Module 06 · Kubernetes Security
Kubernetes Security Deep Dive
Kubernetes has become the de facto orchestration platform — and a high-value target. A misconfigured cluster is not a single compromised host; it is an entire environment exposed.
Eight critical domains every security team must understand to defend a K8s deployment.
Attack Surface
The K8s attack surface
API Server
Port 6443
The front door. Anonymous auth, exposed dashboards, and missing RBAC turn the API server into a remote code execution endpoint. Always require authn + authz.
etcd
Port 2379
The cluster brain. etcd stores all secrets, configs, and state in plaintext by default. Direct access = full cluster compromise. Encrypt at rest, restrict network access.
Kubelet
Port 10250
Node agent with exec capabilities. An unauthenticated kubelet API lets attackers run commands in any pod on that node. Disable anonymous auth.
Network
Pod-to-Pod
Flat networking by default. Every pod can talk to every other pod. No segmentation means lateral movement is trivial after initial access.
Tesla's 2018 cryptojacking incident started with an exposed Kubernetes dashboard — no authentication required.
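The kubelet and API server settings named above, written out as configuration. This is an added example, not part of the original module; the CA file path assumes a kubeadm-style layout.

```yaml
# KubeletConfiguration: the file passed to the kubelet with --config.
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
authentication:
  anonymous:
    enabled: false        # reject unauthenticated requests on port 10250
  webhook:
    enabled: true         # validate bearer tokens against the API server
  x509:
    clientCAFile: /etc/kubernetes/pki/ca.crt   # assumed path (kubeadm layout)
authorization:
  mode: Webhook           # ask the API server (RBAC) instead of AlwaysAllow
readOnlyPort: 0           # keep the unauthenticated read-only port (10255) closed

# kube-apiserver flags with the same intent (authn + authz on every request):
#   --anonymous-auth=false
#   --authorization-mode=Node,RBAC
```

Check load balancer and monitoring health probes before setting --anonymous-auth=false on the API server, since probes that rely on anonymous access will start failing.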
RBAC
RBAC and service accounts
Role-Based Access Control is your primary authorization mechanism. Get it wrong and every pod becomes cluster-admin.
| Concept | Scope | Risk if misconfigured |
|---|---|---|
| ClusterRole | Cluster-wide | Wildcard verbs/resources = god mode |
| Role | Namespace | Over-permissive namespace access |
| ServiceAccount | Pod identity | Default SA with mounted token = lateral movement |
| RoleBinding | Namespace | Binding to wrong subjects |
automountServiceAccountToken: false — set this on every pod that does not need API access. The default service account token is mounted into every pod unless you explicitly opt out.
Use dedicated service accounts per workload. Never grant cluster-admin to application service accounts.
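The guidance above as manifests. This is an added example, not taken from the original module; the namespace shop, the names orders-api and orders-config, and the image reference are hypothetical.

```yaml
# Dedicated identity for one workload; no token is mounted unless a pod opts in.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: orders-api            # hypothetical workload name
  namespace: shop             # hypothetical namespace
automountServiceAccountToken: false
---
# Namespaced Role: read one named ConfigMap, nothing else. No wildcards.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: orders-config-reader
  namespace: shop
rules:
  - apiGroups: [""]
    resources: ["configmaps"]
    resourceNames: ["orders-config"]
    verbs: ["get"]
---
# Bind the Role to that ServiceAccount only (not to a group or the default SA).
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: orders-config-reader
  namespace: shop
subjects:
  - kind: ServiceAccount
    name: orders-api
    namespace: shop
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: orders-config-reader
---
# This pod does call the API, so it opts back in; the pod-level field
# overrides the ServiceAccount default. Pods that never call the API omit it.
apiVersion: v1
kind: Pod
metadata:
  name: orders-api
  namespace: shop
spec:
  serviceAccountName: orders-api
  automountServiceAccountToken: true
  containers:
    - name: app
      image: registry.example.com/shop/orders-api:1.4.2   # placeholder image
```

To confirm the binding grants nothing extra, `kubectl auth can-i get secrets -n shop --as=system:serviceaccount:shop:orders-api` should answer no.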
Pod Security
Pod Security Standards
Kubernetes replaced PodSecurityPolicy (removed in v1.25) with Pod Security Standards enforced via the built-in admission controller.
Privileged
Unrestricted
No restrictions. Root, hostNetwork, hostPID, any capabilities. Reserved for system-level workloads like CNI plugins and logging agents only.
Baseline
Minimally restrictive
Prevents known privilege escalations. Blocks hostNetwork, hostPID, privileged containers. Suitable for most common workloads.
Restricted
Hardened
Best practice. Must run as non-root, drop ALL capabilities, use read-only root filesystem. The target for all application pods.
Apply at namespace level: pod-security.kubernetes.io/enforce: restricted. Use warn/audit modes during migration to catch violations before enforcement.
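A migration-stage namespace and a pod that satisfies the hardened profile, as an added example that is not part of the original module. The namespace, pod name, UID and image are hypothetical.

```yaml
# Migration step: enforce baseline now, surface restricted violations first.
apiVersion: v1
kind: Namespace
metadata:
  name: shop                                       # hypothetical namespace
  labels:
    pod-security.kubernetes.io/enforce: baseline
    pod-security.kubernetes.io/warn: restricted    # warning returned to the client
    pod-security.kubernetes.io/audit: restricted   # annotation in the audit log
    # Once the warnings stop, change enforce to restricted.
---
# A pod hardened as described above: non-root, no capabilities,
# read-only root filesystem, no privilege escalation, default seccomp.
apiVersion: v1
kind: Pod
metadata:
  name: orders-api
  namespace: shop
spec:
  automountServiceAccountToken: false
  securityContext:
    runAsNonRoot: true
    runAsUser: 10001                 # arbitrary non-zero UID
    seccompProfile:
      type: RuntimeDefault
  containers:
    - name: app
      image: registry.example.com/shop/orders-api:1.4.2   # placeholder image
      securityContext:
        allowPrivilegeEscalation: false
        readOnlyRootFilesystem: true
        capabilities:
          drop: ["ALL"]
      volumeMounts:
        - name: tmp
          mountPath: /tmp            # writable scratch space for the read-only rootfs
  volumes:
    - name: tmp
      emptyDir: {}
```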
Network Policies
Network segmentation in K8s
Without NetworkPolicy objects, Kubernetes networking is completely flat. Any pod can reach any other pod, any service, and often the cloud metadata endpoint.
Default Deny
Start with zero trust
Apply a default-deny ingress and egress policy to every namespace. Then explicitly allow only the traffic flows your application requires.
Namespace Isolation
Segment by environment
Production pods should never talk to dev. Use namespace labels and NetworkPolicies to enforce hard boundaries between environments.
Egress Controls
Limit outbound traffic
Block access to cloud metadata (169.254.169.254), restrict DNS to kube-dns only, and whitelist external endpoints. Prevents data exfiltration.
Service Mesh
mTLS everywhere
Istio, Linkerd, or Cilium provide mutual TLS between all pods. Encrypted pod-to-pod traffic and L7 policy enforcement beyond what NetworkPolicy supports.
Important: NetworkPolicy requires a CNI plugin that supports it (Calico, Cilium, Weave). Default kubenet does not enforce policies.
Secrets + Images
Secrets management and image security
Secrets
K8s secrets are not secret
Kubernetes Secrets are base64-encoded, not encrypted. Anyone with etcd access or RBAC permission to get Secrets can read them. Use external secrets operators (Vault, AWS Secrets Manager, SOPS) with CSI driver integration.
Image Scanning
Shift left on CVEs
Scan images in CI with Trivy, Grype, or Snyk. Block deployment of images with critical/high CVEs. Use minimal base images (distroless, Alpine) to reduce attack surface.
Admission Control
Policy as code
OPA/Gatekeeper or Kyverno enforce policies at admission time. Require image signatures, block latest tags, mandate resource limits, enforce labels.
Image Signing
Verify provenance
Sign images with Cosign (Sigstore). Admission controllers verify signatures before allowing deployment. Prevents tampered or unauthorized images from running.
Enable encryption at rest for etcd using an EncryptionConfiguration. This is not enabled by default on most distributions.
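What such an EncryptionConfiguration looks like, as an added example that is not part of the original module. The key name and key value are placeholders, and aescbc is one of several available providers.

```yaml
# Passed to kube-apiserver with --encryption-provider-config=<path to this file>.
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets
    providers:
      # The first provider is used for writes: new and updated Secrets
      # are encrypted before they reach etcd.
      - aescbc:
          keys:
            - name: key1                              # placeholder key name
              secret: <BASE64_ENCODED_32_BYTE_KEY>    # placeholder, generate your own
      # identity (no encryption) stays last so that Secrets written before
      # the change can still be read until they are rewritten.
      - identity: {}
```

Secrets that already exist stay in plaintext until they are written again, for example with `kubectl get secrets --all-namespaces -o json | kubectl replace -f -`. The key in this file sits on the control plane disk, so protect the file's permissions or use a kms provider to keep the key outside the cluster.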
Runtime Security
Runtime detection and response
Prevention fails eventually. Runtime security tools detect anomalous behavior inside running containers — the last line of defense.
Falco
Syscall monitoring
CNCF project that monitors Linux syscalls via kernel module or eBPF. Detects shell spawns in containers, sensitive file reads, unexpected network connections. Write custom rules for your threat model.
eBPF
Kernel-level observability
Cilium Tetragon and other eBPF-based tools provide deep visibility without sidecar overhead. Enforce security policies at the kernel level with near-zero performance impact.
Seccomp + AppArmor
Syscall filtering
Restrict which syscalls a container can make. RuntimeDefault seccomp profile blocks ~44 dangerous syscalls. AppArmor/SELinux add mandatory access controls.
Detection rules to prioritize: shell spawned in container, sensitive file read (/etc/shadow, token files), unexpected outbound connections, and binary executed from /tmp.
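Three of the four prioritized detections written as Falco rules. This is an added example, not rules from the original module or from the Falco project; it assumes Falco's default ruleset is loaded for the macros and list it references. The outbound-connection rule is left out because it depends on a per-workload allow-list.

```yaml
# Relies on Falco's default ruleset for the macros spawned_process,
# open_read and container, and for the list shell_binaries.
- rule: Shell spawned in container (example)
  desc: A shell process started inside a container
  condition: spawned_process and container and proc.name in (shell_binaries)
  output: >
    Shell in container (user=%user.name cmd=%proc.cmdline parent=%proc.pname
    pod=%k8s.pod.name ns=%k8s.ns.name image=%container.image.repository)
  priority: WARNING
  tags: [container, shell]

- rule: Sensitive file read in container (example)
  desc: Read of /etc/shadow or a mounted service account token
  condition: >
    open_read and container and
    (fd.name = /etc/shadow or
     fd.name startswith /var/run/secrets/kubernetes.io/serviceaccount/ or
     fd.name startswith /run/secrets/kubernetes.io/serviceaccount/)
  output: >
    Sensitive file read (file=%fd.name user=%user.name cmd=%proc.cmdline
    pod=%k8s.pod.name ns=%k8s.ns.name)
  priority: WARNING
  tags: [container, filesystem]

- rule: Binary executed from tmp in container (example)
  desc: A process whose executable lives under /tmp was started
  condition: spawned_process and container and proc.exepath startswith /tmp/
  output: >
    Execution from /tmp (exe=%proc.exepath cmd=%proc.cmdline user=%user.name
    pod=%k8s.pod.name ns=%k8s.ns.name)
  priority: CRITICAL
  tags: [container, process]
```

Workloads that legitimately call the Kubernetes API read their own token at startup, so the second rule needs exceptions for those pods before it is useful as an alert.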
Key Takeaway
CIS Kubernetes Benchmark
Remember this
The CIS Kubernetes Benchmark provides 200+ controls across master nodes, worker nodes, policies, and managed services. Run kube-bench to audit your cluster automatically.
Critical controls: disable anonymous API access, encrypt etcd at rest, enable audit logging, set Pod Security Standards to restricted, apply default-deny NetworkPolicies.
Kubernetes security is not a one-time setup. Clusters drift. Run automated compliance checks in CI/CD and alert on configuration changes.
Defense in depth: RBAC + Pod Security + Network Policies + Secrets Management + Runtime Detection. No single layer is sufficient.