Kubernetes security: A refresher
As its adoption surges, more organizations are turning their attention to Kubernetes security, working to fortify their clusters against potential threats. It’s a good instinct. The open-source nature of Kubernetes makes it a lucrative target for attackers aiming to exploit vulnerabilities to breach systems. A secure Kubernetes environment ensures the confidentiality, integrity, and availability of applications, safeguarding business assets and data from unauthorized access. Before turning to an action plan for a robust Kubernetes environment, let’s start by taking a look at some common risks, critical components to secure, and challenges.
Common vulnerabilities and threats in Kubernetes environments
Kubernetes threat vectors target multiple layers of your containerized infrastructure, creating complex attack paths that traditional security measures often miss.
The most critical threats include:
API server vulnerabilities: Misconfigured or exposed APIs provide direct access to cluster management functions, allowing attackers to manipulate workloads and extract sensitive data.
Container image risks: Vulnerable base images or malicious code within containers create entry points for attackers to compromise entire clusters.
Configuration weaknesses: Default settings and misconfigurations in network policies, RBAC, or secrets management leave clusters exposed to privilege escalation and lateral movement attacks.
Understanding these vulnerabilities is just the first step. It's equally important to know which components need safeguarding to mitigate these risks. This is where Kubernetes security testing tools play a crucial role, helping organizations identify and address potential vulnerabilities before they can be exploited.
Kubernetes Security [Cheat Sheet]
Everything you need to know about securing Kubernetes.
Components and domains to secure in Kubernetes
Kubernetes security domains require protection at multiple infrastructure layers to prevent attackers from exploiting any single point of failure.
Control plane security: The API server acts as the primary gateway to your cluster and requires strict authentication, authorization policies, and audit logging to prevent unauthorized access.
Data protection: etcd stores all cluster configuration data and secrets, making encryption at rest and secure communication protocols essential to prevent data breaches.
Node hardening: Worker nodes and kubelet agents need secure configurations, regular updates, and restricted access to prevent compromise of the underlying infrastructure.
Network isolation: Pod-to-pod communication must be controlled through network policies to prevent lateral movement and unauthorized data access between workloads.
Workload permissions: Applications should operate under the principle of least privilege, with minimal permissions and restricted access to sensitive resources.
Secrets management: Sensitive data like passwords, tokens, and certificates require encryption, access controls, and rotation policies to prevent credential theft. The widespread exposure of secrets—affecting 61% of organizations according to Wiz's Code Security Report—makes proper secrets management particularly critical in Kubernetes environments.
Challenges in Kubernetes security
Securing a Kubernetes environment is no easy task. There are many challenges, including:
Misconfigurations: Simple errors in configuration can open up significant vulnerabilities.
Inadequate network policies: Lax network policies can allow unauthorized access to network resources.
Lack of resource isolation: Failure to isolate resources can result in cross-contamination and data breaches.
Insufficient monitoring and logging: Detecting and responding to threats becomes increasingly more complicated without proper monitoring.
Kubernetes Secure Coding Practices [Cheat Sheet]
This 10 page cheat sheet provides advanced, actionable guidance for infrastructure and platform developers to safeguard containerized applications.
Download Cheat Sheet
How security tools can help
Kubernetes security tools address the complexity and scale challenges that manual security processes cannot handle effectively in dynamic containerized environments.
Automated vulnerability detection continuously scans containers, configurations, and runtime environments to identify security gaps before attackers can exploit them, reducing response time from days to minutes.
Policy-as-code enforcement ensures consistent security standards across all clusters and deployments, preventing misconfigurations that lead to breaches.
Runtime threat monitoring detects suspicious activities like privilege escalation, lateral movement, and unauthorized access in real-time, enabling immediate response to active threats.
Compliance automation maintains adherence to security frameworks like CIS benchmarks, SOC 2, and industry regulations without manual audit overhead.
Key features to look for in Kubernetes security tools
Choosing the right Kubernetes security tools can be overwhelming. Here are the key features to look for when evaluating your options:
Comprehensive coverage: The best tools protect every layer of your Kubernetes environment—configuration, workloads, network, runtime, and policy enforcement.
Open source and community support: Look for tools with active communities, frequent updates, and transparent development. This ensures you get timely fixes and new features.
Easy integration: Tools should fit into your existing workflows, whether that's CI/CD pipelines, GitOps, or your preferred monitoring stack. Command-line interfaces, APIs, and plug-ins are a plus.
Automated scanning and policy enforcement: Automation is key. Tools should scan for misconfigurations, vulnerabilities, and compliance issues automatically, and enforce policies without manual intervention.
Real-time detection and alerting: Runtime security tools should monitor for suspicious activity and alert you instantly, so you can respond before issues escalate.
Customizability: Every environment is different. Choose tools that let you write custom rules, policies, or checks to match your organization's needs.
Clear reporting and actionable insights: The best tools don't just find problems—they help you understand what to fix first, and how to fix it.
Scalability: Make sure your tools can handle your current and future cluster sizes, whether you're running a handful of nodes or hundreds.
Before you commit, try out a few tools in a test environment. See how they fit your workflow and how easy they are to use. The right combination will make your Kubernetes security program much more effective—and a lot less stressful.
Kubernetes security tools
Open-source Kubernetes security tools provide enterprise-grade protection without licensing costs, offering transparency and customization that proprietary solutions often lack. These tools address specific security domains—from configuration scanning to runtime protection—allowing you to build a comprehensive defense strategy tailored to your environment's needs.
The following tools are organized by security function to help you identify the right combination for your cluster's protection requirements.
Configuration and compliance scanners
Configuration scanners analyze Kubernetes YAML files, Helm charts, and cluster settings to identify security misconfigurations before deployment. These tools compare your configurations against security benchmarks like CIS Kubernetes Benchmark and industry best practices, flagging issues like excessive permissions, unencrypted secrets, or exposed services that could lead to breaches.
kube-bench
kube-bench is an open-source tool that verifies the secure deployment of Kubernetes based on the CIS Kubernetes Benchmark guidelines. With its YAML-configured tests, updating the tool as standards change is straightforward:
Use cases
| Use Case | Description |
|---|---|
| Cluster hardening | With kube-bench, you can automatically check a cluster's setup against the security standards set by the CIS Benchmarks.. |
| Policy enforcement | Verify RBAC setup to make sure service accounts and users have minimal privileges. The tool also examines pod security practices and how secrets are managed. |
| Network segmentation | kube-bench can check CNI and ensure every namespace has defined network policies. |
Checkov
Checkov is a static code analysis tool built by Bridgecrew and maintained by Prisma Cloud. It scans cloud infrastructure configurations to identify security misconfigurations before deployment. Checkov supports a wide range of infrastructure as code (IaC) languages, including Terraform, CloudFormation, and Kubernetes YAML files. And it comes with built-in policies that adhere to best practices and lets you write custom policies in Python or YAML.
# Installing Checkov using pip
pip install checkov
# Running a Checkov scan on a specific file
checkov -f main.tf
# Running a Checkov scan on a directory
checkov --directory /user/path/to/iac/code
# Specifying a framework to scan (e.g., terraform, cloudformation, kubernetes)
checkov --framework kubernetesUse cases
| Use Case | Description |
|---|---|
| Scanning Terraform files for misconfigurations | Spot and correct mistakes in Terraform files that might pose security and compliance threats. For instance, Checkov can detect if a sensitive resource is exposed to the public internet or if encryption or logging is not enabled for a storage bucket. |
| Scanning Kubernetes manifests | Checkov examines Kubernetes manifests for vulnerabilities and misconfigurations so that you can maintain a secure and compliant Kubernetes environment. |
Terrascan
Terrascan is a tool that scans infrastructure as code (IaC) for potential issues. It checks for misconfigurations in IaC and keeps an eye on cloud setups for any changes that might weaken security. Before you set up cloud-native systems, Terrascan helps catch and fix security gaps and compliance breaches. You can use it on its own or add it to your CI/CD process. It works with many IaC languages, like Terraform, Kubernetes, and Dockerfile, and it’s compatible with cloud giants like AWS, Azure, and GCP.
Use cases
| Use Case | Description |
|---|---|
| Scanning Terraform files: | Terrascan can review your Terraform files and highlight any discrepancies it detects. For instance, it can detect high-severity violations, such as when S3 bucket versioning is not enabled, simplifying recovery from unintended user actions. |
| Scanning Kubernetes manifests | Terrascan is adept at scanning Kubernetes manifests to identify security and compliance policy violations. |
| Creating custom policies | You can create custom policies using Rego, a declarative language for policy enforcement. |
KubeLinter
KubeLinter is an open-source command-line tool that spots misconfigurations in Kubernetes objects. It reviews Kubernetes YAML files and Helm charts before they're deployed to a cluster. With 19 default checks and the option to add your own, KubeLinter quickly alerts you to any missteps or security breaches in Kubernetes. Developed using Go, KubeLinter requires minimal configuration and is easy to use in various command-line shells.
# Installing KubeLinter using Homebrew
brew install kube-linter
# Linting a single Kubernetes YAML file
kube-linter lint path/to/yaml-file.yaml
# Linting an entire directory and its subcontents
kube-linter lint path/to/directory/containing/yaml-files/
# Linting a Helm chart
kube-linter lint path/to/directory/containing/Chart.yaml-file/Use cases
| Use Case | Description |
|---|---|
| Linting YAML files | KubeLinter can lint individual YAML files or entire directories containing YAML files, helping developers identify and fix misconfigurations and security violations before deploying them into a Kubernetes cluster. |
| Linting Helm charts | Helm charts, which package Kubernetes applications, can also be linted using KubeLinter to ensure they adhere to security best practices and are free from misconfigurations. |
| Custom checks | Create custom checks to enforce specific policies within your organization. |
Runtime security and threat detection tools
Runtime security tools monitor active Kubernetes workloads for malicious behavior that static scanning cannot detect. Unlike pre-deployment scanners, these tools observe actual container execution, system calls, and network activity to identify threats like privilege escalation, container escape attempts, and unauthorized file modifications as they occur in production environments.
Falco
Falco is a cloud-native runtime security project initially created by Sysdig and now maintained by the Cloud Native Computing Foundation (CNCF). It leverages system calls at the kernel level to monitor the runtime behavior of a system, integrating metadata from container runtime and Kubernetes to clarify what's happening. Falco can detect abnormal behavior and potential security threats in real time, offering a powerful rules engine to assert the stream of syscalls and alert users when rules are violated.
Use cases
| Use Case | Description |
|---|---|
| Compliance with industry regulations | Falco can help organizations comply with industry regulations and align with security frameworks like PCI, DSS, and NIST by actively detecting misconfigurations and threats in real time. |
| Monitoring legacy and cloud-native infrastructures | Falco monitors both legacy infrastructures and modern cloud-native environments, including containers and Kubernetes, ensuring a secure operational landscape. |
| Custom detections | You can add custom detections to Falco, enhancing its ability to identify a broader range of threats and misconfigurations and tailoring the tool to meet your specific security needs. |
Trivy
Trivy is an open-source, all-in-one scanner for containers and Kubernetes that identifies vulnerabilities and misconfigurations across images, file systems, and cluster resources. It supports Kubernetes cluster and manifest scanning—including exposed secrets and policy issues—and integrates into CI/CD to stop risky workloads before deployment. Trivy offers multiple scanning modes—from image and repository scans to cluster-wide audits—providing a comprehensive view of your Kubernetes security posture.
# Installing Trivy
brew install trivy
# Scanning a container image
trivy image nginx:latest
# Scanning a Kubernetes cluster
trivy k8s --report summary cluster
# Scanning IaC files
trivy config ./kubernetes-manifests/Use cases
| Use Case | Description |
|---|---|
| Container image scanning | Trivy scans container images for vulnerabilities in OS packages and application dependencies, helping teams identify security issues before deployment. |
| Kubernetes cluster auditing | Trivy can audit running Kubernetes clusters to detect misconfigurations, exposed secrets, and compliance violations across all cluster resources. |
| CI/CD integration | Integrate Trivy into your CI/CD pipeline to automatically scan images and manifests, preventing vulnerable workloads from reaching production environments. |
Policy management and enforcement
Policy enforcement engines automatically validate Kubernetes resources against predefined security rules before they're deployed to your cluster. These tools act as admission controllers, blocking deployments that violate security policies—such as containers running as root, missing resource limits, or prohibited image registries—ensuring only compliant workloads enter your environment.
Open Policy Agent (OPA)
Open Policy Agent (OPA) is an open-source, versatile policy engine that streamlines policy application across different areas, such as microservices, Kubernetes, CI/CD processes, and API gateways. OPA allows you to specify policies as code using Rego. It can also easily connect with your software, making policy decisions based on various data inputs.This flexibility makes it a powerful tool for policy enforcement in a wide range of applications.
Once a build has been approved, Kubernetes environments, container hosts, and clusters should be hardened using Open Policy Agent (OPA)-based configuration rules and Kubernetes admission policies.
Use cases
| Use Case | Description |
|---|---|
| Microservices policy enforcement | OPA can be used to enforce policies in microservices, ensuring that only authorized users can access specific resources and that traffic is allowed only through secure channels. |
| Kubernetes security | OPA can work with Kubernetes to set policies on user access to resources, determine where a workload should be deployed, and specify which OS functions a container can run, among other tasks. |
| CI/CD pipelines | In CI/CD pipelines, OPA can enforce policies that govern the deployment process, ensuring compliance with organizational and industry standards. |
kubeaudit
kubeaudit helps you audit Kubernetes clusters for various security concerns, including the detection of misconfigurations and non-compliance with best practices. It's tailored for Red Hat OpenShift and can scan user code for recognized mismatches, assisting in resolving them before integrating the code into OpenShift. A static analyzer that is easy to use and extend, kubeaudit also offers a platform for community contributions to enhance its auditing capabilities.
# Example audit report of a YAML file with kubeaudit
$ kubeaudit all -f "deployment--v1.yml"
---------------- Results for ---------------
apiVersion: apps/v1
kind: Deployment
metadata:
name: deployment
namespace: deployment-v1
--------------------------------------------
...
-- [error] AutomountServiceAccountTokenTrueAndDefaultSA
Message: Default service account with token mounted. automountServiceAccountToken should be set to 'false' or a non-default service account should be used.
-- [error] CapabilityShouldDropAll
Message: Capability not set to ALL. Ideally, you should drop ALL capabilities and add the specific ones you need to the add list.
Metadata:
Container: container
Capability: AUDIT_WRITE
...Use cases
| Use Case | Description |
|---|---|
| Identifying pod security admission issues | kubeaudit can identify issues related to pod security configuration in manifests, and it also suggests resolutions. |
| NetworkPolicy analysis | Use kubeaudit to analyze NetworkPolicy configurations and identify issues. |
| Custom audits | Developers can add custom audits to kubeaudit to meet specific organizational security needs with a simple initialization (INI) syntax, defining various fields to create a comprehensive audit that includes severity levels and diagnostic messages. |
Network security and service mesh
Network security and service mesh tools provide network policies, segmentation, and service mesh capabilities to secure communications within Kubernetes. This is critical because, according to NSA and CISA guidance, Kubernetes applies no network policies by default, resulting in unrestricted traffic within the Pod network. These tools play a crucial role in preventing unauthorized access and ensuring data integrity during transmission.
Calico
Calico is an open-source networking solution and network policy engine for containers. It operates at layer 3 of the networking stack, providing both networking and network policy for Kubernetes. The tool uses the Border Gateway Protocol (BGP) to handle packet routing to pods. Calico can be used as a standalone tool or in conjunction with others, like Flannel.
Calico also extends the features of the built-in Kubernetes NetworkPolicy API, allowing you to apply policies to a broader range of objects and offering more granular control over traffic flow in your Kubernetes environment.
# Example of allowing ingress traffic to endpoints in the production namespace with database label is permitted, only if it comes from a pod in the same namespace with backend label, on port 6379
apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
name: allow-tcp-6379
namespace: production
spec:
selector: app == 'database'
ingress:
- action: Allow
protocol: TCP
source:
selector: app == 'backend'
destination:
ports:
- 6379Use cases
| Use Case | Description |
|---|---|
| Enhanced network policies | Calico lets you create network policies that are more comprehensive than those available through the Kubernetes NetworkPolicy API, including the ability to specify actions (allow, deny, log) and to use a wider range of selectors and attributes in policy rules. |
| Integration with existing Kubernetes features | Calico can be used alongside existing Kubernetes networking features, enhancing those features with its APIs to provide more flexible and robust network policy capabilities. |
| Multi-environment policies | For consistent policy enforcement across different environments, Calico policies can be applied not just to pods but to a range of objects, including containers, virtual machines, and network interfaces. |
Istio
Istio is an open-source service mesh designed for Kubernetes, facilitating the connection, security, management, and monitoring of services. It boasts features like traffic control, security measures, monitoring options, and adaptability.
Istio deploys a sidecar proxy (Envoy) with each service instance, so it can intercept and manage all incoming and outgoing traffic. This architecture enables Istio to enforce policies, collect telemetry, and facilitate advanced traffic routing patterns like canary deployments and circuit breaking.
Use cases
| Use Case | Description |
|---|---|
| Traffic management | Istio's traffic management capabilities accommodate advanced routing patterns, such as directing traffic to different versions of a service based on request headers or weights. This is particularly useful for canary deployments and A/B testing. |
| Security | Istio offers a strong security setup with features such as mutual TLS authentication between services, detailed access management, and identity checks, guaranteeing safe communication inside the cluster. |
| Observability | With Istio, you gain deep insights into your service mesh with features like distributed tracing, monitoring, and logging, and the result is efficient debugging and performance optimization. |
Exploit detection
Exploit detection tools identify potential escape techniques and exploits in Kubernetes environments. By actively monitoring and analyzing system behaviors, these tools play a pivotal role in preventing unauthorized breaches and ensuring the overall security of the environment.
Kubescape
Kubescape, developed by ARMO, is a Kubernetes security platform that’s a Cloud Native Computing Foundation (CNCF) sandbox project. The platform facilitates risk analysis, security compliance, and misconfiguration scanning in Kubernetes environments. Kubescape can check clusters, YAML files, and Helm charts, detecting misconfigurations using frameworks including NSA/CISA, MITRE ATT&CK®, and the CIS Benchmarks.
Use cases
| Use Case | Description |
|---|---|
| Risk analysis | Kubescape can perform risk analysis on your Kubernetes configurations, helping identify potential vulnerabilities and areas where best practices aren’t being followed. |
| Security compliance | To ensure compliance with various security frameworks, Kubescape provides detailed reports that help you understand your compliance status and areas where improvements are needed. |
| Automated scanning in CI/CD pipelines | By integrating Kubescape into your CI/CD pipelines, you can automatically scan Kubernetes configurations and catch potential issues early in the development lifecycle. |
CISO Buyer's Guide: Kubernetes Security
This guide breaks down the key capabilities to look for in a Kubernetes security platform and how to align them with business risk.
Get the Guide
Securing K8s across the entire development lifecycle
Securing Kubernetes (K8s) is a continuous process that spans the entire development lifecycle.
The importance of continuous security
Here’s why it’s critical to treat Kubernetes security as an ongoing priority, starting at the planning phase of your implementation:
Early detection of vulnerabilities: Integrating security from the outset translates directly to the early detection of Kubernetes vulnerabilities, reducing potential risks in later stages of development.
Cost-efficiency: Addressing security breaches post-deployment is an expensive process. Early security integrations are significantly more cost efficient.
Compliance with regulations: Continuous security ensures that your system adheres to the necessary regulatory compliances at all stages of development. By constantly monitoring and updating in response to evolving standards, it guarantees that the system remains in line with industry regulations. This proactive approach reduces the risk of non-compliance penalties and ensures that security measures are always up to date.
Risks of late-stage security implementations
Increased complexity: The later the development stage, the more complex security implementation becomes. That’s because accumulated data and configurations come with a lot of baggage, like dependencies and interconnected system components.
Potential security breaches: Late-stage security implementations mean your system has been vulnerable to attacks for an extended period.
Reputational damage: Don’t wait for a security breach to prioritize security. Cyberattacks can damage an organization's reputation, leading to a loss of trust among clients and stakeholders.
Wiz's container and Kubernetes security solution
While the tools covered in this blog post cater to many different aspects of Kubernetes security, Wiz stands out as a single–platform solution that’s specifically tailored for container and Kubernetes environments. Wiz empowers both security and development teams by providing visibility, context, and risk prioritization throughout the entire development lifecycle.
Watch 12-Minute Demo
See how Wiz connects the dots between misconfigurations, identities, data exposure, and vulnerabilities—across all environments, including Kubernetes. No agents, just full context.
Watch demo now
Some of its standout features include:
Comprehensive security: Wiz offers a comprehensive security approach, covering all aspects of Kubernetes security to make sure you’re defended against potential threats.
Ease of integration: With seamless integration into existing systems, Wiz provides complete security coverage without disrupting your existing workflows.
Real-time monitoring: Wiz offers real-time monitoring of the entire Kubernetes environment, providing instant alerts for security breaches, so you can respond to threats fast.
Other tool roundups you might be interested in: