Kubernetes Security Hardening: A DevSecOps Engineer's Playbook
Kubernetes security isn't an afterthought—it should be built into every layer of your cluster from day one. After securing dozens of production K8s environments, here's my battle-tested approach to hardening clusters.
The Kubernetes Security Model Reality Check
Most organizations deploy Kubernetes with defaults that prioritize convenience over security. That's a mistake that will bite you later. Let's fix that from the ground up.
Security Layers in Kubernetes
Think of K8s security like an onion:
- Cluster Infrastructure (nodes, network, etcd)
- Kubernetes API (RBAC, admission controllers)
- Workload Security (pods, containers, images)
- Runtime Security (monitoring, incident response)
Cluster Infrastructure Hardening
Node Security Configuration
Start with hardened node images and proper configuration:
terminal
bash
# CIS Kubernetes Benchmark automated checks curl -sSL https://github.com/aquasecurity/kube-bench/releases/latest/download/kube-bench_linux_amd64.tar.gz | tar xz ./kube-bench --config-dir cfg/ --config cfg/config.yaml # Network security - disable unnecessary services systemctl disable --now cups systemctl disable --now bluetooth systemctl disable --now avahi-daemon # Kernel hardening echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf echo 'net.bridge.bridge-nf-call-iptables = 1' >> /etc/sysctl.conf echo 'kernel.kptr_restrict = 2' >> /etc/sysctl.conf sysctl -p
etcd Security Best Practices
Protect the brain of your cluster:
yaml
yaml
# etcd TLS configuration apiVersion: v1 kind: Pod metadata: name: etcd spec: containers: - name: etcd image: k8s.gcr.io/etcd:3.5.1-0 command: - etcd - --cert-file=/etc/kubernetes/pki/etcd/server.crt - --key-file=/etc/kubernetes/pki/etcd/server.key - --trusted-ca-file=/etc/kubernetes/pki/etcd/ca.crt - --client-cert-auth=true - --peer-cert-file=/etc/kubernetes/pki/etcd/peer.crt - --peer-key-file=/etc/kubernetes/pki/etcd/peer.key - --peer-trusted-ca-file=/etc/kubernetes/pki/etcd/ca.crt - --peer-client-cert-auth=true - --auto-tls=false - --peer-auto-tls=false
API Server Hardening
Robust RBAC Configuration
Implement least privilege access from day one:
yaml
yaml
# Example: Developer role with limited permissions apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: namespace: development name: developer rules: - apiGroups: [""] resources: ["pods", "services", "configmaps", "secrets"] verbs: ["get", "list", "create", "update", "patch", "delete"] - apiGroups: ["apps"] resources: ["deployments", "replicasets"] verbs: ["get", "list", "create", "update", "patch", "delete"] - apiGroups: [""] resources: ["pods/exec", "pods/portforward"] verbs: ["create"] --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: developer-binding namespace: development subjects: - kind: User name: jane.developer apiGroup: rbac.authorization.k8s.io roleRef: kind: Role name: developer apiGroup: rbac.authorization.k8s.io
Admission Controllers Configuration
Enable security-focused admission controllers:
yaml
yaml
# API server configuration apiVersion: v1 kind: Pod metadata: name: kube-apiserver spec: containers: - name: kube-apiserver image: k8s.gcr.io/kube-apiserver:v1.28.0 command: - kube-apiserver - --enable-admission-plugins=NodeRestriction,ResourceQuota,LimitRanger,SecurityContextDeny,PodSecurityPolicy,AlwaysPullImages - --audit-log-path=/var/log/audit.log - --audit-log-maxage=30 - --audit-log-maxbackup=10 - --audit-log-maxsize=100 - --audit-policy-file=/etc/kubernetes/audit-policy.yaml
Comprehensive Audit Policy
Track everything that matters:
yaml
yaml
# /etc/kubernetes/audit-policy.yaml apiVersion: audit.k8s.io/v1 kind: Policy rules: # Log all security-sensitive operations at Metadata level - level: Metadata namespaces: ["kube-system", "kube-public"] verbs: ["create", "update", "patch", "delete"] # Log all secret operations - level: RequestResponse resources: - group: "" resources: ["secrets"] # Log RBAC changes - level: RequestResponse resources: - group: "rbac.authorization.k8s.io" # Log pod exec and portforward - level: Request resources: - group: "" resources: ["pods/exec", "pods/portforward"] # Log everything else at Metadata level - level: Metadata omitStages: - RequestReceived
Pod Security Standards Implementation
Replace deprecated PodSecurityPolicy with Pod Security Standards:
yaml
yaml
# Namespace with restricted security profile apiVersion: v1 kind: Namespace metadata: name: production labels: pod-security.kubernetes.io/enforce: restricted pod-security.kubernetes.io/audit: restricted pod-security.kubernetes.io/warn: restricted
Secure Pod Configuration Template
yaml
yaml
apiVersion: v1 kind: Pod metadata: name: secure-app spec: securityContext: runAsNonRoot: true runAsUser: 10001 runAsGroup: 10001 fsGroup: 10001 seccompProfile: type: RuntimeDefault containers: - name: app image: myapp:v1.0.0 securityContext: allowPrivilegeEscalation: false readOnlyRootFilesystem: true runAsNonRoot: true runAsUser: 10001 capabilities: drop: - ALL resources: requests: memory: "64Mi" cpu: "250m" limits: memory: "128Mi" cpu: "500m" volumeMounts: - name: tmp mountPath: /tmp - name: cache mountPath: /app/cache volumes: - name: tmp emptyDir: {} - name: cache emptyDir: {}
Network Security Implementation
NetworkPolicies for Microsegmentation
Implement zero-trust networking:
yaml
yaml
# Default deny-all policy apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: default-deny-all namespace: production spec: podSelector: {} policyTypes: - Ingress - Egress --- # Allow specific communication patterns apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: web-to-api namespace: production spec: podSelector: matchLabels: app: api-server policyTypes: - Ingress ingress: - from: - podSelector: matchLabels: app: web-frontend ports: - protocol: TCP port: 8080
Service Mesh Security with Istio
Implement mTLS and fine-grained access control:
yaml
yaml
# Enable strict mTLS apiVersion: security.istio.io/v1beta1 kind: PeerAuthentication metadata: name: default namespace: production spec: mtls: mode: STRICT --- # Authorization policy apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: name: api-access namespace: production spec: selector: matchLabels: app: api-server action: ALLOW rules: - from: - source: principals: ["cluster.local/ns/production/sa/web-frontend"] - to: - operation: methods: ["GET", "POST"] paths: ["/api/v1/*"]
Container and Image Security
Image Security Scanning Pipeline
Integrate security scanning into your CI/CD:
terminal
bash
#!/bin/bash # Image security scanning script IMAGE_NAME=$1 SEVERITY_THRESHOLD="HIGH" # Trivy scanning trivy image --severity ${SEVERITY_THRESHOLD},CRITICAL --exit-code 1 ${IMAGE_NAME} if [ $? -ne 0 ]; then echo "Image failed security scan with ${SEVERITY_THRESHOLD} or CRITICAL vulnerabilities" exit 1 fi # Cosign image signing verification cosign verify --key cosign.pub ${IMAGE_NAME} if [ $? -ne 0 ]; then echo "Image signature verification failed" exit 1 fi echo "Image passed security checks"
Distroless Container Best Practices
Use minimal base images:
dockerfile
dockerfile
# Multi-stage build with distroless final image FROM golang:1.19-alpine AS builder WORKDIR /app COPY . . RUN CGO_ENABLED=0 GOOS=linux go build -a -ldflags '-extldflags "-static"' -o main . FROM gcr.io/distroless/static-debian11 COPY --from=builder /app/main / EXPOSE 8080 USER 10001 ENTRYPOINT ["/main"]
Runtime Security Monitoring
Falco Rules for Runtime Threat Detection
Deploy Falco for runtime security monitoring:
yaml
yaml
# Custom Falco rules - rule: Unexpected K8s NodePort Connection desc: Detect attempts to connect to K8s NodePort services condition: > (inbound_outbound) and fd.sport >= 30000 and fd.sport <= 32767 and not proc.name in (kube-proxy, kubelet) output: > Unexpected K8s NodePort connection (connection=%fd.name sport=%fd.sport dport=%fd.dport proc=%proc.name command=%proc.cmdline) priority: WARNING - rule: Detect crypto mining desc: Detect cryptocurrency mining activities condition: > spawned_process and (proc.name in (xmrig, minergate, ccminer, cgminer) or proc.cmdline contains "stratum+tcp" or proc.cmdline contains "mining.pool") output: > Crypto mining process detected (user=%user.name command=%proc.cmdline) priority: CRITICAL
OPA Gatekeeper Policies
Implement policy-as-code with Gatekeeper:
yaml
yaml
# Require security context apiVersion: templates.gatekeeper.sh/v1beta1 kind: ConstraintTemplate metadata: name: k8srequiredsecuritycontext spec: crd: spec: names: kind: K8sRequiredSecurityContext validation: openAPIV3Schema: type: object targets: - target: admission.k8s.gatekeeper.sh rego: | package k8srequiredsecuritycontext violation[{"msg": msg}] { container := input.review.object.spec.containers[_] not container.securityContext.runAsNonRoot msg := "Container must run as non-root user" } violation[{"msg": msg}] { container := input.review.object.spec.containers[_] container.securityContext.allowPrivilegeEscalation != false msg := "Container must not allow privilege escalation" } --- apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sRequiredSecurityContext metadata: name: must-have-security-context spec: match: kinds: - apiGroups: [""] kinds: ["Pod"] namespaces: ["production", "staging"]
Secrets Management Strategy
External Secrets Operator Configuration
Never store secrets in etcd:
yaml
yaml
# External Secrets Operator with AWS Secrets Manager apiVersion: external-secrets.io/v1beta1 kind: SecretStore metadata: name: aws-secrets-manager namespace: production spec: provider: aws: service: SecretsManager region: us-west-2 auth: secretRef: accessKeyID: name: awssm-secret key: access-key secretAccessKey: name: awssm-secret key: secret-access-key --- apiVersion: external-secrets.io/v1beta1 kind: ExternalSecret metadata: name: database-credentials namespace: production spec: refreshInterval: 15s secretStoreRef: name: aws-secrets-manager kind: SecretStore target: name: db-credentials creationPolicy: Owner data: - secretKey: username remoteRef: key: prod/database property: username - secretKey: password remoteRef: key: prod/database property: password
Automated Security Testing
Kubernetes Security Testing Script
python
python
#!/usr/bin/env python3 """ Kubernetes Security Assessment Script """ import subprocess import json import sys from typing import List, Dict class K8sSecurityChecker: def __init__(self): self.results = [] def run_kube_bench(self) -> Dict: """Run CIS Kubernetes Benchmark checks""" try: result = subprocess.run( ['kube-bench', '--json'], capture_output=True, text=True, check=True ) return json.loads(result.stdout) except subprocess.CalledProcessError: return {"error": "kube-bench failed"} def check_rbac_permissions(self) -> List[Dict]: """Check for overly permissive RBAC""" dangerous_permissions = [] # Check for cluster-admin bindings try: result = subprocess.run([ 'kubectl', 'get', 'clusterrolebindings', '-o', 'json' ], capture_output=True, text=True, check=True) bindings = json.loads(result.stdout) for binding in bindings['items']: if binding['roleRef']['name'] == 'cluster-admin': dangerous_permissions.append({ 'type': 'cluster-admin-binding', 'name': binding['metadata']['name'], 'subjects': binding.get('subjects', []) }) except subprocess.CalledProcessError: pass return dangerous_permissions def check_pod_security_standards(self) -> List[Dict]: """Check Pod Security Standards compliance""" violations = [] try: result = subprocess.run([ 'kubectl', 'get', 'pods', '--all-namespaces', '-o', 'json' ], capture_output=True, text=True, check=True) pods = json.loads(result.stdout) for pod in pods['items']: issues = self._analyze_pod_security(pod) if issues: violations.append({ 'pod': f"{pod['metadata']['namespace']}/{pod['metadata']['name']}", 'issues': issues }) except subprocess.CalledProcessError: pass return violations def _analyze_pod_security(self, pod: Dict) -> List[str]: """Analyze individual pod for security issues""" issues = [] spec = pod.get('spec', {}) # Check if running as root if not spec.get('securityContext', {}).get('runAsNonRoot'): issues.append("Pod may be running as root") # Check containers for container in spec.get('containers', []): sec_ctx = container.get('securityContext', {}) if sec_ctx.get('privileged'): issues.append(f"Container {container['name']} is privileged") if sec_ctx.get('allowPrivilegeEscalation', True): issues.append(f"Container {container['name']} allows privilege escalation") return issues def generate_report(self) -> str: """Generate comprehensive security report""" print("Running Kubernetes Security Assessment...") # Run checks cis_results = self.run_kube_bench() rbac_issues = self.check_rbac_permissions() pod_violations = self.check_pod_security_standards() report = f""" Kubernetes Security Assessment Report ===================================== CIS Benchmark Results: {json.dumps(cis_results, indent=2)} RBAC Issues Found: {len(rbac_issues)} {json.dumps(rbac_issues, indent=2)} Pod Security Violations: {len(pod_violations)} {json.dumps(pod_violations, indent=2)} Recommendations: - Review and remediate CIS benchmark failures - Implement least-privilege RBAC policies - Enable Pod Security Standards - Regular security scanning and monitoring """ return report if __name__ == "__main__": checker = K8sSecurityChecker() report = checker.generate_report() print(report) # Exit with error if critical issues found if "FAIL" in report or "privileged" in report: sys.exit(1)
Production Deployment Checklist
Pre-Deployment Security Validation
terminal
bash
#!/bin/bash # Pre-deployment security checklist echo "🔒 Running Kubernetes Security Pre-Deployment Checks..." # 1. Check for security contexts kubectl get pods --all-namespaces -o jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.spec.securityContext.runAsNonRoot}{"\n"}{end}' | grep -v "true" # 2. Validate network policies exist kubectl get networkpolicies --all-namespaces # 3. Check for resource limits kubectl get pods --all-namespaces -o jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.spec.containers[*].resources.limits}{"\n"}{end}' | grep -v "map" # 4. Verify image signatures for image in $(kubectl get pods --all-namespaces -o jsonpath='{.items[*].spec.containers[*].image}' | tr ' ' '\n' | sort -u); do echo "Checking signature for $image" cosign verify --key cosign.pub $image || echo "❌ No valid signature for $image" done # 5. Run security policy checks gatekeeper-policy-manager audit echo "✅ Security checks completed"
Monitoring and Incident Response
Security Metrics to Track
yaml
yaml
# Prometheus monitoring rules groups: - name: kubernetes-security rules: - alert: UnauthorizedAPIAccess expr: increase(apiserver_audit_total{verb="create",objectRef_resource="pods/exec"}[5m]) > 0 labels: severity: critical annotations: summary: "Unauthorized pod exec detected" - alert: PrivilegedPodCreated expr: increase(kube_pod_container_info{container_security_context_privileged="true"}[5m]) > 0 labels: severity: high annotations: summary: "Privileged pod created" - alert: FailedRBACCheck expr: increase(apiserver_audit_total{verb="create",objectRef_resource="rolebindings",response_code!~"2.."}[5m]) > 3 labels: severity: warning annotations: summary: "Multiple failed RBAC operations detected"
Wrapping Up
Kubernetes security isn't a one-time setup—it's an ongoing process. Start with these fundamentals:
- Harden the infrastructure before deploying workloads
- Implement defense in depth across all layers
- Automate security testing in your CI/CD pipeline
- Monitor continuously and respond quickly to threats
- Keep learning as the threat landscape evolves
Remember: security is a journey, not a destination. The key is building security into your processes from the beginning rather than bolting it on later.
Looking for more DevSecOps insights? Subscribe to my newsletter for weekly deep-dives into cloud security, automation, and real-world war stories from the trenches.