Kubernetes Security

Kubernetes is now the de facto orchestrator for cloud-native workloads, which makes its security model business-critical. Key controls include hardening the API server (RBAC least privilege, audit logs, no anonymous access), securing kubelet and etcd, enforcing pod security standards (no privileged containers, dropped capabilities, non-root users), network policies for east-west isolation, secret management via external KMS, and admission policies via Kyverno or OPA. Threats include exposed Kubernetes dashboards, vulnerable container images, supply-chain attacks on Helm charts, container escapes, and credential-stealing crypto-miners. Frameworks such as the CIS Kubernetes Benchmark and NSA/CISA hardening guide provide concrete baselines.