Kubernetes Security Best Practices

A comprehensive guide to securing Kubernetes clusters in production. Learn RBAC, network policies, pod security standards, secrets management, and CIS benchmark compliance.

Section 1

Role-Based Access Control (RBAC)

Implement least-privilege access with Kubernetes RBAC

  • Use namespaced Roles instead of ClusterRoles when possible
  • Avoid wildcards (*) in role permissions - be explicit about resources and verbs
  • Create separate service accounts for each application
  • Regularly audit ClusterRoleBindings for overly permissive access
  • Implement group-based access rather than individual user bindings
  • Use RoleBindings to limit scope of administrative access
Section 2

Network Policies

Secure pod-to-pod and external communication

  • Implement a default deny-all ingress and egress policy per namespace
  • Allow only required pod-to-pod communication with explicit policies
  • Use labels consistently to define network policy selectors
  • Restrict egress to specific external endpoints and ports
  • Monitor and alert on network policy violations
  • Test network policies in staging before production deployment
Section 3

Pod Security Standards

Enforce container security contexts and restrictions

  • Enable Pod Security Admission in enforce mode for all namespaces
  • Use the "restricted" PSS profile for production workloads
  • Set runAsNonRoot: true in security contexts
  • Enable readOnlyRootFilesystem when possible
  • Drop all capabilities and add only those needed
  • Disable privilege escalation with allowPrivilegeEscalation: false
  • Set seccompProfile to RuntimeDefault or Localhost
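
As an added example (not the guide's own code), a small Python checker that flags a pod manifest missing any of the settings listed above; the two sample manifests are constructed here, and the function names `check_pod` and `check_container` are chosen for this example.

```python
# Added example (not from the guide): check pod manifests against the
# securityContext requirements listed above. Pod specs are plain dicts,
# the shape yaml.safe_load gives for a manifest, so no cluster is needed.
SAFE_SECCOMP = {"RuntimeDefault", "Localhost"}

def check_container(container, pod_sc):
    """Return findings for one container; runAsNonRoot and seccompProfile
    may be inherited from the pod-level securityContext but a container
    value overrides it, as in Kubernetes."""
    sc = container.get("securityContext", {})
    name = container["name"]
    findings = []
    if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
        findings.append(f"{name}: runAsNonRoot is not true")
    if sc.get("readOnlyRootFilesystem") is not True:
        findings.append(f"{name}: readOnlyRootFilesystem is not true")
    # Kubernetes defaults this to true, so it must be set explicitly.
    if sc.get("allowPrivilegeEscalation") is not False:
        findings.append(f"{name}: allowPrivilegeEscalation is not false")
    if "ALL" not in sc.get("capabilities", {}).get("drop", []):
        findings.append(f"{name}: capabilities.drop does not include ALL")
    seccomp = sc.get("seccompProfile", pod_sc.get("seccompProfile")) or {}
    if seccomp.get("type") not in SAFE_SECCOMP:
        findings.append(f"{name}: seccompProfile.type is not RuntimeDefault/Localhost")
    return findings

def check_pod(pod):
    """Check every container and initContainer in a pod manifest."""
    spec = pod["spec"]
    pod_sc = spec.get("securityContext", {})
    findings = []
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        findings.extend(check_container(c, pod_sc))
    return findings

# Constructed sample manifests: a bare default pod and its hardened version.
WEAK_POD = {"spec": {"containers": [{"name": "app", "image": "app:1.0"}]}}
HARDENED_POD = {"spec": {
    "securityContext": {"runAsNonRoot": True,
                        "seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [{"name": "app", "image": "app:1.0", "securityContext": {
        "readOnlyRootFilesystem": True,
        "allowPrivilegeEscalation": False,
        "capabilities": {"drop": ["ALL"]}}}]}}

if __name__ == "__main__":
    for label, pod in (("weak", WEAK_POD), ("hardened", HARDENED_POD)):
        print(label, check_pod(pod) or "no findings")
```

Running the weak manifest through the checker reports all five missing settings, while the hardened one reports none; the same checker can be pointed at `yaml.safe_load` output for real manifests before they reach admission control.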
Section 4

Secrets Management

Securely store and manage sensitive data

  • Enable encryption at rest for Kubernetes secrets
  • Use external secrets managers (Vault, AWS Secrets Manager, etc.)
  • Implement secrets rotation policies
  • Avoid mounting secrets as environment variables when possible
  • Use RBAC to restrict secret access by namespace
  • Audit secret access in API server audit logs
  • Never commit secrets to version control
Section 5

Admission Controllers

Validate and mutate resources before deployment

  • Enable all recommended admission controllers
  • Use ValidatingWebhookConfiguration for custom policies
  • Implement image allowlisting with OPA/Gatekeeper
  • Enforce resource limits on all pods
  • Block privileged containers via admission control
  • Validate labels and annotations for governance
Section 6

Audit & Monitoring

Track and alert on security-relevant events

  • Enable Kubernetes audit logging at the Metadata or Request level
  • Forward audit logs to centralized SIEM
  • Alert on suspicious API calls (exec into pods, secret access)
  • Monitor for RBAC changes and new ClusterRoleBindings
  • Track container image changes in production namespaces
  • Implement runtime security monitoring with eBPF

Automate Kubernetes Security

TigerGate KSPM automatically scans your clusters for 83+ CIS Benchmark checks and provides remediation guidance.