Kubernetes Security Checklist: 15 Critical Controls by NCRYPTO

Kubernetes adoption is growing—but so are attacks targeting containerized environments. 65% of K8s deployments have critical security gaps (Red Hat, 2023). NCRYPTO’s security team has compiled this actionable checklist based on real-world breaches we’ve investigated.

Cluster Configuration Hardening

1. Authentication & Authorization

• Disable anonymous authentication

  kubectl get apiserver -o json | grep anonymous-auth  # Must return 'false'
  

• Enable RBAC with least privilege

  kubectl get clusterroles | grep -i admin  # Audit overly permissive roles
  

• Enforce namespace segregation (e.g., dev vs. prod)

2. Network Security

• Apply NetworkPolicies to restrict pod-to-pod traffic

  # Example: Deny all ingress by default
  apiVersion: networking.k8s.io/v1
  kind: NetworkPolicy
  metadata:
    name: default-deny
  spec:
    podSelector: {}
    policyTypes:
    - Ingress
  

• Encrypt etcd with TLS

• Disable dashboard public access if unused

3. Workload Protections

• Block privileged containers

  # In PodSecurityPolicy or OPA/Gatekeeper
  privileged: false
  

• Set resource limits to prevent DoS

  resources:
    limits:
      cpu: "1"
      memory: 512Mi
  

• Scan images for CVEs before deployment (Trivy/Clair)

Runtime Security

4. Monitoring & Detection

• Enable audit logging

  kubectl get auditpolicy  # Ensure covers 'metadata', 'requestResponse'
  

• Deploy runtime protection (Falco/Sysdig) to detect:

  • Shells in containers (kubectl exec abuse)
  • Cryptominer patterns
  • Writable hostPath mounts

5. Secrets Management

• Never store secrets in manifests

  grep -r "password|token" ./k8s/  # Find accidental exposures
  

• Use external secrets managers (Vault/Secrets Manager)

• Rotate service account tokens quarterly

Compliance & Governance

6. CIS Benchmark Enforcement

• Check kubelet arguments:

  ps -ef | grep kubelet | grep -E 'anonymous-auth|read-only-port'
  # Must include --anonymous-auth=false --read-only-port=0
  

• Enable PodSecurityPolicy/PSA (or OPA/Gatekeeper)

7. Backup & Recovery

• Test etcd backups monthly
• Validate disaster recovery with chaos engineering (e.g., kill random nodes)

Advanced Protections

8. Service Mesh Security (Istio/Linkerd)

• Enforce mTLS between services
• Apply service-level authorization

9. Supply Chain Security

• Sign container images (Cosign/Sigstore)
• Scan Helm charts for malicious templates

NCRYPTO’s Kubernetes Security Services

Beyond checklists, we offer:

✅ Automated K8s Hardening – Enforce controls via GitOps
✅ 24/7 Runtime Protection – Detect zero-day container escapes
✅ Compliance Reporting – Pre-built for PCI-DSS, HIPAA, SOC 2

📅 Free Cluster Assessment: Get a personalized risk report in 48 hours.