Cloud-Native Telecom · Pro
Security: RBAC, network policies, pod security, secrets management
Pod Security Standards and Admission Control
Securing a 5G Core on Kubernetes requires defense in depth across multiple layers. Pod Security Standards define three profiles: Privileged, Baseline, and Restricted. Telecom control plane NFs should run under the Restricted profile, using non-root users, read-only root filesystems, and dropping all Linux capabilities. Data plane NFs like UPF may require the Baseline profile due to their need for specific capabilities like NET_ADMIN for SR-IOV and SYS_RESOURCE for hugepages. Pod Security Admission controllers enforce these standards at the namespace level, preventing deployment of pods that…
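As an added example (not part of the course material), a small Python checker that applies the core Restricted-profile controls that Pod Security Admission enforces to two constructed pod specs: a control-plane NF that passes, and a UPF that adds the NET_ADMIN and SYS_RESOURCE capabilities described above; the image names and the subset of checks covered are assumptions.

```python
# Added example, not course code: an offline check of a pod spec against the main
# controls of the Restricted Pod Security Standard (a subset; volume types, hostPorts,
# sysctls and runAsUser=0 are not covered here). Manifests below are constructed.
ALLOWED_ADD = {"NET_BIND_SERVICE"}           # the only capability Restricted lets you add
ALLOWED_SECCOMP = {"RuntimeDefault", "Localhost"}


def restricted_violations(pod: dict) -> list[str]:
    """Return the Restricted checks a pod spec fails; an empty list means admitted."""
    spec = pod["spec"]
    pod_sc = spec.get("securityContext", {})
    found = []
    for field in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(field):
            found.append(f"{field} must be false")
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name, sc = c["name"], c.get("securityContext", {})
        if sc.get("privileged"):
            found.append(f"{name}: privileged containers are forbidden")
        if sc.get("allowPrivilegeEscalation") is not False:
            found.append(f"{name}: allowPrivilegeEscalation must be set to false")
        # runAsNonRoot may be set at pod level; a container-level value overrides it
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            found.append(f"{name}: runAsNonRoot must be true")
        caps = sc.get("capabilities", {})
        if "ALL" not in caps.get("drop", []):
            found.append(f"{name}: capabilities.drop must include ALL")
        for cap in sorted(set(caps.get("add", [])) - ALLOWED_ADD):
            found.append(f"{name}: capability {cap} cannot be added")
        seccomp = sc.get("seccompProfile", pod_sc.get("seccompProfile", {})).get("type")
        if seccomp not in ALLOWED_SECCOMP:
            found.append(f"{name}: seccompProfile.type must be RuntimeDefault or Localhost")
    return found


# Constructed manifests: an AMF hardened for Restricted (non-root, read-only rootfs,
# all capabilities dropped) and a UPF that adds NET_ADMIN / SYS_RESOURCE.
AMF_POD = {"spec": {
    "securityContext": {"runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [{"name": "amf", "image": "example/amf:1.0", "securityContext": {
        "allowPrivilegeEscalation": False, "readOnlyRootFilesystem": True,
        "capabilities": {"drop": ["ALL"], "add": ["NET_BIND_SERVICE"]}}}]}}

UPF_POD = {"spec": {
    "securityContext": {"runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [{"name": "upf", "image": "example/upf:1.0", "securityContext": {
        "allowPrivilegeEscalation": False,
        "capabilities": {"drop": ["ALL"], "add": ["NET_ADMIN", "SYS_RESOURCE"]}}}]}}

if __name__ == "__main__":
    for label, pod in (("amf", AMF_POD), ("upf", UPF_POD)):
        print(label, restricted_violations(pod) or "admitted under Restricted")
```

Note that the Baseline profile's allow-list of addable capabilities does not include NET_ADMIN or SYS_RESOURCE either, so confirm the capability lists for your cluster's Kubernetes version before choosing the enforce label for a data-plane namespace.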