Security & Compliance
3 modules are currently being reworked. Watch this section over the next few days.
On-premises Kubernetes gives you physical control that cloud never can — but that control comes with responsibility. You own the hardware, the network perimeter, the key material, and every audit artifact. These modules cover the security and compliance concerns unique to self-hosted infrastructure.
Modules
Section titled “Modules”| Module | Topics | Complexity |
|---|---|---|
| Module 6.1: Physical Security & Air-Gapped Environments | Datacenter controls, disconnected clusters, Harbor registry, image mirroring, sneakernet updates, air-gapped GitOps | Advanced |
| Module 6.2: Hardware Security (HSM/TPM) | HSMs for key management, TPM measured boot, Vault + PKCS#11, on-prem KMS replacement, LUKS + TPM disk encryption | Advanced |
| Module 6.3: Enterprise Identity (AD/LDAP/OIDC) | Active Directory integration, LDAP, Keycloak, Dex OIDC, RBAC group mapping, SSO for dashboards | Medium |
| Module 6.4: Compliance for Regulated Industries | HIPAA physical controls, SOC 2, PCI DSS scope isolation, data sovereignty, K8s audit policy, evidence collection | Advanced |
| Workload Identity with SPIFFE/SPIRE | SPIFFE standard, SPIRE server and agent, node attestation, workload attestation, identity federation, mTLS | Advanced |
| Secrets Management on Bare Metal | HashiCorp Vault on-prem, auto-unseal with HSMs, External Secrets Operator, CSI Secrets Store, dynamic credentials | Advanced |
| Policy as Code & Governance | OPA Gatekeeper, Kyverno, mutating webhooks, image signature verification, compliance automation, guardrails | Medium |
| Zero Trust Architecture | Microsegmentation, identity-based routing, default deny policies, CNI network policies, Istio/Cilium strict mTLS | Advanced |
Prerequisites
Section titled “Prerequisites”- Fundamentals — Cloud Native 101, Kubernetes Basics
- CKS — Kubernetes security concepts
- Planning & Economics — Datacenter planning context
- Networking — Network segmentation and BGP
Who This Section Is For
Section titled “Who This Section Is For”- Security engineers responsible for hardening on-premises Kubernetes clusters
- Compliance officers mapping regulatory frameworks to Kubernetes infrastructure
- Platform teams integrating enterprise identity systems with Kubernetes RBAC
- Infrastructure architects designing air-gapped or classified environments