8 Best Practices to Improve Kubernetes Security

Tony Loehr
Developer Advocate

Kubernetes is a powerful tool allowing for orchestration of containerized services, applications, and workloads.
While Kubernetes has become widely deployed in the last several years, security has lagged behind and best practices are only beginning to coalesce now.

According to a 2021 Red Hat survey, 55% of respondents have had to delay deploying a Kubernetes application into production due to security concerns; nearly a third of such security concerns even occurred during runtime.

Even more notable is that 94% of respondents experienced one or more security incidents within their Kubernetes environments–nearly every respondent to the survey had recently experienced a Kubernetes security incident.

This is clear evidence that more guidance is needed to help prevent such security vulnerabilities. While not intended to be comprehensive, we present 8 tips and tricks to level up the security of your Kubernetes cluster. 

1. Use Version Control For Configuration Files Related To Deployment And Services

Using version control allows for the implementation of change approval processes as a means of improving the cluster’s stability and security.
This also provides a convenient log of who made changes, catalyzing communication by making it easier to reach out to editors and determine why changes were made. Even in blameless cultures, there are benefits to encouraging these conversations including the catalyzing of knowledge transfer.

Nearly 59% of respondents to a Redhat survey stated that they had detected a misconfiguration on their Kubernetes environments within the last 12 months. Utilizing pre-commit hooks to check for misconfiguration allows for best practices for infrastructure as code to be enforced, preventing misconfigurations or other vulnerability-inducing components such as hard coded secrets from being checked into a repository; these protections are provided by branch protection rules. This helps adhere to the overreaching best practice of shifting security testing left by making security checks a part of a developer’s workflow within PRs.

2. Consider Isolating Kubernetes Code From Feature Code In Dedicated Repositories

n organizations where DevOps and Development are distinct roles, unique repositories for each Kubernetes and feature code can be a key measure to help separate duties for security and compliance purposes.
However, the best placement for Kubernetes declaration files and dockerfiles depends on the specific needs of the organization.

This discussion is further parsed in a final note below. Helm is a popular package manager for Kubernetes that describes resources in a template referred to as charts. Such package managers make it significantly easier to template and version a complex K8 application, thus working well with source control management systems.