Skip to main content
DevSecOps

Kubernetes Security Best Practices for Production Workloads

Mohakdeep Singh|April 20, 2025|10 min read
Kubernetes Security Best Practices for Production Workloads

Kubernetes Security Is Not Optional

Kubernetes adoption is accelerating across Indian enterprises, from fintech to e-commerce to healthcare. But too often, security is treated as an afterthought -- clusters are deployed with default configurations that leave critical workloads exposed.

A misconfigured Kubernetes cluster is not just a security risk. It is a compliance liability, especially under DPDPA requirements for reasonable security safeguards. This guide covers the security practices that should be in place before any production workload touches your cluster.

Pod Security Standards

Kubernetes Pod Security Standards define three profiles that control what pods are allowed to do.

Restricted Profile (Recommended for Production)

The most secure profile. Pods must: - Run as non-root user - Use read-only root filesystem - Drop all Linux capabilities - Disallow privilege escalation - Disallow host namespace sharing (hostPID, hostIPC, hostNetwork)

Baseline Profile (Minimum for Any Environment)

Prevents known privilege escalations while being less restrictive: - No privileged containers - No hostPath volumes - No host networking or ports - Restricted volume types

Implementation

Enable Pod Security admission at the namespace level: - Production namespaces: Enforce the Restricted profile - Development namespaces: Enforce the Baseline profile, warn on Restricted violations - System namespaces: Apply appropriate exceptions for cluster components

Network Policies

By default, Kubernetes allows all pods to communicate with all other pods. This is convenient for development but dangerous in production.

Default-Deny Ingress

Start by denying all ingress traffic to every namespace, then explicitly allow what is needed: - API pods receive traffic only from the ingress controller - Database pods receive traffic only from their application pods - Internal services communicate only with known peers

Namespace Isolation

Use network policies to isolate namespaces: - Production workloads cannot communicate with development namespaces - Each team's namespace is isolated from other teams - Shared services (DNS, monitoring) are accessible from all namespaces via explicit policies

Egress Control

Limit outbound traffic to prevent data exfiltration: - Allow DNS resolution (port 53) to the cluster DNS service - Allow HTTPS (port 443) to specific external services - Block all other egress by default

RBAC and Service Accounts

Least Privilege Roles

  • Create custom roles with minimum required permissions for each team and service
  • Never use cluster-admin for application workloads
  • Separate read-only roles (for dashboards and monitoring) from write roles (for deployments)
  • Audit RBAC bindings quarterly and remove stale entries

Service Account Best Practices

  • Create dedicated service accounts for each application (do not use the default)
  • Disable automatic token mounting (automountServiceAccountToken: false) on service accounts that do not need API access
  • Use short-lived tokens via the TokenRequest API instead of long-lived secrets
  • Bind service accounts to minimal roles

Human Access

  • Integrate Kubernetes authentication with your SSO provider (OIDC)
  • Enforce MFA for cluster access
  • Use just-in-time access for production cluster modifications
  • Audit all kubectl commands via API server audit logging

Image Security

Trusted Base Images

  • Use minimal base images (distroless, Alpine) to reduce attack surface
  • Pin image tags to specific digests, not mutable tags like latest
  • Maintain a curated list of approved base images
  • Rebuild images regularly to pick up security patches

Vulnerability Scanning

Scan images at every stage: - Build time: Scan in CI/CD pipeline using Trivy, Snyk, or Grype - Registry: Enable automatic scanning in your container registry (ECR, ACR, GCR) - Runtime: Deploy admission controllers that block images with critical vulnerabilities - Continuous: Re-scan running images weekly to catch newly disclosed CVEs

Image Signing

  • Sign images using Cosign (Sigstore project) or Notary
  • Deploy admission controllers (Kyverno, OPA Gatekeeper) that verify signatures before allowing deployment
  • Reject unsigned images in production namespaces

Runtime Security

Seccomp and AppArmor

  • Apply seccomp profiles to restrict system calls available to containers
  • Use the RuntimeDefault seccomp profile as a minimum
  • Build custom seccomp profiles for sensitive workloads based on their actual system call usage
  • Enable AppArmor profiles where supported

Read-Only Root Filesystem

  • Mount container root filesystems as read-only
  • Use emptyDir volumes for temporary files
  • This prevents attackers from modifying container binaries or installing tools

Runtime Threat Detection

Deploy runtime security monitoring: - Falco: Detects anomalous system calls, file access, and network connections in real-time - Alert on: shell execution in containers, unexpected outbound connections, file modifications in sensitive directories - Integrate alerts with your SIEM or incident response workflow

Secrets Management

Never Store Secrets in Images or Environment Variables

  • Use Kubernetes Secrets with encryption at rest enabled
  • Better: Use external secret stores (HashiCorp Vault, AWS Secrets Manager, Azure Key Vault)
  • Deploy the External Secrets Operator to sync external secrets into Kubernetes

Secret Rotation

  • Implement automated secret rotation
  • Use short-lived credentials where possible (IAM roles for service accounts, temporary database credentials)
  • Audit secret access patterns and alert on unusual retrieval

Security Monitoring and Audit

API Server Audit Logging

Enable audit logging to capture: - Who accessed what resources and when - All changes to RBAC bindings and cluster configurations - Failed authentication attempts - Resource creation and deletion events

Cluster Hardening Validation

Regularly validate your cluster security posture: - Run CIS Kubernetes Benchmark checks using kube-bench - Use Polaris or Datree for workload configuration validation - Automate these checks in CI/CD and as periodic cluster scans

Getting Started

Security is not a one-time project. Start with these high-impact items:

  1. Day 1: Enable Pod Security Standards (Restricted for prod, Baseline for dev)
  2. Week 1: Implement default-deny network policies in production namespaces
  3. Week 2: Audit and tighten RBAC bindings, disable default service account tokens
  4. Week 3: Add image vulnerability scanning to your CI/CD pipeline
  5. Week 4: Deploy Falco for runtime threat detection

Supply Chain Security for Kubernetes Workloads

Kubernetes security does not stop at the cluster boundary. The software supply chain -- from source code to container registry to production pod -- is increasingly targeted by sophisticated attackers. Enterprises in regulated industries across the USA, Europe, and the Middle East must treat supply chain integrity as a first-class security concern.

Signing and Verification at Every Stage

Implement a chain of trust that covers the entire delivery pipeline:

  • Source code: Require signed commits using GPG or SSH keys for all contributors
  • Build artifacts: Sign container images immediately after build using Cosign from the Sigstore project
  • Deployment manifests: Store Kubernetes manifests in Git with branch protection rules and mandatory code review
  • Admission enforcement: Use Kyverno or OPA Gatekeeper policies to reject any image that lacks a valid signature in production namespaces

This chain ensures that what runs in production is exactly what your team built and reviewed -- nothing more, nothing less.

Software Bill of Materials (SBOM)

Generating and storing SBOMs for every container image is becoming a compliance requirement, not just a best practice. An SBOM documents every package and dependency inside your image, which enables:

  • Rapid response when new CVEs are disclosed (you can immediately identify which running workloads are affected)
  • Compliance with emerging regulations such as the EU Cyber Resilience Act and US Executive Order 14028
  • Audit trails that satisfy DPDPA data protection requirements for demonstrating reasonable security safeguards

Integrate SBOM generation into your CI/CD pipeline using Trivy, which can produce CycloneDX and SPDX format SBOMs alongside vulnerability reports.

Multi-Cluster Security Governance

As enterprises scale, they often operate multiple Kubernetes clusters -- development, staging, production, and sometimes regional clusters for data residency. Security policies must be consistent across all of them.

Policy-as-Code Across Clusters

Define security policies in a central Git repository and deploy them to all clusters using GitOps:

  • Write Kyverno or OPA Gatekeeper policies that encode your organization's security requirements
  • Store policies in a dedicated Git repository with version control and review workflows
  • Use ArgoCD or Flux to synchronize policies across every cluster automatically
  • Monitor policy violations centrally using dashboards that aggregate reports from all clusters

Cluster Segmentation for Compliance

For enterprises operating across multiple regions -- India, Europe, and the Middle East -- cluster segmentation becomes critical for regulatory compliance:

  • Data residency: Run separate clusters in each region to ensure personal data stays within jurisdictional boundaries
  • Blast radius containment: Isolate production clusters from development and staging to limit the impact of a compromise
  • Workload classification: Assign sensitivity labels to namespaces and enforce that high-sensitivity workloads only run on hardened, audited clusters

Incident Response for Kubernetes

Having security controls is necessary, but not sufficient. You also need a tested plan for when those controls are breached.

Container Forensics Readiness

Prepare your cluster for incident investigation before an incident occurs:

  1. Enable API server audit logging with a retention period of at least 90 days
  2. Ship container logs to a centralized, immutable log store (not just local stdout)
  3. Configure Falco to capture detailed event data for suspicious activity
  4. Maintain the ability to snapshot running container filesystems for forensic analysis

Response Playbooks

Document and rehearse response procedures for common Kubernetes security incidents:

  • Compromised container: Isolate the pod using network policies, capture forensic data, then terminate and redeploy from a clean image
  • Leaked credentials: Rotate all affected secrets immediately, audit access logs for unauthorized usage, review the zero trust architecture to identify the gap
  • Malicious admission: If an unauthorized image reaches production, identify how it bypassed admission controls, block the image hash, and scan all running pods for similar indicators

Regular Security Drills

Run quarterly tabletop exercises and annual red team assessments against your Kubernetes infrastructure. The goal is not to prove your defenses are perfect -- it is to find gaps before attackers do. Track remediation of findings as rigorously as you track feature delivery.

At Optivulnix, we help organizations build security-first DevSecOps practices for Kubernetes environments. From cluster hardening to runtime monitoring, our team ensures your production workloads are protected without slowing down development. Contact us for a free Kubernetes security assessment.

About the Author

Mohakdeep Singh

Mohakdeep Singh

Principal Consultant

Specializes in AI/ML Engineering, Cloud-Native Architecture, and Intelligent Automation. Designs and builds production-grade AI systems including retrieval-augmented generation (RAG) pipelines, conversational agents, and document intelligence platforms that transform how enterprises access and act on information.

Meet Our Team ->
← Back to Blog

Stay Updated

Get the latest cloud optimization insights delivered to your inbox.

Related Articles

Multi-Region Deployment Strategies for Low-Latency Indian Applications
Cloud Strategy

Multi-Region Deployment Strategies for Low-Latency Indian Applications

Ultimate Cloud FinOps Savings Guide for 2026
FinOps

Ultimate Cloud FinOps Savings Guide for 2026

Ready to Transform Your Cloud Infrastructure?

Let our team show you where your cloud spend is going -- and how to fix it. AI-powered optimization across AWS, Azure, GCP, and OCI.

Schedule Your Free Consultation