Kubernetes security baseline: clusters that survive contact
A vanilla Kubernetes cluster is not production-ready. The CIS Kubernetes Benchmark, NSA hardening guide, and Pod Security Standards translate to a practical first week.
Kubernetes hardening is a discipline, not a setting. The CIS Kubernetes Benchmark covers 110 control checks across master, etcd, worker, and policies. The NSA/CISA Kubernetes Hardening Guidance v1.2 adds a defender-focused frame. Kubernetes' own Pod Security Standards (Privileged, Baseline, Restricted) replaced Pod Security Policies, deprecated since 1.21 and removed in 1.25. Baseline and Restricted are the targets for production namespaces.
Cluster hardening starts with the control plane. Use a managed Kubernetes service (EKS, GKE, AKS) where the cluster operator does not run etcd or the API server — that removes a class of CIS findings. For self-managed clusters, etcd must be encrypted at rest with KMS-backed keys, restricted to control plane network only, and authenticated with mTLS. Disable anonymous authentication on the API server, enable audit logging at the metadata level minimum, and rotate kubelet client certificates automatically.
Network and runtime second. Apply NetworkPolicies — the default in Kubernetes is all-namespaces-can-talk-to-all-namespaces, the opposite of zero trust. Calico, Cilium, or the cloud CNI (e.g. AWS VPC CNI with the Network Policy add-on) implement them. Enforce Pod Security Standards via the built-in admission plugin in 1.25+ or via Kyverno or OPA Gatekeeper for finer policy: no privileged containers, no host network, no host PID, immutable root filesystem where possible, runAsNonRoot enforced. Falco or Tetragon provides runtime detection on syscalls and containers.
Supply chain and secrets third. Sign images with Sigstore cosign and verify on admission with Kyverno verify-images or Connaisseur. Scan container images with Trivy, Grype, or commercial scanners (Snyk, Wiz, Prisma Cloud) and block deployment of high-severity CVEs. Store secrets in an external secret manager — HashiCorp Vault, AWS Secrets Manager, Azure Key Vault, GCP Secret Manager — and inject via External Secrets Operator or CSI driver, never as plain etcd Secret objects which are merely base64-encoded. Use namespace-scoped service accounts with the minimum required RBAC; the default service account should never have permissions.
Related reading
AWS security baseline checklist for new accounts
A new AWS account is wide open by default. Twenty controls applied in the first week prevent 90 percent of cloud incidents — here is the list.
Azure security on day one: a tenant-level hardening guide
Azure tenants come with risky defaults — Conditional Access disabled, security defaults insufficient. Here is the day-one hardening that actually moves the dial.
Cloud Security Posture Management: choosing and operating CSPM
CSPM scans your cloud configuration against benchmarks. The good ones reduce alert fatigue and block bad configurations at deploy time.