← Back to Blog

Kubernetes Security: 10 Essential Practices

2025-09-256 min readDevOps Consultant

Kubernetes Security: 10 Essential Practices

Kubernetes security doesn't have to be overwhelming. In this guide, I'll share 10 essential practices that will significantly improve your cluster security - all battle-tested in production environments.

1. Use RBAC Properly

Role-Based Access Control is your first line of defense. Never use cluster-admin unless absolutely necessary.

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: developer
  namespace: production
rules:
- apiGroups: ["apps"]
  resources: ["deployments", "replicasets"]
  verbs: ["get", "list", "watch"]
- apiGroups: [""]
  resources: ["pods", "pods/log"]
  verbs: ["get", "list"]

Key principle: Grant minimum necessary permissions. Developers don't need to delete namespaces or modify cluster resources.

2. Enable Pod Security Standards

Replace deprecated Pod Security Policies with Pod Security Standards:

apiVersion: v1
kind: Namespace
metadata:
  name: production
  labels:
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/audit: restricted
    pod-security.kubernetes.io/warn: restricted

This prevents:

  • Running containers as root
  • Privileged containers
  • Host network/PID/IPC access
  • Dangerous volume types

3. Implement Network Policies

By default, all pods can talk to all pods. Lock this down:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: api-network-policy
  namespace: production
spec:
  podSelector:
    matchLabels:
      app: api
  policyTypes:
  - Ingress
  - Egress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: frontend
    ports:
    - protocol: TCP
      port: 8080
  egress:
  - to:
    - podSelector:
        matchLabels:
          app: database
    ports:
    - protocol: TCP
      port: 5432

Result: API servers only accept traffic from frontend and only connect to databases.

4. Scan Images for Vulnerabilities

Integrate security scanning into your CI/CD:

# Using Trivy
trivy image --severity HIGH,CRITICAL myapp:latest

# Fail the build on high/critical vulnerabilities
trivy image --exit-code 1 --severity CRITICAL myapp:latest

Also use admission controllers like:

  • Kyverno - Block vulnerable images at deployment
  • OPA Gatekeeper - Enforce security policies

5. Secure Secrets Management

Never commit secrets to Git. Use one of these approaches:

External Secrets Operator

apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: database-credentials
spec:
  refreshInterval: 1h
  secretStoreRef:
    name: aws-secrets-manager
    kind: SecretStore
  target:
    name: db-secret
  data:
  - secretKey: password
    remoteRef:
      key: prod/database/password

Sealed Secrets

# Encrypt secret
kubeseal -f secret.yaml -w sealed-secret.yaml

# Commit sealed-secret.yaml to Git
# Controller decrypts in cluster

6. Limit Resource Usage

Prevent resource exhaustion attacks:

apiVersion: v1
kind: ResourceQuota
metadata:
  name: namespace-quota
  namespace: production
spec:
  hard:
    requests.cpu: "10"
    requests.memory: 20Gi
    limits.cpu: "20"
    limits.memory: 40Gi
    persistentvolumeclaims: "5"

Also set limits on individual pods:

resources:
  requests:
    memory: "256Mi"
    cpu: "250m"
  limits:
    memory: "512Mi"
    cpu: "500m"

7. Enable Audit Logging

Track all API server activity:

apiVersion: audit.k8s.io/v1
kind: Policy
rules:
- level: Metadata
  resources:
  - group: ""
    resources: ["secrets", "configmaps"]
- level: RequestResponse
  verbs: ["create", "update", "patch", "delete"]
  resources:
  - group: ""
    resources: ["pods", "services"]

Send logs to centralized logging (CloudWatch, ELK, Splunk) for analysis.

8. Use Security Contexts

Configure pod and container security:

apiVersion: v1
kind: Pod
metadata:
  name: secure-pod
spec:
  securityContext:
    runAsNonRoot: true
    runAsUser: 1000
    fsGroup: 2000
    seccompProfile:
      type: RuntimeDefault
  containers:
  - name: app
    image: myapp:latest
    securityContext:
      allowPrivilegeEscalation: false
      readOnlyRootFilesystem: true
      capabilities:
        drop:
        - ALL

This configuration:

  • Runs as non-root user
  • Prevents privilege escalation
  • Uses read-only filesystem
  • Drops all Linux capabilities

9. Implement Admission Controllers

Use admission webhooks to enforce policies:

# Kyverno policy example
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-labels
spec:
  validationFailureAction: enforce
  rules:
  - name: check-for-labels
    match:
      resources:
        kinds:
        - Pod
    validate:
      message: "Labels 'app' and 'team' are required"
      pattern:
        metadata:
          labels:
            app: "?*"
            team: "?*"

Common use cases:

  • Require specific labels
  • Enforce image registries
  • Block privileged containers
  • Require resource limits

10. Keep Everything Updated

This seems obvious, but it's critical:

  • Kubernetes cluster: Stay within 2 minor versions of latest
  • Node OS: Regular security patches
  • Container images: Rebuild monthly minimum
  • Helm charts: Update dependencies regularly

Automate updates where possible:

# For managed Kubernetes (EKS example)
eksctl upgrade cluster --name=production --approve

# For node updates
# Use node groups with auto-update enabled

Real-World Impact

I recently conducted a security audit for a client running 50+ microservices on Kubernetes. Implementing these 10 practices:

  • Reduced attack surface by 70%
  • Blocked 12 vulnerable images from deployment
  • Prevented 3 production incidents (caught in pre-prod)
  • Passed SOC 2 audit on first attempt

The best part? Most of these are one-time setup with minimal ongoing maintenance.

Quick Security Checklist

Use this checklist for your clusters:

  • RBAC configured with least privilege
  • Pod Security Standards enforced
  • Network Policies in place
  • Image scanning in CI/CD
  • Secrets management solution deployed
  • Resource quotas and limits set
  • Audit logging enabled
  • Security contexts configured
  • Admission controller policies active
  • Update schedule established

Getting Started

Don't try to implement everything at once:

  1. Week 1: RBAC and Pod Security Standards
  2. Week 2: Network Policies for critical services
  3. Week 3: Image scanning and secrets management
  4. Week 4: Resource limits and security contexts
  5. Ongoing: Audit logging and updates

Conclusion

Kubernetes security isn't a one-time task - it's an ongoing practice. These 10 essentials will give you a solid foundation that blocks most common attack vectors.

Start with the basics, measure your progress, and continuously improve. Your production environment will thank you.

Need help securing your Kubernetes clusters? Book a security assessment today.

Subscribe for More

Get weekly DevOps tips and tutorials delivered to your inbox. No spam, ever.

Work With Me