Kubernetes Security: Container Hardening Checklist
- January 10, 2026
- Posted by: Kehinde Ogunlowo
- Category: Blog, DevSecOps, GRC & Compliance, Kubernetes & Containers
Kubernetes is the de facto standard for container orchestration, but its default configuration is insecure. A misconfigured cluster can expose your entire infrastructure to attackers. This checklist covers the essential security hardening steps for production Kubernetes environments.
Cluster-Level Security
1. Enable RBAC and Disable Legacy ABAC
Role-Based Access Control (RBAC) should be the only authorization mode. Create specific roles for each team and service. Never use cluster-admin for day-to-day operations. Audit RBAC bindings regularly to identify excessive permissions.
2. Secure the API Server
The Kubernetes API server is the most critical component. Restrict access to the API server to known CIDR ranges. Enable audit logging. Use OIDC authentication integrated with your identity provider. Disable anonymous authentication.
3. Enable Admission Controllers
Admission controllers intercept requests to the API server before objects are created. Essential controllers include:
- PodSecurity: Enforce the Pod Security Standards at one of the three levels (privileged, baseline, restricted)
- NetworkPolicy: Require network policies for all namespaces
- OPA Gatekeeper / Kyverno: Custom policy enforcement
Pod-Level Security
4. Run Containers as Non-Root
Never run containers as root. Set runAsNonRoot: true and specify a numeric user ID in your pod security context. Drop all Linux capabilities and only add the specific ones your application needs.
5. Use Read-Only Root Filesystem
Set readOnlyRootFilesystem: true in your security context. If your application needs to write temporary files, mount a writable emptyDir volume at the specific path needed.
6. Set Resource Limits
Always define CPU and memory limits for every container. Without limits, a single misbehaving container can consume all cluster resources (denial of service). Use LimitRange and ResourceQuota objects to enforce defaults at the namespace level.
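To turn items 4 to 6 into a repeatable check, here is an added Python audit script (not from the original post) that walks a Pod spec, as loaded from a manifest, and reports every container that violates the non-root, capability, read-only filesystem or resource-limit rules; the Pod it inspects is a constructed sample with placeholder image names, and the check names and messages are this example's own.

```python
from typing import Any

# Constructed sample Pod, as loaded from a manifest (e.g. json.load of
# `kubectl get pod -o json`); deliberately weak in places. Image names are placeholders.
SAMPLE_POD = {
    "metadata": {"name": "web"},
    "spec": {
        "securityContext": {"runAsNonRoot": True, "runAsUser": 10001},
        "containers": [
            {"name": "app", "image": "example.invalid/app:1.0",
             "securityContext": {"readOnlyRootFilesystem": True,
                                 "capabilities": {"drop": ["ALL"], "add": ["NET_BIND_SERVICE"]}},
             "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}}},
            {"name": "sidecar", "image": "example.invalid/sidecar:1.0",
             "securityContext": {"runAsUser": 0}},
        ],
    },
}


def audit_pod(pod: dict[str, Any]) -> list[str]:
    """Return one finding per violated check from items 4-6 of the checklist."""
    findings = []
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})
    for c in spec.get("containers", []):
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext", {})
        # Container-level securityContext fields override pod-level ones.
        non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False))
        uid = sc.get("runAsUser", pod_sc.get("runAsUser"))
        # Item 4: non-root with an explicit numeric UID; UID 0 is root regardless.
        if uid == 0 or not non_root:
            findings.append(f"{name}: may run as root (set runAsNonRoot: true)")
        if uid is None:
            findings.append(f"{name}: no numeric runAsUser set")
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            findings.append(f"{name}: capabilities not dropped (drop: [ALL])")
        # Item 5: read-only root filesystem.
        if not sc.get("readOnlyRootFilesystem", False):
            findings.append(f"{name}: root filesystem is writable")
        # Item 6: explicit CPU and memory limits.
        limits = c.get("resources", {}).get("limits", {})
        for res in ("cpu", "memory"):
            if res not in limits:
                findings.append(f"{name}: missing {res} limit")
    return findings
```

Running `audit_pod(SAMPLE_POD)` passes the `app` container and returns five findings for `sidecar`, one per broken rule.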
Network Security
7. Implement Network Policies
By default, all pods can communicate with all other pods. Deploy a CNI plugin that supports network policies (Calico, Cilium) and create default-deny ingress and egress policies for every namespace. Then explicitly allow only the traffic flows your application requires.
8. Use Service Mesh for mTLS
Deploy a service mesh (Istio, Linkerd) to encrypt all pod-to-pod communication with mutual TLS. This provides zero-trust networking within your cluster without modifying application code.
Image Security
9. Scan Images in CI/CD
Scan container images for vulnerabilities before they enter your registry. Use Trivy, Grype, or Prisma Cloud. Block images with critical vulnerabilities from being deployed. Sign images with cosign and verify signatures at admission time.
10. Use Minimal Base Images
Start with distroless or scratch base images. Every unnecessary package in your image is a potential vulnerability. Alpine-based images are a good middle ground if you need a shell for debugging.
Runtime Security
11. Deploy Runtime Protection
Use Falco, Sysdig, or Prisma Cloud Defender to monitor container behavior at runtime. Alert on suspicious activities like unexpected process execution, file system changes, or network connections.
12. Enable Audit Logging
Configure Kubernetes audit logging to capture all API server requests. Send audit logs to your SIEM for analysis. Monitor for suspicious activities like secret access, RBAC changes, and pod exec sessions.
Kubernetes security is complex, but a hardened cluster is achievable with systematic effort. Explore our free Kubernetes and container security courses for hands-on practice with these techniques.