Skip to main content

Kubernetes Security

November 10, 2024

Hardening container orchestration RBAC, pod security, admission control, and runtime threat detection on Kubernetes.


Research scope

Kubernetes introduces a new attack surface: the control plane, etcd, API server, and workload configuration. This track documents defense-in-depth for clusters running production workloads.

Areas covered

  • API server hardening and RBAC least privilege
  • Pod Security Standards / restricted profiles
  • Admission policies (Kyverno, Gatekeeper)
  • Runtime detection with Falco or cloud-native agents
  • Secrets encryption and etcd backup security