Policy, Secrets, And Supply Chain
Security controls should be composable: admission policy blocks unsafe Kubernetes intent, secret tooling controls credential lifecycle, and supply-chain checks constrain what code can run.
Capability split
| Capability | Tooling examples | Ownership |
|---|---|---|
| Admission policy | Kyverno, Gatekeeper, CEL admission | Platform security |
| Pod Security | Pod Security Admission | Platform team |
| Secrets sync | External Secrets Operator | Platform plus app teams |
| Secret sealing | Sealed Secrets | App teams with repo-based flow |
| Image provenance | Cosign, admission verification | Security and CI teams |
Policy rollout
- Audit mode to understand current violations.
- Warn mode with owner notifications.
- Enforce mode for new workloads.
- Exception process with expiry.
- Periodic review of policy relevance and bypasses.
Secret rules
- Do not store plaintext secrets in Git.
- Keep secret ownership close to the consuming app.
- Rotate credentials on schedule and on incident.
- Make restore dependency explicit: DR often fails because secrets cannot be recreated.
Failure modes
- Policy blocks production during outage because failurePolicy and webhook readiness were ignored.
- Secrets rotate but pods do not reload safely.
- Signed images are required but CI cannot produce signatures for all approved workflows.
- Exception labels become permanent bypasses.