Skip to content

k8s cluster security best practices

1. Secure API Access

  • Use RBAC (Role-Based Access Control): Restrict permissions based on the principle of least privilege.
  • Disable Anonymous Access: Ensure all API requests are authenticated.
  • Enable Audit Logging: Monitor and log API activity to detect anomalies.
  • Use Network Policies: Restrict API access to trusted sources.

2. Secure Authentication & Authorization

  • Use Strong Authentication: Rely on an identity provider (OIDC, Active Directory, etc.).
  • Enable Multi-Factor Authentication (MFA): Strengthens access security.
  • Limit Service Account Permissions: Avoid giving service accounts excessive privileges.

3. Secure Cluster Networking

  • Use Network Policies: Restrict pod-to-pod communication based on necessity.
  • Enable Encryption in Transit: Use TLS for securing API server, ETCD, and service communications.
  • Restrict External Access: Expose only necessary services using Ingress controllers.

4. Protect ETCD Database

  • Enable Encryption at Rest: Encrypt sensitive data stored in ETCD.
  • Restrict Access to ETCD: Allow access only to the API server and use strong authentication.
  • Regular Backups: Ensure ETCD is backed up regularly and stored securely.

5. Secure Workloads & Pods

  • Use Pod Security Standards (PSS) or Pod Security Admission (PSA): Restrict privileges for pods.
  • Enable Seccomp and AppArmor: Use security profiles to limit system calls.
  • Avoid Running as Root: Use runAsUser and runAsNonRoot to enforce non-root execution.
  • Restrict Privileged Containers: Prevent containers from running with excessive privileges.

6. Secure Supply Chain & Image Security

  • Use Trusted Container Images: Always pull images from verified sources.
  • Sign and Verify Images: Use tools like Cosign or Docker Content Trust.
  • Scan Images for Vulnerabilities: Utilize tools like Trivy, Clair, or Anchore.
  • Restrict Image Registries: Allow deployments only from trusted registries.

7. Limit Resource Access

  • Enforce Resource Quotas & Limits: Prevent resource exhaustion by setting CPU/memory limits.
  • Use Admission Controllers: Enforce security policies before workloads are created.
  • Disable Default Service Account Auto-Mounting: Prevent unnecessary service account access.

8. Secure Logging & Monitoring

  • Use Security Information and Event Management (SIEM) Tools: Aggregate logs for real-time analysis.
  • Enable Kubernetes Audit Logs: Detect unauthorized API actions.
  • Monitor Containers and Nodes: Use Prometheus, Falco, or Sysdig for runtime security.

9. Protect Against Network Attacks

  • Enable CNI Plugins with Security Features: Calico, Cilium, or Antrea provide additional security.
  • Enforce Egress and Ingress Rules: Restrict network traffic using NetworkPolicies.
  • Use Service Mesh for Encryption: Istio or Linkerd provide mutual TLS for service-to-service communication.

10. Keep Kubernetes and Dependencies Updated

  • Regularly Patch and Upgrade Kubernetes: Stay up to date with the latest security patches.
  • Upgrade Third-Party Plugins & Dependencies: Keep Helm charts and other dependencies current.