Kubernetes clusters remain one of the most commonly misconfigured infrastructure components in enterprise environments. Despite years of security tooling maturation and increasing awareness of container security, audit findings consistently show the same categories of misconfigurations appearing repeatedly: excessive RBAC permissions, missing network policies, unscanned images running in production, and secrets stored as plaintext in environment variables. Kubernetes 1.33 introduces improvements to default security posture, but configuration choices made by operators continue to determine actual security outcomes.
RBAC: The Persistent Misconfiguration Problem
Role-Based Access Control is Kubernetes’ primary authorization mechanism, and it is consistently implemented too permissively. The most dangerous pattern is the use of ClusterAdmin or cluster-wide wildcard permissions for service accounts that should have narrow, namespace-scoped access. A compromised pod running with ClusterAdmin permissions can enumerate the entire cluster, read all secrets, and create privileged pods with host network access.
Effective RBAC hardening starts with an audit of existing permissions using tools like kubectl-who-can or Fairwinds Insights to identify over-privileged principals. For each service account, enumerate the actual API calls your application makes and create a Role or ClusterRole that grants exactly those permissions — nothing more. Enforce this discipline for new deployments through admission webhooks that reject service accounts with wildcard permissions.
Pod Security: Beyond Pod Security Policies
Pod Security Admission (PSA), which replaced the deprecated Pod Security Policies in Kubernetes 1.25, enforces three security profiles: privileged (no restrictions), baseline (preventing known privilege escalations), and restricted (following current hardening best practices). In Kubernetes 1.33, the default enforcement mode has been updated to apply the baseline profile to all namespaces unless explicitly overridden.
For production workloads, target the restricted profile wherever possible. This means running containers as non-root users, dropping all capabilities, using read-only root filesystems, and requiring seccomp profiles. Many containerized applications require minimal changes to comply with the restricted profile — the blockers are usually undocumented assumptions about filesystem write access or network binding capabilities that surface during testing.
Network Policies
By default, Kubernetes allows unrestricted communication between all pods in a cluster. Network Policies implement microsegmentation — allowing you to specify which pods can communicate with which other pods, on which ports, using which protocols. Without Network Policies, a compromised pod can reach any other service in the cluster, including control plane components and secrets stores.
Implementing a default-deny NetworkPolicy that blocks all ingress and egress traffic, then explicitly allowing only the necessary connections, is the most effective approach. This requires careful mapping of your application’s actual network dependencies — a discovery process that often reveals unexpected connections that should not exist. The discovery cost is worthwhile: organizations that implement default-deny network policies report dramatically reduced blast radius when container compromises occur.
Secrets Management
Kubernetes Secrets stored in etcd are base64-encoded by default — not encrypted. Any principal with etcd access or the ability to read Secrets in the target namespace can obtain secret values. Enabling encryption at rest for etcd using an external KMS (AWS KMS, Google Cloud KMS, or HashiCorp Vault) provides genuine protection for stored secrets.
For runtime secrets injection, avoid environment variables — they are visible to any process running in the container, appear in crash dumps, and are frequently included in debug logs. Mount secrets as volumes with restrictive permissions, or use a sidecar-based secrets injection pattern where secrets never appear in the pod spec at all. External Secrets Operator and Vault Agent Injector are the mature options in this space.
Supply Chain Security
The container image supply chain is a critical attack surface that many organizations secure inadequately. Images should be scanned for known vulnerabilities before admission to production environments — this is baseline hygiene. Image signing and verification using Sigstore/Cosign ensures that only signed images from trusted registries can run in your cluster. Policy engines like Kyverno or OPA Gatekeeper enforce these requirements at admission time.
Base image pinning — using SHA256 digests rather than mutable tags like “latest” — prevents supply chain attacks that compromise images after your initial security review. Pin your base images and implement a regular update cadence for rotating to patched versions, rather than relying on mutable tags that provide no integrity guarantee.
Monitoring and Runtime Detection
Falco remains the standard for runtime security monitoring in Kubernetes environments. Its rule library covers the most common attack patterns — unexpected outbound connections, privilege escalation attempts, sensitive file access, and process execution anomalies. Integrating Falco alerts into your security operations center creates a detection layer that complements the preventive controls described above.
Security hardening is not a one-time project. Cluster configurations drift as applications evolve and teams make expedient choices under time pressure. Regular automated compliance scanning against a defined baseline — using tools like kube-bench for CIS benchmark compliance — catches configuration drift before it becomes a security incident. Service mesh misconfiguration represents a critical but often overlooked attack vector in Kubernetes environments; our analysis of service mesh lateral movement documents how attackers exploit this surface. Earlier Kubernetes vulnerability research covers the ingress layer specifically — see our breakdown of critical Ingress-Nginx vulnerabilities and CVE-2026-24512.
Cybersecurity Editor and former NSA contractor with TS/SCI clearance. Covers nation-state threat actors, critical infrastructure protection, and U.S. cyber policy for NovVista's Washington bureau.
More by Derek Schmidt →
Absolutely necessary! My team’s just starting with Kubernetes and this guide couldn’t have come at a better time. Our tech stack is leaning more into cloud services lately.
Impressed with the depth of coverage. I especially liked the section on network policies. Our company is a bit small, but this is great for scaling up.
4|I’m a junior engineer, and this guide has cleared up a lot of confusion for me. I was particularly unsure about RBAC permissions. Thanks!
6|The practical examples with real-world scenarios were a game-changer. I’ve been using Kubernetes for a year and still had gaps in my understanding.
I’m skeptical about hardening in version 1.33, but this article made a compelling case. We’re in the financial sector, and security is our number one priority.
9|Just read through and found it very comprehensive. I manage our Kubernetes clusters, and it’ll help us in the next review. I work at a mid-size IT company.
11|Great to see a focus on production clusters. I was working on hardening a cluster for a large-scale e-commerce project and these tips are very relevant.
13|This article has motivated me to revisit our Kubernetes setup. My current company is still using 1.20, and this upgrade seems like the next logical step.
15|One question – do you think the recommendations vary significantly between GKE and EKS? I’m planning a migration for my team.
17|I disagree with the emphasis on hardening. Shouldn’t we prioritize ease of use and deployment first? Especially in a startup, time is of the essence.
19|As a student, this guide is invaluable. I’m currently working on a project involving Kubernetes, and these insights are helping me shape my approach.
21|I appreciate the balance between technical and operational aspects. It’s not just about the code, but also about monitoring and incident response.
23|Our company has a mix of on-premises and cloud environments. This guide’s approach to hybrid clustering is something we need to consider.
25|Fantastic job! I found the section on using audit logs to be particularly insightful. We’re dealing with compliance requirements, and this could be a lifesaver.
27|I love the practical approach to hardening. It’s clear that a lot of real-world experience has gone into this. Our team is small, but we’ll implement these changes for sure.
I have a few more questions – any advice on integrating this with Prometheus and Grafana for enhanced monitoring?