Kubernetes security is one of the most critical and challenging aspects of running containerized workloads in production. Kubernetes runs the large majority of orchestrated container workloads today, so securing clusters is not optional. This guide covers each layer of Kubernetes security, from cluster hardening to runtime protection, with the controls and checks a practitioner should apply at every layer.
Table of Contents
- Kubernetes Threat Landscape
- Security Layers
- Cluster Hardening
- RBAC
- Pod Security Standards
- Network Policies
- Secrets Management
- Image Security
- Runtime Security
- Scanning Tools
- Security Checklist
Kubernetes Threat Landscape
Common attack vectors in Kubernetes:
- Misconfigured RBAC — Overly permissive roles allowing privilege escalation
- Exposed dashboards — Kubernetes Dashboard, etcd, or API server publicly accessible
- Vulnerable images — Container images with known CVEs
- Container escape — Privileged containers breaking out to the host
- Secrets in plain text — Kubernetes Secrets are only base64-encoded; they sit unencrypted in etcd unless encryption at rest is configured, and anyone with `get` on secrets reads them in clear
- Lateral movement — Flat network allows pod-to-pod communication by default
- Supply chain attacks — Compromised base images or dependencies
Security Layers (Defense in Depth)
| Layer | What to Secure | Key Controls |
|---|---|---|
| Cluster | API server, etcd, kubelet | TLS, audit logging, encryption at rest |
| Authentication | User and service identity | OIDC, service accounts, no static tokens |
| Authorization | Access control | RBAC, least privilege, namespace isolation |
| Network | Pod communication | Network Policies, service mesh, mTLS |
| Pod | Container security | Pod Security Standards, security contexts |
| Image | Container images | Scanning, signing, minimal base images |
| Runtime | Running containers | Falco, seccomp, AppArmor/SELinux |
| Data | Secrets & config | External secrets, Vault, encryption |
Cluster Hardening
- API Server — Restrict network access (private endpoint or firewall rules), enable audit logging, authenticate users through OIDC rather than long-lived credentials
- etcd — Encrypt secrets at rest, allow network access only from control-plane nodes, require TLS client certificates for every peer and client
- Kubelet — Disable anonymous auth, use webhook authentication and authorization against the API server, disable the unauthenticated read-only port (10255)
- CIS Benchmarks — Run kube-bench to validate the control plane and node configuration against the CIS Kubernetes Benchmark
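The kubelet and audit-logging items above as concrete configuration, added here as an example that is not from the original page. The file paths, the CA certificate path and the kube-bench invocation are assumptions for a kubeadm-style cluster; adapt them to your distribution.

```yaml
# /var/lib/kubelet/config.yaml (kubeadm default path; assumed, adjust for your distro)
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
authentication:
  anonymous:
    enabled: false          # unauthenticated requests would otherwise run as system:anonymous
  webhook:
    enabled: true           # bearer tokens are validated against the API server (TokenReview)
  x509:
    clientCAFile: /etc/kubernetes/pki/ca.crt   # client certs must chain to the cluster CA
authorization:
  mode: Webhook             # never AlwaysAllow: each kubelet API call goes through SubjectAccessReview
readOnlyPort: 0             # turns off the unauthenticated /pods and /metrics endpoint on 10255
protectKernelDefaults: true # refuse to start if kernel tunables differ from the kubelet's expectations
rotateCertificates: true    # short-lived client certificates, renewed automatically
streamingConnectionIdleTimeout: 5m
tlsCipherSuites:            # AEAD suites only; CBC suites fail CIS check 4.2.13
  - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
  - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
---
# /etc/kubernetes/audit-policy.yaml (assumed path), passed to kube-apiserver with
#   --audit-policy-file=/etc/kubernetes/audit-policy.yaml --audit-log-path=/var/log/kubernetes/audit.log
apiVersion: audit.k8s.io/v1
kind: Policy
# Rules are evaluated in order; the first matching rule decides the level.
rules:
  # Never log secret or configmap bodies: they would land in the audit log in plain text.
  - level: Metadata
    resources:
      - group: ""
        resources: ["secrets", "configmaps"]
  # Full request and response for RBAC changes and for exec/attach/port-forward into pods.
  - level: RequestResponse
    resources:
      - group: "rbac.authorization.k8s.io"
      - group: ""
        resources: ["pods/exec", "pods/attach", "pods/portforward"]
  # Drop the noisiest read-only traffic from a trusted system component.
  - level: None
    users: ["system:kube-proxy"]
    verbs: ["watch"]
  # Everything else: who did what to which object, without request bodies.
  - level: Metadata
    omitStages: ["RequestReceived"]
```

Two quick checks after restarting the kubelet: `curl -sk https://<node>:10250/pods` must now return `401 Unauthorized` instead of a pod list, and port 10255 must refuse connections. `kube-bench run --targets node` then reports the section 4.2 kubelet checks as passing. `protectKernelDefaults: true` will keep the kubelet from starting until the node's sysctls (for example `vm.overcommit_memory=1`, `kernel.panic=10`, `kernel.panic_on_oops=1`) match what it expects, so set those in the node image first.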
RBAC (Role-Based Access Control)
RBAC is Kubernetes' built-in authorization mechanism. Key principles:
- Least privilege — Grant only the minimum permissions needed
- Namespace scoping — Use Roles (namespace) over ClusterRoles where possible
- No wildcard permissions — Avoid `resources: ["*"]` or `verbs: ["*"]`
- Service accounts per workload — Don't use the default service account
- Regular audits — Review RBAC bindings periodically with rbac-lookup or kubectl
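The principles above applied to one workload, as an added example that is not from the original page: a dedicated ServiceAccount, a namespace-scoped Role limited to a single object, and the binding between them. The names (`payments`, `orders-api`, `orders-config`) are placeholders.

```yaml
# Added example. Names are placeholders.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: orders-api
  namespace: payments
automountServiceAccountToken: false   # pods that really talk to the API opt in explicitly
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role                            # Role, not ClusterRole: scoped to the payments namespace
metadata:
  name: orders-config-reader
  namespace: payments
rules:
  - apiGroups: [""]
    resources: ["configmaps"]
    resourceNames: ["orders-config"]  # narrow to the one object the workload needs
    verbs: ["get"]                    # no list/update/delete and no "*"
  # The shape an attacker hopes to find, kept here only as a contrast:
  #   - apiGroups: ["*"]
  #     resources: ["*"]
  #     verbs: ["*"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: orders-api-reads-config
  namespace: payments
subjects:
  - kind: ServiceAccount
    name: orders-api
    namespace: payments
roleRef:
  kind: Role
  name: orders-config-reader
  apiGroup: rbac.authorization.k8s.io
```

Verify the effective permissions by impersonating the service account rather than reading the YAML: `kubectl auth can-i get configmaps/orders-config -n payments --as=system:serviceaccount:payments:orders-api` should answer `yes`, and `kubectl auth can-i list secrets -n payments --as=system:serviceaccount:payments:orders-api` should answer `no`. Note that `resourceNames` only restricts single-object verbs such as `get`, `update` and `delete`; a plain `list` cannot be narrowed this way, which is why the Role above grants `get` only. For the periodic audit, `kubectl get clusterrolebindings -o wide | grep cluster-admin` is the first thing to look at.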
Pod Security Standards
Pod Security Admission enforces these levels per namespace through the `pod-security.kubernetes.io/enforce`, `audit` and `warn` labels.
| Level | Restrictions | Use Case |
|---|---|---|
| Privileged | No restrictions | System-level pods (CNI, storage, node agents) |
| Baseline | Blocks known privilege escalations: privileged containers, host namespaces, hostPath volumes, unsafe sysctls | Default for most workloads |
| Restricted | Baseline plus current hardening best practices: non-root, all capabilities dropped, no privilege escalation, seccomp profile, limited volume types | Untrusted or multi-tenant workloads, and the target for application pods in general |
Security Context Best Practices
- `runAsNonRoot: true` — Never run containers as root
- `readOnlyRootFilesystem: true` — Prevent writes to the container filesystem
- `allowPrivilegeEscalation: false` — Block privilege escalation
- `capabilities.drop: ["ALL"]` — Drop all Linux capabilities
- `seccompProfile.type: RuntimeDefault` — Apply the container runtime's default seccomp profile
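The Restricted standard and the security context settings above, combined in one namespace and one pod, as an added example that is not from the original page. The namespace, pod name and image are placeholders.

```yaml
# Added example. Namespace, names and image are placeholders.
apiVersion: v1
kind: Namespace
metadata:
  name: payments
  labels:
    pod-security.kubernetes.io/enforce: restricted   # reject pods that violate Restricted
    pod-security.kubernetes.io/enforce-version: latest
    pod-security.kubernetes.io/warn: restricted      # also print warnings on kubectl apply
    pod-security.kubernetes.io/audit: restricted     # and annotate violations in audit events
---
apiVersion: v1
kind: Pod
metadata:
  name: orders-api
  namespace: payments
  labels:
    app: orders-api
spec:
  automountServiceAccountToken: false
  securityContext:                       # pod level: inherited by every container
    runAsNonRoot: true
    runAsUser: 10001                     # explicit non-zero UID; required unless the image sets USER
    runAsGroup: 10001
    fsGroup: 10001
    seccompProfile:
      type: RuntimeDefault               # Restricted requires RuntimeDefault or Localhost
  containers:
    - name: api
      image: registry.example.com/orders-api:1.4.2   # placeholder; pin by digest in real use
      ports:
        - containerPort: 8080            # unprivileged port, so NET_BIND_SERVICE is not needed
      securityContext:
        allowPrivilegeEscalation: false
        readOnlyRootFilesystem: true
        capabilities:
          drop: ["ALL"]                  # Restricted permits adding back only NET_BIND_SERVICE
      volumeMounts:
        - name: tmp
          mountPath: /tmp                # scratch space, since the root filesystem is read-only
      resources:
        requests: {cpu: 100m, memory: 128Mi}
        limits: {cpu: 500m, memory: 256Mi}
  volumes:
    - name: tmp
      emptyDir: {}                       # one of the volume types Restricted allows
```

Before turning enforcement on for an existing namespace, preview what would be rejected without changing anything: `kubectl label --dry-run=server --overwrite ns payments pod-security.kubernetes.io/enforce=restricted` prints a warning for every existing pod that would fail. A common first failure is an image that still runs as root; `runAsUser: 10001` in the pod spec fixes the admission check, but the image must also be able to operate as that UID (file ownership, writable paths), which is what the `/tmp` emptyDir is for here.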
Network Policies
By default, every pod can communicate with every other pod in a Kubernetes cluster, across namespaces. Network Policies let you define firewall rules at the pod level. They are enforced only by a CNI plugin that implements them (Calico and Cilium do; a plain Flannel install does not), so test that a policy actually blocks traffic rather than assuming it does.
Network Policy Strategy
- Default deny all — Start by blocking all ingress and egress traffic in each application namespace
- Allow specific flows — Allow-list only the pod-to-pod connections a workload actually needs
- Namespace isolation — Restrict cross-namespace traffic with namespace selectors
- DNS egress — Allow UDP and TCP port 53 to kube-dns in kube-system; a default-deny egress policy without this rule breaks name resolution for every pod in the namespace
Secrets Management
| Method | Security Level | Recommendation |
|---|---|---|
| K8s Secrets (default) | Low (base64 only; plain text in etcd unless encryption at rest is enabled) | Enable encryption at rest as a minimum, and restrict `get`/`list` on secrets through RBAC |
| Sealed Secrets | Medium (encrypted in Git, decrypted only in-cluster) | Good for GitOps workflows |
| External Secrets Operator | High (secrets live in an external manager and are synced into the cluster) | Recommended for production |
| HashiCorp Vault | Highest (dynamic, short-lived credentials) | Enterprise-grade, dynamic secrets |
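The minimum control from the table, encryption at rest for the built-in Secret type, as an added example that is not from the original page. The file path is an assumption and the key value is a placeholder (32 zero bytes); generate a real one with `head -c 32 /dev/urandom | base64`.

```yaml
# Added example. /etc/kubernetes/enc/enc.yaml (assumed path), passed to kube-apiserver with
#   --encryption-provider-config=/etc/kubernetes/enc/enc.yaml
# On kubeadm clusters the file must also be mounted into the kube-apiserver static pod.
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets
      - configmaps            # optional, but configmaps frequently hold credentials too
    providers:
      # The first provider encrypts new writes; every listed provider is tried, in order, on reads.
      - secretbox:            # XSalsa20-Poly1305; preferred over aescbc, which is CBC-mode
          keys:
            - name: key1
              secret: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=   # PLACEHOLDER: 32 zero bytes, replace
      # identity last: objects written before encryption was enabled stay readable.
      # Remove it once every existing object has been rewritten under key1.
      - identity: {}
```

Enabling the provider encrypts only objects written from then on, so rewrite the existing ones: `kubectl get secrets --all-namespaces -o json | kubectl replace -f -`. Then confirm on a control-plane node that etcd holds ciphertext: reading a key such as `/registry/secrets/payments/db-creds` with `etcdctl get ... | hexdump -C` must show the `k8s:enc:secretbox:v1:key1:` prefix followed by opaque bytes instead of a readable JSON body. Keep the caveat in mind: the key lives in a file on the control-plane host, so this protects etcd backups and disks, not a compromised API server. The KMS v2 provider moves the key into an external KMS when that threat matters.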
Image Security
- Use minimal base images — distroless, Alpine, or scratch
- Pin image versions — Never use the `:latest` tag in production; pin to an immutable tag or, better, to a digest (`@sha256:...`)
- Scan images — Trivy, Grype, or Snyk in the CI/CD pipeline, failing the build on fixable critical CVEs
- Sign images — Cosign for image integrity verification
- Private registry — Pull only from a private or mirrored registry in production, so every image running in the cluster went through your scanning and signing pipeline
- Admission control — OPA/Gatekeeper or Kyverno to enforce image policies
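A Kyverno ClusterPolicy that enforces the tag, digest and signature items above at admission time, added here as an example that is not from the original page. The registry path is a placeholder and the public key is a placeholder block to be replaced with the contents of the `cosign.pub` used to sign the images.

```yaml
# Added example. Registry path and public key are placeholders.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: image-supply-chain
spec:
  validationFailureAction: Enforce    # run in Audit first, switch to Enforce once reports are clean
  rules:
    - name: require-image-tag
      match:
        any:
          - resources:
              kinds: ["Pod"]
      validate:
        message: "An explicit image tag or digest is required."
        pattern:
          spec:
            containers:
              - image: "*:*"                # anything after a colon: a tag or an @sha256: digest
            =(initContainers):              # =() anchor: validate these only if the field exists
              - image: "*:*"
            =(ephemeralContainers):
              - image: "*:*"
    - name: disallow-latest-tag
      match:
        any:
          - resources:
              kinds: ["Pod"]
      validate:
        message: "The mutable tag ':latest' is not allowed."
        pattern:
          spec:
            containers:
              - image: "!*:latest"
            =(initContainers):
              - image: "!*:latest"
            =(ephemeralContainers):
              - image: "!*:latest"
    - name: verify-cosign-signature
      match:
        any:
          - resources:
              kinds: ["Pod"]
      verifyImages:
        - imageReferences:
            - "registry.example.com/*"      # only the org's registry is checked; other sources are blocked by the registry allow-list
          mutateDigest: true                # rewrite the tag to the verified digest, so what runs is what was checked
          attestors:
            - count: 1
              entries:
                - keys:
                    publicKeys: |-
                      -----BEGIN PUBLIC KEY-----
                      PLACEHOLDER: paste the contents of cosign.pub here
                      -----END PUBLIC KEY-----
```

With the policy applied, `kubectl run t --image=registry.example.com/orders-api` (no tag) and `kubectl run t --image=registry.example.com/orders-api:latest` are both rejected at admission with the rule's message, and a correctly tagged image is admitted only if `cosign verify --key cosign.pub registry.example.com/orders-api:1.4.2` would succeed for it. Because `mutateDigest` rewrites the image reference to the digest Kyverno verified, a later re-push of the same tag cannot slip an unsigned image into an already-admitted pod spec.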
Runtime Security
- Falco — Runtime threat detection based on syscall monitoring
- Seccomp profiles — Restrict which syscalls containers can make
- AppArmor/SELinux — Mandatory access control for containers
- Read-only filesystem — Prevent runtime modifications
- Resource limits — Set CPU/memory limits to prevent resource abuse
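Two custom Falco rules that cover behaviour the bullets above call out (an unexpected shell in a container, and a read of the pod's service account token by something other than the application), added here as an example that is not from the original page. The file is meant to be loaded alongside Falco's default rule set, which defines the `spawned_process`, `container` and `open_read` macros it uses; the image and process allow-lists are placeholders.

```yaml
# Added example: /etc/falco/rules.d/custom.yaml (assumed path). Allow-list contents are placeholders.
- list: allowed_shell_images
  items: [registry.example.com/debug-toolbox]   # images where an interactive shell is expected

- list: allowed_token_readers
  items: [orders-api, node, java]               # process names that legitimately load the SA token

- rule: Shell spawned in production container
  desc: >
    A shell started inside a container whose image is not on the allow-list. Immutable,
    read-only workloads never need one; this is either a human kubectl exec or post-exploitation.
  condition: >
    spawned_process and container
    and proc.name in (bash, sh, dash, ash, zsh)
    and not container.image.repository in (allowed_shell_images)
  output: >
    Shell in container (user=%user.name shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline
    container=%container.name image=%container.image.repository pod=%k8s.pod.name ns=%k8s.ns.name)
  priority: WARNING
  tags: [container, shell, mitre_execution, T1059]

- rule: Service account token read by unexpected process
  desc: >
    A process other than the application binary read the projected service account token,
    which is the first step of turning a container compromise into API access.
  condition: >
    open_read and container
    and fd.name startswith /var/run/secrets/kubernetes.io/serviceaccount
    and not proc.name in (allowed_token_readers)
  output: >
    SA token read (proc=%proc.name cmdline=%proc.cmdline file=%fd.name
    container=%container.name image=%container.image.repository pod=%k8s.pod.name ns=%k8s.ns.name)
  priority: NOTICE
  tags: [container, credential_access, T1552.001]
```

Validate the file before deploying it with `falco -V /etc/falco/rules.d/custom.yaml`, then trigger both rules deliberately: `kubectl exec -it <pod> -- sh` fires the first, and `cat /var/run/secrets/kubernetes.io/serviceaccount/token` from that shell fires the second. The `%k8s.*` fields are only populated when Falco has Kubernetes metadata available (the k8s-metacollector in current releases), so confirm they are filled in on a test alert before relying on them in routing or triage.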
Scanning Tools
| Tool | Type | What It Scans |
|---|---|---|
| Trivy | All-in-one | Images, IaC, SBOM, misconfigs, secrets |
| Falco | Runtime | Syscalls, container behavior, anomalies |
| Kubescape | Compliance | NSA/CISA, MITRE, CIS Benchmarks |
| kube-bench | CIS Benchmark | Cluster config vs CIS K8s Benchmark |
| Polaris | Best practices | Deployment configs, security contexts |
| OPA Gatekeeper | Policy | Admission control with Rego policies |
Security Checklist
- Enable RBAC, disable ABAC
- Use Network Policies (default deny)
- Pod Security Standards: Restricted level
- No root containers (runAsNonRoot: true)
- Drop all capabilities
- Read-only root filesystem
- Encrypt etcd at rest
- Enable audit logging
- Use External Secrets or Vault
- Scan images in CI/CD
- Sign and verify images
- Runtime monitoring (Falco)
- Resource limits on all pods
- Regular CIS Benchmark scans