Kubernetes Security Glossary and Term Map
Why this page exists: the main glossary now spans the full Product Security program, but Kubernetes introduces a dense cluster of platform-specific words that are easier to learn together. This page keeps the cloud-native terms in one place.
Editorial note: this page was seeded from the public Kubernetes Security Guide glossary at https://k8s-security.guru/glossary/ and then normalized against the official Kubernetes glossary and CNCF cloud-native terminology so the wording stays practical and vendor-neutral.
Best external glossaries to keep nearby
- Kubernetes Security Guide glossary: https://k8s-security.guru/glossary/
- Official Kubernetes glossary: https://kubernetes.io/docs/reference/glossary/
- CNCF cloud native glossary: https://glossary.cncf.io/
Core cluster and control-plane terms
| Term | Plain-English meaning | Why Product Security cares | Read next |
|---|---|---|---|
| Control plane | The administrative brain of the cluster: API server, scheduler, controllers, and usually etcd. | Whoever controls the control plane can reshape cluster trust, workload placement, and policy. | API server hardening; etcd backup; admission |
| Admission controller | A validation or mutation checkpoint in the API write path. | This is where mature platforms block unsafe images, missing labels, or prohibited pod settings before deploy. | PSA; Kyverno; Gatekeeper |
| Namespace | A logical boundary for names and often for ownership, quotas, and policy rollout. | Namespaces are not hard multi-tenant isolation, but they are a critical blast-radius and governance unit. | tenancy; RBAC; network policy |
| Service account | The identity used by a pod or controller inside the cluster. | Workload identity mistakes often start with overpowered or reused service accounts. | workload identity; projected tokens |
| RBAC | Role-Based Access Control for Kubernetes API actions. | The fastest way to lose control of a cluster is to give broad list/get/update permissions to the wrong principals. | least privilege; cluster-admin |
| NetworkPolicy | A Kubernetes resource that limits which pods may talk to which other pods. | Without policy, east-west traffic is often wider than teams think. | default deny; segmentation |
| Audit logging | Records of API activity and security-relevant changes in the cluster. | Needed for investigations, privileged-user oversight, and evidence collection. | immutable logging; runtime investigation |
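The RBAC and service-account rows above describe the failure mode in words; the following is an added example (not from the Kubernetes Security Guide or any project) that turns a few of those review heuristics into a script run over constructed Role, ClusterRole and binding objects. It flags wildcard grants, Secret read access, pod exec rights, cluster-admin bindings, and bindings to the everyone groups. The heuristics are this example's own and are not Kubernetes' authorization logic.

```python
"""Flag over-broad RBAC grants in a set of Role/ClusterRole and binding
objects.  Added example with constructed manifests; it encodes a few
review heuristics, not Kubernetes' own authorization logic."""

from typing import Any

# Groups that include every caller, so binding them grants rights to everyone.
EVERYONE_GROUPS = {"system:authenticated", "system:unauthenticated"}
# Verbs that change state; create on pods/exec is what "kubectl exec" needs.
WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection"}


def rule_findings(kind: str, name: str, rules: list[dict[str, Any]]) -> list[str]:
    """Findings for the rules of one Role or ClusterRole."""
    out: list[str] = []
    scope = f"{kind}/{name}"
    for r in rules:
        verbs = set(r.get("verbs", []))
        resources = set(r.get("resources", []))
        api_groups = set(r.get("apiGroups", []))
        if "*" in verbs and "*" in resources:
            out.append(f"{scope}: wildcard verbs on wildcard resources (cluster-admin equivalent)")
        elif "*" in verbs or "*" in resources or "*" in api_groups:
            out.append(f"{scope}: wildcard in verbs/resources/apiGroups")
        # list and watch return Secret contents, not just names.
        if "secrets" in resources and verbs & {"get", "list", "watch", "*"}:
            out.append(f"{scope}: can read Secret contents ({sorted(verbs)})")
        if resources & {"pods/exec", "pods/attach"} and verbs & (WRITE_VERBS | {"*"}):
            out.append(f"{scope}: can exec into pods (code execution in the workload)")
        if "clusterroles" in resources and verbs & {"bind", "escalate", "*"}:
            out.append(f"{scope}: bind/escalate on clusterroles allows privilege escalation")
    return out


def binding_findings(binding: dict[str, Any]) -> list[str]:
    """Findings for one RoleBinding or ClusterRoleBinding."""
    out: list[str] = []
    kind = binding["kind"]
    name = binding["metadata"]["name"]
    role = binding["roleRef"]["name"]
    for s in binding.get("subjects", []):
        subj = f'{s["kind"]}:{s["name"]}'
        if s["kind"] == "Group" and s["name"] in EVERYONE_GROUPS:
            out.append(f"{kind}/{name}: grants {role} to {subj} (everyone)")
        if kind == "ClusterRoleBinding" and role == "cluster-admin":
            out.append(f"{kind}/{name}: grants cluster-admin to {subj}")
        # The default service account is mounted into pods that set nothing.
        if s["kind"] == "ServiceAccount" and s["name"] == "default":
            out.append(f"{kind}/{name}: grants {role} to the default service account "
                       f"of namespace {s.get('namespace')}")
    return out


def audit(objects: list[dict[str, Any]]) -> list[str]:
    """Run both checks over a list of RBAC objects and return all findings."""
    findings: list[str] = []
    for o in objects:
        if o["kind"] in ("Role", "ClusterRole"):
            findings += rule_findings(o["kind"], o["metadata"]["name"], o.get("rules", []))
        elif o["kind"] in ("RoleBinding", "ClusterRoleBinding"):
            findings += binding_findings(o)
    return findings


# Constructed sample objects (not taken from any real cluster).
SAMPLE = [
    {"kind": "ClusterRole", "metadata": {"name": "ops-helper"},
     "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]},
               {"apiGroups": [""], "resources": ["pods/exec"], "verbs": ["create"]}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "everyone-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
    {"kind": "Role", "metadata": {"name": "reader", "namespace": "team-a"},
     "rules": [{"apiGroups": [""], "resources": ["pods", "configmaps"],
                "verbs": ["get", "list", "watch"]}]},
    {"kind": "RoleBinding", "metadata": {"name": "reader-binding", "namespace": "team-a"},
     "roleRef": {"kind": "Role", "name": "reader"},
     "subjects": [{"kind": "ServiceAccount", "name": "reporter", "namespace": "team-a"}]},
]

if __name__ == "__main__":
    for line in audit(SAMPLE):
        print(line)
```

The two namespaced objects (`reader` and its binding) produce no findings, which is the shape a least-privilege grant usually has: a named Role, read-only verbs on non-secret resources, bound to a purpose-specific service account rather than `default`.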
Pod and workload isolation terms
| Term | Plain-English meaning | Why Product Security cares | Read next |
|---|---|---|---|
| securityContext | Pod or container settings for user/group IDs, privilege, seccomp, capabilities, and related runtime controls. | Many avoidable escapes and privilege escalations begin with weak securityContext defaults. | restricted profile; seccomp; capabilities |
| Pod Security Standards (PSS) | The Kubernetes policy levels Privileged, Baseline, and Restricted. | Gives teams a common vocabulary for what "acceptable pod posture" means. | PSA; exceptions |
| Pod Security Admission (PSA) | Namespace-level enforcement of Pod Security Standards. | A built-in baseline control for blocking obviously unsafe pod specs. | PSS rollout; namespace labels |
| seccomp | Linux syscall filtering for processes. | Reduces what a compromised process can ask the kernel to do. | AppArmor; SELinux |
| AppArmor | Path/profile-based Linux restrictions on process behavior. | Useful for workload confinement where the underlying node OS supports it. | seccomp; securityContext |
| SELinux | Label-based mandatory access control for Linux. | Common on enterprise Linux platforms and strong for pod-level containment when configured well. | labels; type enforcement |
| Capabilities | Fine-grained Linux privileges such as NET_ADMIN or SYS_ADMIN. | Excess capabilities regularly undermine otherwise "non-root" containers. | least privilege; rootless |
| RuntimeClass | Mapping of a pod to a runtime configuration such as a sandboxed runtime. | Helps apply stronger isolation to specific workload classes without redesigning the whole cluster. | gVisor; Kata; sandboxing |
| gVisor | A sandboxed container runtime that interposes on syscalls for stronger isolation. | Useful where workload risk justifies extra performance/operational trade-offs. | RuntimeClass; sandboxing |
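The securityContext, PSS, seccomp and capabilities rows are easier to internalize with a spec in front of you. The following is an added example (not code from the Kubernetes Security Guide or from the Kubernetes project) that checks a pod spec against a subset of the Restricted profile's rules and shows a weak spec beside a hardened one. The rule list is a subset of the upstream profile, so passing this checker is not the same as passing Pod Security Admission; both pod specs are constructed.

```python
"""Check a pod spec against a subset of the Pod Security Standards
Restricted profile.  Added example; the rule list is a subset of the
upstream Restricted profile, not a complete implementation of PSA."""

from typing import Any

# The only capability the Restricted profile lets a container add back
# after dropping ALL.
ALLOWED_ADDED_CAPS = {"NET_BIND_SERVICE"}
ALLOWED_SECCOMP = {"RuntimeDefault", "Localhost"}


def _containers(spec: dict[str, Any]) -> list[dict[str, Any]]:
    """All containers in the pod, including init and ephemeral ones."""
    return (spec.get("initContainers", []) + spec.get("containers", [])
            + spec.get("ephemeralContainers", []))


def restricted_findings(pod: dict[str, Any]) -> list[str]:
    """Return human-readable findings; an empty list means the pod passes
    every rule this checker implements."""
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})
    findings: list[str] = []

    # Host namespace sharing is already forbidden at the Baseline level.
    for field in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(field) is True:
            findings.append(f"pod: {field} must not be true")

    for c in _containers(spec):
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext", {})

        if sc.get("privileged") is True:
            findings.append(f"{name}: privileged containers are not allowed")

        # Restricted requires an explicit allowPrivilegeEscalation: false.
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append(f"{name}: allowPrivilegeEscalation must be set to false")

        caps = sc.get("capabilities", {})
        if "ALL" not in caps.get("drop", []):
            findings.append(f"{name}: capabilities.drop must include ALL")
        extra = set(caps.get("add", [])) - ALLOWED_ADDED_CAPS
        if extra:
            findings.append(f"{name}: added capabilities not allowed: {sorted(extra)}")

        # Container-level settings override pod-level ones for these fields.
        run_as_non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
        if run_as_non_root is not True:
            findings.append(f"{name}: runAsNonRoot must be true (pod or container level)")

        seccomp = sc.get("seccompProfile", pod_sc.get("seccompProfile", {}))
        if seccomp.get("type") not in ALLOWED_SECCOMP:
            findings.append(f"{name}: seccompProfile.type must be RuntimeDefault or Localhost")

    return findings


# Constructed sample: a spec close to what unhardened defaults produce.
WEAK_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "weak"},
    "spec": {
        "hostNetwork": True,
        "containers": [{
            "name": "app", "image": "example.invalid/app:1.0",
            "securityContext": {"capabilities": {"add": ["SYS_ADMIN"]}},
        }],
    },
}

# Constructed sample: the same workload with a Restricted-compatible posture.
HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "hardened"},
    "spec": {
        "securityContext": {
            "runAsNonRoot": True,
            "seccompProfile": {"type": "RuntimeDefault"},
        },
        "containers": [{
            "name": "app", "image": "example.invalid/app:1.0",
            "securityContext": {
                "allowPrivilegeEscalation": False,
                "capabilities": {"drop": ["ALL"], "add": ["NET_BIND_SERVICE"]},
            },
        }],
    },
}

if __name__ == "__main__":
    for pod in (WEAK_POD, HARDENED_POD):
        print(pod["metadata"]["name"], restricted_findings(pod) or "OK")
```

Note that the weak spec never sets `privileged: true` and still fails six rules: most of the Restricted profile is about fields that must be explicitly set, so a spec that says nothing is non-compliant by omission, which is why the glossary's "weak securityContext defaults" phrasing matters.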
Supply chain, secrets, and runtime terms
| Term | Plain-English meaning | Why Product Security cares | Read next |
|---|---|---|---|
| Image signing | Verifying that a container image came from the expected producer and was not tampered with. | Important when promotion and deployment should trust only approved artifacts. | Cosign; provenance; attestations |
| Provenance | A verifiable record of how the image or artifact was built. | Needed when you want more than "the digest matches" and need build-path evidence. | SLSA; secure build factory |
| Secret | Confidential material such as credentials, tokens, or keys. | Teams often store too many long-lived secrets in clusters that should instead use workload identity. | External Secrets; Vault; KMS |
| Runtime signal | An event observed while the workload is running, such as a suspicious exec or unexpected capability use. | Runtime signals are how many container intrusions are noticed in practice. | Falco; eBPF; detections |
| Containment | A deliberate action to reduce attacker freedom during an incident. | In Kubernetes this may mean isolating namespace traffic, freezing rollouts, revoking tokens, or cordoning nodes. | investigation playbook; blast radius |
Five practical interpretation rules
- Pod-level hardening is necessary but not sufficient. Weak workload identity or cluster-admin rights can bypass "good pod posture."
- Namespace is a governance unit, not magical isolation. Treat it as a policy and ownership boundary, not as a guaranteed tenant boundary.
- Admission and runtime solve different problems. Admission stops bad intent from being deployed; runtime helps detect or contain what still happens.
- Signing without provenance is only partial trust. You often need both "who signed this" and "how was it built."
- A service account is an identity, not just a YAML field. Review it the same way you would review a privileged IAM role.
Suggested reading path
- Official Kubernetes glossary for canonical core terms.
- This page for Product Security translation.
- Container / Kubernetes / Platform Security: Images, Admission, RBAC, Pod Hardening, Isolation, and GitOps / Deployment Plane
- Container Isolation: seccomp, SELinux, AppArmor, Capabilities, gVisor, and Namespaces
- Cloud / Kubernetes Runtime Investigation Playbooks and Containment Templates