Kubernetes Security Must Practices

TechOps Examples

Hey — It's Govardhana MK 👋

Along with a use case deep dive, we identify the remote job opportunities, top news, tools, and articles in the TechOps industry.

👋 Before we begin... a big thank you to today's sponsor PERFECTSCALE

Are you ready for the future of DevOps automation—or still stuck in manual processes?

Join us for a webinar with Adam Jacob, co-creator of Chef and CEO of System Initiative, as we explore the next era of DevOps automation.

You will learn: 

• Why traditional DevOps approaches are becoming a bottleneck—and what’s replacing them.

• The role of AI and machine learning in automating workflows and improving collaboration.

• How teams can overcome cultural and organizational hurdles when adopting new technologies.

Only 50 seats available. Register now!

IN TODAY'S EDITION

🧠 Use Case

• Kubernetes Security Must Practices

🚀 Top News

• Kubecost 2.6 Release Highlights

👀 Remote Jobs

• Eqvilent is hiring a Python - DevOps Engineer

  Remote Location: Worldwide

• Scroll is hiring a Senior / Staff Site Reliability Engineer

  Remote Location: Worldwide

📚️ Resources

• MLOps Roadmap 2025

• Log Levels: Different Types and How to Use Them

• Approach for automating static secret rotation using Pulumi ESC

📢 Reddit Threads

• Passed my AWS CLF-C02 Exam with a score of 961/1000 - Here's How

• Lambda Killing K8s? There is a large push in my org to move from K8s to Lambda

🛠️ TOOL OF THE DAY

ContainerSSH - Building a lab environment can be time consuming.

ContainerSSH solves this by providing dynamic SSH access with APIs, automatic cleanup on logout using ephemeral containers, and persistent volumes for storing data.

Perfect for vendor and student labs.

🧠 USE CASE

Kubernetes Security Must Practices

You know there are tons of content on Kubernetes Security Best practices, the moment it is conceived as 'Best practices' many bracket it inside optional or nice to have.

In fact, there are MUST Practices which, when missed, create a lot of unnecessary mess.

On a lighter note, if there were a kind of CAPTCHA that would stop someone from starting Kubernetes unless these must haves are available, that would be awesome, wouldn’t it?

Something like this ….

1. RBAC Configured

Missing this?

Any service account could have excessive permissions, making privilege escalation trivial.

Define granular roles, bind only required permissions, and audit with kubectl auth can-i

Regularly check misconfigurations using kubectl get rolebindings, clusterrolebindings --all-namespaces.

2. Rate Limiting

Missing this?

A misconfigured automation script or rogue user can overwhelm your API server, leading to downtime or DoS attacks.

Use API Priority and Fairness to control API request rates.

Set limits in your Ingress/Nginx using limit_req to throttle excessive requests.

3. Encryption

Missing this?

Secrets in etcd are stored in plaintext by default, making them an easy target if etcd is compromised.

Enable encryption at rest using encryption-config.yaml and enforce TLS for all cluster communication.

Ensure KMS or an external vault manages encryption keys.

4. Ephemeral Containers

Missing this?

Debugging with kubectl exec often requires privileged access, increasing security risks.

Use kubectl debug to spawn ephemeral containers without modifying running workloads.

Restrict exec access using RBAC to avoid unnecessary privilege escalations.

5. Probes (Liveness, Readiness, Startup)

Missing this?

Kubernetes won’t know when your app is unhealthy, leading to stale or failing services staying alive.

Implement readiness and liveness probes in your Deployment manifests to restart failed apps and control traffic flow.

Regularly test probe behavior before deployments.

6. Namespace Isolation

Missing this?

Without isolation, workloads can interact freely, increasing the attack surface.

Use namespaces per team or application and enforce network policies (NetworkPolicy) to restrict pod-to-pod communication across namespaces.

Ensure RBAC policies are scoped at the namespace level.

7. PodDisruptionBudget (PDB)

Missing this?

Node drains can evict all replicas of a critical application, leading to downtime.

Define PDBs to maintain minimum available pods during voluntary disruptions (minAvailable or maxUnavailable).

Validate using kubectl describe pdb <your-app>.

8. Approved Images

Missing this?

Pulling unverified images exposes your cluster to supply chain attacks.

Implement image signing and verification using Cosign.

Enforce registry restrictions via ImagePolicyWebhook or Kyverno policies.

Use tools like Trivy to scan images before deployment.

Not following these MUST Practices isn’t just bad hygiene - it’s a security risk.

Set them up, enforce them, and audit them regularly.

Because the worst kind of Kubernetes failure? A preventable one.

Join us for a webinar with Adam Jacob, co-creator of Chef and CEO of System Initiative, as we explore the next era of DevOps automation.

This forward looking discussion will explore how emerging technologies are set to transform DevOps workflows in the coming years.

Only 50 seats available. Register now!

You may even like:

Kubernetes Mistakes Side Effects

Looking to promote your company, product, service, or event to 38,000+ Cloud Native Professionals? Let's work together.