Kubernetes Security Checklist 2026

About This Checklist

This is a practitioner’s checklist — not a compliance document. It covers the security controls that actually prevent breaches in production Kubernetes clusters, ordered by impact.

Use it as a gap analysis tool: go through each section, mark what you’ve implemented, and prioritize what you haven’t.

Cluster Configuration

API Server

• API server not publicly accessible — Use private endpoint or restrict to known IPs. The Kubernetes API is the highest-value target.
• Audit logging enabled — Log all API requests (at minimum: metadata level for reads, request level for writes).
• Anonymous auth disabled — --anonymous-auth=false unless you specifically need unauthenticated health checks.
• RBAC enabled — Default in modern clusters, but verify. --authorization-mode=RBAC.
• Admission controllers active — At minimum: NodeRestriction, PodSecurity. Consider AlwaysPullImages for production.

etcd

• Encrypted at rest — etcd stores all cluster state including secrets. Enable encryption at rest with a KMS provider.
• Not accessible from worker nodes — etcd should only accept connections from API servers.
• mTLS between etcd peers — All etcd communication uses mutual TLS.

Kubelet

• Anonymous auth disabled — --anonymous-auth=false on all kubelets.
• Webhook authorization — --authorization-mode=Webhook so API server authorizes kubelet requests.
• Read-only port disabled — --read-only-port=0. The read-only port (10255) exposes pod info without auth.

RBAC and Identity

Principles

• No cluster-admin bindings for service accounts — If a pod is compromised, cluster-admin means game over.
• Namespace-scoped roles by default — Use Role and RoleBinding, not ClusterRole and ClusterRoleBinding, unless cross-namespace access is truly needed.
• No wildcard permissions — resources: ["*"] and verbs: ["*"] are effectively admin. Be specific.
• Service account tokens not auto-mounted — Set automountServiceAccountToken: false on pods that don’t need API access (most don’t).

Audit

• Inventory all ClusterRoleBindings — kubectl get clusterrolebindings -o wide. Review who/what has cluster-level permissions.
• Inventory service accounts with secrets access — Pods that can read secrets in any namespace are high-risk.
• Remove default service account permissions — The default service account in each namespace shouldn’t have any role bindings.

Pod Security

Pod Security Standards

• Enforce Restricted profile — For production namespaces, enforce the restricted Pod Security Standard. This prevents privileged containers, host namespaces, and dangerous capabilities.
• Baseline for system workloads — Use baseline profile for namespaces running infrastructure (monitoring, logging) that needs some elevated access.
• Warn mode for migration — Use warn enforcement initially to discover violations without breaking workloads.

apiVersion: v1
kind: Namespace
metadata:
  name: production
  labels:
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/warn: restricted

Container Security Context

• Run as non-root — runAsNonRoot: true and specify a numeric runAsUser.
• Read-only root filesystem — readOnlyRootFilesystem: true. Write to mounted volumes only.
• Drop all capabilities — capabilities: { drop: ["ALL"] }. Add back only what’s specifically needed.
• No privilege escalation — allowPrivilegeEscalation: false.
• Seccomp profile — Apply RuntimeDefault seccomp profile to restrict syscalls.

securityContext:
  runAsNonRoot: true
  runAsUser: 1000
  readOnlyRootFilesystem: true
  allowPrivilegeEscalation: false
  capabilities:
    drop: ["ALL"]
  seccompProfile:
    type: RuntimeDefault

Network Policies

• Default deny all ingress — Start with deny-all, then explicitly allow needed communication.
• Default deny all egress — Prevents compromised pods from reaching the internet or other internal services.
• Allow only necessary pod-to-pod communication — Frontend → backend → database. Not frontend → database.
• DNS egress allowed — Pods need to reach kube-dns (port 53). Don’t accidentally block DNS.
• Restrict egress to specific external endpoints — If a pod needs to reach an external API, allow that specific IP/CIDR only.

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: production
spec:
  podSelector: {}
  policyTypes:
    - Ingress
    - Egress

Secrets Management

• External secrets manager — Use AWS Secrets Manager, GCP Secret Manager, HashiCorp Vault, or similar. Don’t rely solely on Kubernetes secrets (base64 is not encryption).
• etcd encryption — If using native K8s secrets, encryption at rest is mandatory. Verify with kubectl get --raw /apis/encryption.
• No secrets in environment variables — Mount as files instead. Environment variables appear in process listings and crash dumps.
• No secrets in container images — Secrets baked into images persist in registry history forever.
• RBAC restricts secret access — Only pods that need a secret should have RBAC to read it. Audit with: kubectl auth can-i get secrets --as=system:serviceaccount:namespace:sa-name.

Supply Chain Security

Image Security

• Private registry — Pull production images from your own registry, not public Docker Hub.
• Image scanning — Scan images for known CVEs before deployment. Block critical/high severity.
• Image signing — Sign images and verify signatures at admission (Cosign + policy engine).
• No latest tag — Pin to specific image digests or version tags. latest is mutable and unpredictable.
• Minimal base images — Use distroless or Alpine. Fewer packages = fewer vulnerabilities = smaller attack surface.

Admission Control

• Image allowlist — Only permit images from approved registries (policy engine or ValidatingWebhook).
• Vulnerability threshold — Block deployment of images with critical CVEs.
• Resource limits required — Prevent resource exhaustion (CPU/memory bombs).

Monitoring and Runtime Security

• Container runtime monitoring — Detect unexpected processes, file access, network connections at runtime (Falco, Tetragon, or cloud-native equivalent).
• API audit logs shipped to SIEM — Kubernetes audit logs are your primary detection source for cluster attacks.
• Alert on privilege escalation attempts — New ClusterRoleBindings, exec into pods, secret access from unexpected service accounts.
• Alert on anomalous network traffic — Pods communicating with unexpected destinations.
• Node integrity monitoring — Detect unauthorized changes to node configurations.

Ingress and Service Exposure

• TLS termination at ingress — All external traffic encrypted. No plaintext HTTP in production.
• No NodePort services in production — Use LoadBalancer or Ingress. NodePort exposes on every node’s IP.
• WAF in front of ingress — Web Application Firewall for internet-facing services.
• Rate limiting — At ingress controller level, not just application level.
• No services with type: LoadBalancer unless intentional — Each one gets a public IP. Review all LoadBalancer services: kubectl get svc -A --field-selector spec.type=LoadBalancer.

Multi-Tenancy

If running multiple teams/applications on one cluster:

• Namespace isolation — Each team/application in its own namespace.
• Network policies between namespaces — Default deny cross-namespace traffic.
• Resource quotas per namespace — Prevent one team from exhausting cluster resources.
• Separate service accounts per workload — Not one SA per namespace shared across deployments.

Automated Scanning with Kloudle

Manually checking these items across multiple clusters doesn’t scale. Kloudle runs 140+ Kubernetes-specific checks covering:

• RBAC analysis (overprivileged roles, cluster-admin bindings)
• Pod security context validation
• Network policy coverage
• Secret management practices
• Container security configurations
• Ingress and service exposure

Scans run on schedule and surface findings with specific remediation steps.

Scan Your Kubernetes Clusters → | Learn About Sovereign CSPM →