Kubernetes Security Hardening: Complete CIS Benchmark & Runtime Guide 2025

Secure K8s clusters end-to-end from API server hardening to workload runtime protection

Advanced · 20 minutes

Kubernetes misconfigurations are a leading cause of cloud-native breaches. This guide covers CIS Kubernetes Benchmark hardening, RBAC least-privilege, Pod Security Standards, network policies, HashiCorp Vault secrets management, container image signing, and runtime security with Falco for continuous K8s threat detection.

Kubernetes Security Hardening: Complete Guide 2025

Attack Vectors in Default K8s

Common weaknesses in a default cluster: over-privileged service accounts, an API server reachable from untrusted networks, privileged containers, secrets stored as plaintext in ConfigMaps, and missing network policies that let an attacker move laterally between pods. The CIS Kubernetes Benchmark addresses 200+ controls covering these areas.

API Server Hardening

Disable the insecure (unauthenticated, plaintext HTTP) port with --insecure-port=0 on clusters that still have it; the flag and the port were removed in Kubernetes 1.24. Enable comprehensive audit logging for all API calls. Use RBAC authorization: --authorization-mode=RBAC. Enable the NodeRestriction, PodSecurity and ValidatingAdmissionWebhook admission controllers. Disable anonymous authentication: --anonymous-auth=false.

etcd Security

Encrypt Secrets (and any other resources you list) at rest in etcd by pointing the API server at an EncryptionConfiguration with --encryption-provider-config. Enforce TLS for all etcd communication. Restrict etcd access to the API server only via firewall rules. Take regular encrypted backups.

RBAC Least Privilege

Create namespaced Roles (not ClusterRoles) whenever possible. Avoid wildcard verbs or resources. Audit permissions regularly with kubectl auth can-i --list.

Example: a pod's service account should have a Role that allows only the get, list and watch verbs, and only on pods and configmaps, within its own namespace. Bind it with a RoleBinding scoped to that namespace.
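As an added example (not code from the original guide), a small Python check for the RBAC anti-patterns this section lists: wildcard verbs, resources or API groups, cluster-scoped roles where a namespaced Role would do, and bindings that grant cluster-admin. It goes slightly beyond the text by also flagging bindings to a namespace's default ServiceAccount, which every pod without an explicit serviceAccountName uses. The manifests are constructed sample input: the good pair mirrors the Role described above with hypothetical names ("app-reader", "app-sa", namespace "shop"); the bad pair is the over-privileged case.

```python
# Constructed sample: the namespaced Role the guide describes (get/list/watch on
# pods and configmaps only) and the RoleBinding scoping it to a hypothetical
# ServiceAccount "app-sa" in namespace "shop".
GOOD_ROLE = {
    "apiVersion": "rbac.authorization.k8s.io/v1", "kind": "Role",
    "metadata": {"name": "app-reader", "namespace": "shop"},
    "rules": [{"apiGroups": [""], "resources": ["pods", "configmaps"],
               "verbs": ["get", "list", "watch"]}],
}
GOOD_BINDING = {
    "apiVersion": "rbac.authorization.k8s.io/v1", "kind": "RoleBinding",
    "metadata": {"name": "app-reader", "namespace": "shop"},
    "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "Role", "name": "app-reader"},
    "subjects": [{"kind": "ServiceAccount", "name": "app-sa", "namespace": "shop"}],
}
# Constructed sample of what the guide warns against: wildcards, cluster scope,
# and cluster-admin bound to a namespace's default ServiceAccount.
BAD_ROLE = {
    "apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRole",
    "metadata": {"name": "do-everything"},
    "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}],
}
BAD_BINDING = {
    "apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRoleBinding",
    "metadata": {"name": "oops"},
    "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "cluster-admin"},
    "subjects": [{"kind": "ServiceAccount", "name": "default", "namespace": "default"}],
}


def lint_rbac(obj):
    """Return least-privilege findings for one RBAC object (empty list = clean)."""
    kind, name = obj.get("kind"), obj["metadata"]["name"]
    findings = []
    if kind in ("Role", "ClusterRole"):
        if kind == "ClusterRole":
            findings.append(f"{kind}/{name}: cluster-scoped; prefer a namespaced Role")
        for i, rule in enumerate(obj.get("rules", [])):
            # A "*" in any of these fields grants far more than a workload needs.
            for field in ("apiGroups", "resources", "verbs"):
                if "*" in rule.get(field, []):
                    findings.append(f"{kind}/{name} rule[{i}]: wildcard in {field}")
    elif kind in ("RoleBinding", "ClusterRoleBinding"):
        if obj["roleRef"].get("name") == "cluster-admin":
            findings.append(f"{kind}/{name}: grants cluster-admin")
        for s in obj.get("subjects", []):
            if s.get("kind") == "ServiceAccount" and s.get("name") == "default":
                findings.append(f"{kind}/{name}: binds a default ServiceAccount, which "
                                "every pod without an explicit serviceAccountName uses")
    return findings
```

Run lint_rbac over each object produced by kubectl get roles,clusterroles,rolebindings,clusterrolebindings -A -o json to audit a live cluster; an empty list means the object passes these checks.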

Pod Security Standards

Replace PodSecurityPolicy (deprecated and removed in v1.25) with Pod Security Admission. Label namespaces with pod-security.kubernetes.io/enforce: restricted. Under the restricted profile pods must run as a non-root user/group, drop ALL capabilities, disallow privilege escalation, and use the RuntimeDefault seccomp profile; in addition, require a read-only root filesystem.

Secrets Management

Never use ConfigMaps for sensitive data. Enable encryption at rest for Secrets in etcd. Integrate HashiCorp Vault via the Vault Agent Injector: annotate pods with vault.hashicorp.com/agent-inject: "true" and vault.hashicorp.com/role naming the Vault role; the agent renders secrets as files under /vault/secrets/. Use Sealed Secrets for GitOps-safe storage of encrypted secrets in version control.

Network Policies

Apply a default deny-all policy in each namespace that blocks all ingress and egress (a deny-all egress policy also blocks DNS, so pair it with an allow rule for DNS to kube-system). Then add specific allow policies: frontend to backend on port 8080, backend to database on port 5432, the monitoring namespace to scrape the metrics port. Use Cilium for L7 policies at the HTTP method and path level.

Container Image Security

Scan images in CI with Trivy and fail the build on CRITICAL findings. Sign images with cosign and enforce signature verification at admission with Kyverno. Use minimal base images (distroless or Alpine). Set runAsUser: 1000 and runAsNonRoot: true in the pod's securityContext.

Runtime Security with Falco

Falco detects events such as a shell spawned in a container, reads of sensitive files (/etc/passwd, /etc/shadow), privileged container execution, unexpected network connections, and writes to binary directories. Custom rules can cover kubectl exec into production pods, unexpected process execution patterns, and data exfiltration behaviour.

Incident Response

When a compromise is detected: isolate the pod with a deny-all NetworkPolicy, preserve its logs and kubectl describe output as evidence, delete the compromised pod (its replacement starts from a clean image), rotate every secret the pod could access, and investigate the root cause via Falco audit logs.

K8s security requires continuous monitoring, regular benchmark scans, and tracking upstream security advisories.

Related tools

Falco, Trivy, HashiCorp Vault, Kyverno, Cilium, cosign