Kubernetes Security Must Practices


There is no shortage of content on Kubernetes security best practices, but the moment something is labelled a 'best practice' many people file it under optional or nice to have.


In fact, there are MUST practices which, when missed, create a lot of unnecessary mess, and in several cases an outright security hole.


On a lighter note, if there were a kind of CAPTCHA that stopped someone from starting Kubernetes until these must-haves were in place, that would be awesome, wouldn't it?



1. RBAC Configured

Missing this?


Every service account and user could end up with far more permissions than it needs: a binding to cluster-admin, wildcard verbs and resources, or a role granted to the default service account that every pod in the namespace uses. That makes privilege escalation trivial: compromise one pod and you inherit the rights of the token mounted into it.


Define granular roles, bind only the permissions each workload needs, and audit the result with kubectl auth can-i. In particular, kubectl auth can-i --list --as=system:serviceaccount:<ns>:<sa> shows exactly what a given service account may do, which is what an attacker inside that pod would get.


Regularly check for misconfigurations using kubectl get rolebindings,clusterrolebindings --all-namespaces (no space after the comma) and look for bindings to cluster-admin, roles with "*" in verbs or resources, and subjects such as system:authenticated, system:unauthenticated, system:anonymous or the default service account.
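The audit commands above turned into a small script, as an added example that is not part of the original post. It dumps every binding as one tab-separated line per binding, flags the usual trouble signs (bindings to cluster-admin, grants to system:authenticated / system:unauthenticated / system:anonymous, grants to the default service account) and prints the effective rights of one service account. The sample data is constructed; on a real cluster the stock cluster-admin binding to Group system:masters and the system:basic-user, system:discovery and system:public-info-viewer bindings are expected hits, and kubectl must be pointed at the cluster you want to audit.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: dump every binding, flag the risky ones.
# Assumes kubectl is pointed at the cluster you want to audit.

# One line per binding: kind, name, namespace (empty = cluster scope), roleRef,
# then a comma-terminated list of Kind:name subjects.
dump_bindings() {
  kubectl get clusterrolebindings -o jsonpath='{range .items[*]}ClusterRoleBinding{"\t"}{.metadata.name}{"\t"}{.metadata.namespace}{"\t"}{.roleRef.name}{"\t"}{range .subjects[*]}{.kind}:{.name},{end}{"\n"}{end}'
  kubectl get rolebindings --all-namespaces -o jsonpath='{range .items[*]}RoleBinding{"\t"}{.metadata.name}{"\t"}{.metadata.namespace}{"\t"}{.roleRef.name}{"\t"}{range .subjects[*]}{.kind}:{.name},{end}{"\n"}{end}'
}

# Reads dump_bindings output on stdin and prints each risky binding with the reasons.
# Expected hits on a stock cluster: cluster-admin -> Group system:masters, and the
# system:basic-user / system:discovery / system:public-info-viewer bindings.
# Everything else on the list needs an owner and a justification.
flag_risky_bindings() {
  awk -F'\t' '
  {
    kind = $1; name = $2; ns = ($3 == "" ? "-" : $3); role = $4; subjects = $5
    why = ""
    if (role == "cluster-admin")
      why = why " binds cluster-admin;"
    if (subjects ~ /(^|,)Group:system:(authenticated|unauthenticated),/)
      why = why " granted to every (un)authenticated principal;"
    if (subjects ~ /(^|,)User:system:anonymous,/)
      why = why " granted to anonymous;"
    if (subjects ~ /(^|,)ServiceAccount:default,/)
      why = why " granted to the default service account;"
    if (why != "")
      printf "%s/%s ns=%s role=%s subjects=%s ->%s\n", kind, name, ns, role, subjects, why
  }'
}

# What one service account can actually do, as a pod holding its token sees it.
sa_rights() {  # usage: sa_rights <namespace> <serviceaccount>
  kubectl auth can-i --list -n "$1" --as="system:serviceaccount:$1:$2"
}

# Constructed sample standing in for dump_bindings output (no cluster needed).
sample_bindings() {
  printf 'ClusterRoleBinding\tcluster-admin\t\tcluster-admin\tGroup:system:masters,\n'
  printf 'ClusterRoleBinding\tci-deploy\t\tcluster-admin\tServiceAccount:ci-runner,\n'
  printf 'RoleBinding\tdev-read\tdev\tview\tGroup:developers,\n'
  printf 'RoleBinding\tlegacy-app\tprod\tedit\tServiceAccount:default,\n'
  printf 'ClusterRoleBinding\tsystem:public-info-viewer\t\tsystem:public-info-viewer\tGroup:system:authenticated,Group:system:unauthenticated,\n'
}

# Live:    dump_bindings | flag_risky_bindings
# Dry run: sample_bindings | flag_risky_bindings   (flags 4 of the 5 sample lines)
```

The script only looks at bindings; wildcard rules live in the roles themselves, so pair it with a look at the roles the flagged bindings reference (kubectl get clusterrole <name> -o yaml) before signing anything off.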


2. Rate Limiting

Missing this?


A misconfigured automation script, a crash-looping controller or a rogue user can flood your API server, starving kubelets and controllers of API access and taking the cluster down: a self-inflicted DoS.


Use API Priority and Fairness (APF) to keep one client from monopolising the API server. It has been on by default since Kubernetes 1.20 (GA in 1.29): requests are classified by FlowSchema into priority levels, each with its own concurrency budget and queues, and you can add a FlowSchema that pushes a known-noisy service account into a low-priority, queued level. Note that APF bounds concurrency per priority level rather than enforcing a fixed requests-per-second quota; requests that overflow a queue get HTTP 429.


For traffic entering through an Ingress, set limits in ingress-nginx with the nginx.ingress.kubernetes.io/limit-rps and limit-connections annotations (they compile to nginx limit_req and limit_conn directives keyed on the client IP) to throttle excessive requests before they reach your pods.
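Putting one known-noisy client into its own queued priority level, plus the ingress-nginx annotations, as an added example that is not part of the original post. The service account ci-runner in namespace ci, the Ingress and its backend service are assumptions; the flowcontrol v1 API needs Kubernetes 1.29 or later (use v1beta3 on older clusters), and the annotations need ingress-nginx.

```bash
#!/usr/bin/env bash
# Added example, not from the original post. Assumes Kubernetes 1.29+ (flowcontrol
# v1), ingress-nginx, a service account ci/ci-runner known to hammer the API, and
# an Ingress "api" in namespace prod fronting a service "api" on port 8080.

apply_rate_limits() {
kubectl apply -f - <<'EOF'
apiVersion: flowcontrol.apiserver.k8s.io/v1
kind: PriorityLevelConfiguration
metadata:
  name: ci-bots
spec:
  type: Limited
  limited:
    nominalConcurrencyShares: 5       # small slice of total apiserver concurrency
    limitResponse:
      type: Queue                     # queue bursts instead of rejecting outright
      queuing:
        queues: 16
        handSize: 4
        queueLengthLimit: 50          # beyond this, the request gets HTTP 429
---
apiVersion: flowcontrol.apiserver.k8s.io/v1
kind: FlowSchema
metadata:
  name: ci-bots
spec:
  priorityLevelConfiguration:
    name: ci-bots
  matchingPrecedence: 1000            # lower = evaluated before the built-in catch-alls
  distinguisherMethod:
    type: ByUser
  rules:
  - subjects:
    - kind: ServiceAccount
      serviceAccount:
        name: ci-runner
        namespace: ci
    resourceRules:
    - verbs: ["*"]
      apiGroups: ["*"]
      resources: ["*"]
      clusterScope: true
      namespaces: ["*"]
    nonResourceRules:
    - verbs: ["*"]
      nonResourceURLs: ["*"]
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: api
  namespace: prod
  annotations:
    # ingress-nginx turns these into limit_req / limit_conn keyed on client IP;
    # excess requests get HTTP 503 unless limit-req-status-code is changed.
    nginx.ingress.kubernetes.io/limit-rps: "10"
    nginx.ingress.kubernetes.io/limit-burst-multiplier: "3"
    nginx.ingress.kubernetes.io/limit-connections: "20"
spec:
  ingressClassName: nginx
  rules:
  - host: api.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: api
            port:
              number: 8080
EOF
}

# Checks: is the new level seeing traffic, and is anything being rejected?
apf_status() {
  kubectl get --raw /debug/api_priority_and_fairness/dump_priority_levels | grep -E 'PriorityLevelName|ci-bots'
  kubectl get --raw /metrics | grep -E 'apiserver_flowcontrol_(rejected|dispatched)_requests_total.*ci-bots'
}

# apply_rate_limits && apf_status
```

The FlowSchema matches the service account on every verb and resource on purpose: the goal is to cap what that identity as a whole can do to the API server, not to protect one endpoint.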


3. Encryption

Missing this?


Secrets in etcd are stored unencrypted by default. The base64 you see in kubectl output is an encoding, not encryption, so anyone who can read etcd, its backups or a disk snapshot has every Secret in the cluster.


Enable encryption at rest with an EncryptionConfiguration file passed to kube-apiserver via --encryption-provider-config, then rewrite the existing Secrets so they are actually stored under the new provider (enabling the flag only affects future writes), and enforce TLS with client certificates on every control-plane path: apiserver to etcd, kubelet to apiserver, etcd peer to peer.


Prefer the KMS v2 provider backed by an external KMS or vault so that the data-encryption keys never sit in the clear on the control-plane disk. With the aescbc, aesgcm or secretbox providers the key lives in the config file next to the API server, so a control-plane host compromise is also a key compromise.
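The full sequence of configuration, migration and verification, as an added example that is not part of the original post. It assumes a kubeadm-style control plane (static pod manifest, etcd certificates under /etc/kubernetes/pki/etcd), a KMS v2 plugin named vault-kms listening on the socket shown, and local etcdctl access; only etcd_value_is_encrypted runs without a cluster, on constructed input.

```bash
#!/usr/bin/env bash
# Added example, not from the original post. Assumes a kubeadm-style control
# plane, a KMS v2 plugin named vault-kms on the socket below, and etcdctl with
# the etcd server certificates. Adjust names and paths to your environment.

# 1. EncryptionConfiguration on the control-plane host. The first provider
#    encrypts new writes; every listed provider is tried on reads, so the
#    trailing identity provider keeps not-yet-migrated objects readable.
write_encryption_config() {
  sudo mkdir -p /etc/kubernetes/enc
  sudo tee /etc/kubernetes/enc/enc.yaml >/dev/null <<'EOF'
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets
    providers:
      - kms:
          apiVersion: v2
          name: vault-kms                          # becomes part of the etcd prefix
          endpoint: unix:///var/run/kmsplugin/socket.sock
          timeout: 3s
      - identity: {}                               # drop after migrate_secrets has run
EOF
  # 2. Add to the kube-apiserver static pod manifest (/etc/kubernetes/manifests):
  #      --encryption-provider-config=/etc/kubernetes/enc/enc.yaml
  #      --encryption-provider-config-automatic-reload=true
  #    and mount /etc/kubernetes/enc into the container; kubelet restarts the
  #    apiserver when the manifest changes.
}

# 3. Rewrite every existing Secret so it is re-stored under the KMS provider.
migrate_secrets() {
  kubectl get secrets --all-namespaces -o json | kubectl replace -f -
}

# 4. Verify at the etcd layer. An encrypted value starts with the envelope
#    prefix k8s:enc:kms:v2:<name>:, a plaintext protobuf value starts with
#    "k8s" followed by a NUL byte. Reads the raw value on stdin.
etcd_value_is_encrypted() {
  prefix=$(head -c 8 | tr -d '\000')
  [ "$prefix" = "k8s:enc:" ]
}

check_secret() {  # usage: check_secret <namespace> <name>
  ETCDCTL_API=3 etcdctl --endpoints=https://127.0.0.1:2379 \
    --cacert=/etc/kubernetes/pki/etcd/ca.crt \
    --cert=/etc/kubernetes/pki/etcd/server.crt \
    --key=/etc/kubernetes/pki/etcd/server.key \
    get "/registry/secrets/$1/$2" --print-value-only | etcd_value_is_encrypted \
    && echo "$1/$2: encrypted" || echo "$1/$2: PLAINTEXT"
}

# Order: write_encryption_config; (edit the apiserver manifest); migrate_secrets;
#        check_secret default my-secret
```

Run check_secret on a Secret created before the change as well as one created after it: the first proves the migration worked, the second proves the provider is active. Once every Secret reports encrypted, remove the identity provider so a misconfigured apiserver can never silently fall back to plaintext writes.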


4. Ephemeral Containers

Missing this?


Debugging with kubectl exec only works if the target container ships a shell and tooling, which pushes teams towards fat production images, baked-in debugging tools, or broadly granted pods/exec rights (a verb that lets its holder run arbitrary commands as the workload). Each of those widens the attack surface.


Use kubectl debug to attach an ephemeral container (kubectl debug -it <pod> --image=<toolbox> --target=<container>) that shares the target's process namespace without modifying the running workload or its image. Ephemeral containers are GA since Kubernetes 1.25; they cannot be removed again, so the pod is recreated on the next rollout.


Restrict pods/exec with RBAC to avoid unnecessary privilege escalation, and treat pods/ephemeralcontainers and pods/attach the same way, since an ephemeral container with --target sees the target's processes and, through /proc/<pid>/root, its filesystem.
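Debugging with an ephemeral container and a debug role that deliberately has no pods/exec, as an added example that is not part of the original post; pod, container, namespace, group and user names are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not from the original post. Pod checkout-7c9d8 with container
# "app" in namespace prod, group "oncall" and user "alice" are assumptions.

# Attach a toolbox container that shares the target's PID namespace. The app
# image and pod spec stay untouched; the ephemeral container cannot be removed
# again, so the pod is simply recreated on the next rollout.
debug_pod() {  # usage: debug_pod <namespace> <pod> <container>
  kubectl -n "$1" debug -it "pod/$2" --image=busybox:1.36 --target="$3" -- sh
  # Inside the debug shell, for example:
  #   ps aux                       # the app's processes via the shared PID namespace
  #   cat /proc/1/root/etc/hosts   # the app container's filesystem
}

# Role for the on-call team: read pods and logs, add ephemeral containers and
# attach to them, but no pods/exec and no pods/portforward.
apply_debug_role() {
kubectl apply -f - <<'EOF'
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-debugger
  namespace: prod
rules:
- apiGroups: [""]
  resources: ["pods", "pods/log"]
  verbs: ["get", "list", "watch"]
- apiGroups: [""]
  resources: ["pods/ephemeralcontainers"]
  verbs: ["update", "patch"]     # kubectl debug writes the ephemeralcontainers subresource
- apiGroups: [""]
  resources: ["pods/attach"]
  verbs: ["create"]              # needed for -it
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: oncall-pod-debugger
  namespace: prod
subjects:
- kind: Group
  name: oncall
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-debugger
  apiGroup: rbac.authorization.k8s.io
EOF
}

# Check what the role allows and, more importantly, what it does not.
check_debug_role() {
  kubectl -n prod auth can-i update pods/ephemeralcontainers --as=alice --as-group=oncall   # yes
  kubectl -n prod auth can-i create pods/exec --as=alice --as-group=oncall                 # no
  kubectl -n prod auth can-i create pods/portforward --as=alice --as-group=oncall          # no
}

# apply_debug_role && check_debug_role && debug_pod prod checkout-7c9d8 app
```

kubectl debug node/<node> and kubectl debug --copy-to with --share-processes open a host-level or privileged path that this role does not cover; keep those behind a separate, tightly bound role rather than folding them into the everyday debug role.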


5. Probes (Liveness, Readiness, Startup)

Missing this?


Kubernetes won't know when your app is unhealthy, so stale or failing replicas keep receiving traffic and never get restarted.


Implement readiness and liveness probes in your Deployment manifests so that failed containers get restarted and only ready pods receive Service traffic, and add a startup probe for slow-starting apps so the liveness probe does not kill them mid-boot.


Regularly test probe behavior before deployments: an over-aggressive liveness probe turns a slow dependency into a restart storm, and a liveness probe that checks downstream services can take a whole tier out at once.
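A Deployment carrying all three probes with the timing rationale in comments, as an added example that is not part of the original post; the app name, image, port and endpoint paths are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not from the original post. App "checkout" in namespace prod,
# its image and the /healthz and /ready endpoints are assumptions.

apply_checkout() {
kubectl apply -f - <<'EOF'
apiVersion: apps/v1
kind: Deployment
metadata:
  name: checkout
  namespace: prod
spec:
  replicas: 3
  selector:
    matchLabels: {app: checkout}
  template:
    metadata:
      labels: {app: checkout}
    spec:
      containers:
      - name: app
        image: registry.example.com/shop/checkout:1.4.2
        ports:
        - containerPort: 8080
        # Startup: allows up to 30 x 5s = 150s to boot; liveness and readiness
        # are held back until this succeeds once.
        startupProbe:
          httpGet: {path: /healthz, port: 8080}
          periodSeconds: 5
          failureThreshold: 30
        # Liveness: a cheap, local check only. Never call the database or a
        # downstream service here, or their outage becomes a restart storm.
        livenessProbe:
          httpGet: {path: /healthz, port: 8080}
          periodSeconds: 10
          timeoutSeconds: 2
          failureThreshold: 3
        # Readiness: may check dependencies. Failing it only removes the pod
        # from Service endpoints; it does not restart the container.
        readinessProbe:
          httpGet: {path: /ready, port: 8080}
          periodSeconds: 5
          timeoutSeconds: 2
          failureThreshold: 3
EOF
}

# Probe failures surface as Unhealthy events and as rising RESTARTS counts.
check_probes() {
  kubectl -n prod rollout status deploy/checkout
  kubectl -n prod get pods -l app=checkout
  kubectl -n prod get events --field-selector reason=Unhealthy
}

# apply_checkout && check_probes
```

Before shipping, deliberately break /ready on one pod and confirm that it leaves the Service endpoints without being restarted, then break /healthz and confirm the container restarts; the two probes should fail in visibly different ways.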


6. Namespace Isolation

Missing this?


Without isolation, workloads can interact freely: by default every pod can reach every other pod and Service in the cluster, so one compromised container becomes a launch point against everything else.


Use namespaces per team or application and enforce NetworkPolicy objects to restrict pod-to-pod communication, starting from a default-deny policy in each namespace and then allowing only the flows each app needs. Namespaces alone do not isolate the network, and a NetworkPolicy only takes effect if the CNI plugin enforces it (Calico, Cilium and most managed offerings do; plain flannel does not), so test that a cross-namespace connection really fails.


Ensure RBAC policies are scoped at the namespace level (Role and RoleBinding rather than ClusterRole and ClusterRoleBinding), so one team's credentials cannot reach another team's namespace.


7. PodDisruptionBudget (PDB)

Missing this?


Node drains (upgrades, autoscaler scale-down, spot reclaims) can evict all replicas of a critical application at once, leading to downtime.


Define PDBs to keep a minimum number of pods available during voluntary disruptions (minAvailable or maxUnavailable). Do not set minAvailable equal to the replica count, or the drain can never proceed and node upgrades wedge.


Validate using kubectl describe pdb <your-app> and check that Allowed disruptions is non-zero once all replicas are Ready; a permanent 0 means drains will hang.
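A PDB for the three-replica Deployment and the check, as an added example that is not part of the original post; the app label and namespace are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not from the original post. Pods labelled app=checkout in
# namespace prod (3 replicas) are assumptions.

apply_pdb() {
kubectl apply -f - <<'EOF'
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
  name: checkout
  namespace: prod
spec:
  # With 3 replicas, maxUnavailable: 1 lets a drain move one pod at a time.
  # minAvailable: 3 (or 100%) would block every drain and wedge node upgrades.
  # With a single replica, minAvailable: 1 has the same wedging effect.
  maxUnavailable: 1
  selector:
    matchLabels: {app: checkout}
EOF
}

# ALLOWED DISRUPTIONS must be > 0 once all replicas are Ready; 0 means drains hang.
check_pdb() {
  kubectl -n prod get pdb checkout
  kubectl -n prod describe pdb checkout | grep -E 'Min available|Max unavailable|Allowed disruptions'
}

# apply_pdb && check_pdb
```

A PDB only governs voluntary disruptions (drain, eviction API); it does nothing for a node that dies, so it complements replica spread (topologySpreadConstraints or anti-affinity) rather than replacing it.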


8. Approved Images

Missing this?


Pulling unverified images exposes your cluster to supply-chain attacks: a mutable tag such as latest can be repointed at a backdoored image without any change on your side, and nothing in a plain image pull proves who built it.


Implement image signing and verification using Cosign (cosign sign / cosign verify) so that only images signed with your key or OIDC identity are admitted, and sign by digest rather than by tag.


Enforce registry restrictions and signature checks at admission via ImagePolicyWebhook or Kyverno policies, and pin images by digest so that what was scanned and signed is what actually runs.


Use tools like Trivy to scan images before deployment, and rescan them on a schedule, since new CVEs are published against images that were clean when they shipped.
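Scan, sign by digest, verify, and then admit only signed images from one registry via a Kyverno ClusterPolicy, as an added example that is not part of the original post. The registry, image, key files (cosign.key / cosign.pub) and policy names are assumptions; Kyverno, cosign, trivy and crane are assumed to be installed. ImagePolicyWebhook is the built-in alternative to the Kyverno rule.

```bash
#!/usr/bin/env bash
# Added example, not from the original post. Registry registry.example.com, the
# image below, cosign.key/cosign.pub and the policy names are assumptions.

IMG=registry.example.com/shop/checkout:1.4.2

# CI side: fail on serious CVEs, then sign the digest (not the tag) so the
# signature cannot be moved onto a different image hidden behind the same tag.
scan_sign_verify() {
  trivy image --exit-code 1 --severity HIGH,CRITICAL --ignore-unfixed "$IMG" || return 1
  DIGEST=$(crane digest "$IMG") || return 1
  cosign sign --key cosign.key "${IMG%:*}@${DIGEST}"
  cosign verify --key cosign.pub "${IMG%:*}@${DIGEST}"
}

# Cluster side: only our registry, only signed images, tags rewritten to digests.
apply_image_policy() {
  PUBKEY=$(sed 's/^/              /' cosign.pub)   # indent to sit under publicKeys
kubectl apply -f - <<EOF
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: approved-images
spec:
  validationFailureAction: Enforce
  background: false
  rules:
  - name: only-our-registry
    match:
      any:
      - resources:
          kinds: [Pod]
    validate:
      message: "images must come from registry.example.com"
      pattern:
        spec:
          =(initContainers):
          - image: "registry.example.com/*"
          =(ephemeralContainers):
          - image: "registry.example.com/*"
          containers:
          - image: "registry.example.com/*"
  - name: verify-signature
    match:
      any:
      - resources:
          kinds: [Pod]
    verifyImages:
    - imageReferences:
      - "registry.example.com/*"
      mutateDigest: true              # admitted Pod spec carries the digest, not the tag
      attestors:
      - entries:
        - keys:
            publicKeys: |-
${PUBKEY}
EOF
}

# Both of these must be rejected at admission; server-side dry-run exercises the webhook.
check_policy() {
  kubectl -n prod run t1 --image=docker.io/library/nginx:1.27 --dry-run=server
  kubectl -n prod run t2 --image=registry.example.com/shop/unsigned:0.1 --dry-run=server
}

# scan_sign_verify && apply_image_policy && check_policy
```

The registry rule covers initContainers and ephemeralContainers as well as containers because an attacker who can only add an init container still gets code execution in the pod; an allow-list that only looks at containers[] is easy to walk around.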


Not following these MUST Practices isn’t just bad hygiene - it’s a security risk.


Set them up, enforce them, and audit them regularly.

 
 
 
