Updated Feb 23, 2026

Chapter 58: Production Security & Compliance

You build a cloud-security skill first, then apply it to harden your Kubernetes agent: identity, network, workloads, secrets, supply chain, and compliance checks.


Goals

  • Apply the 4C’s model: Cloud → Cluster → Container → Code
  • Enforce Kubernetes security: RBAC, NetworkPolicies, Pod Security Standards
  • Harden containers: image scanning, non-root users, seccomp/AppArmor profiles
  • Protect secrets: external stores and sealed/encrypted patterns
  • Add compliance and auditing: policy-as-code, admission controls
  • Capture security patterns in a reusable skill

Lesson Progression

  • Build Your Cloud Security Skill (skill-first)
  • Cloud/Cluster security: RBAC, NetworkPolicies, PSS
  • Container security: scanning, non-root users, seccomp/AppArmor
  • Secrets management and signing/supply-chain hygiene
  • Compliance and policy-as-code (admission controls, audit)
  • Capstone: hardened Task API deployment; finalize the skill

Each lesson ends with a reflection to test, find gaps, and improve.


Outcome & Method

You finish with a hardened, compliant Task API deployment and a reusable cloud-security skill. The chapter follows the skill-first pattern with a spec-driven capstone.


Prerequisites

  • Chapters 49-56 (containerized, deployed, observable, routed service)
  • Familiarity with GitOps to apply security manifests