Kubernetes Security Standards and Hardening
The comprehensive security controls required to harden Kubernetes clusters and workloads to meet CIS, NSA/CISA, and regulatory compliance requirements.
Kubernetes security hardening addresses a wide attack surface: the API server, etcd (the cluster state store), kubelet configurations, network policies, RBAC authorization, pod security standards, secrets management, and the admission control pipeline. The NSA/CISA Kubernetes Hardening Guidance and the CIS Kubernetes Benchmark are the primary technical references, and both are referenced in FedRAMP assessments of Kubernetes-hosted workloads. At the cluster level, the API server must be configured to require authentication and authorization for all requests, disable anonymous access, enable audit logging, and reject deprecated insecure flags. etcd must be encrypted at rest (using the Kubernetes encryption provider configuration) and secured with mutual TLS — etcd holds all cluster state including secrets and is the highest-value target for cluster compromise.
Pod-level security is enforced through Kubernetes Pod Security Standards (PSS), which replaced the deprecated PodSecurityPolicy (PSP) in Kubernetes 1.25. The three PSS levels — Privileged, Baseline, and Restricted — define allowed and forbidden pod configurations. Regulated workloads must meet the Restricted profile, which requires non-root execution, read-only root filesystems, dropped capabilities, and seccomp enforcement. RBAC configurations must follow least-privilege principles: service accounts should have only the namespace-scoped permissions required for their function, and cluster-level roles should be assigned only to infrastructure components that genuinely require cluster-wide access. Wildcard permissions in ClusterRoleBindings are a common audit finding.
Network segmentation in Kubernetes requires Network Policies to be implemented — without explicit policies, all pods can communicate with all other pods in the cluster, which violates PCI DSS network segmentation requirements and HIPAA access control principles. Network Policies must be designed from a zero-trust baseline where inter-service communication is explicitly permitted rather than implicitly allowed. Secret management is a persistent challenge: Kubernetes Secrets are base64-encoded (not encrypted) by default in etcd unless encryption providers are configured, and many clusters have secrets accessible to overly broad service accounts. For highly regulated workloads, external secret stores (Vault, AWS Secrets Manager) with the External Secrets Operator provide a more defensible secrets architecture than native Kubernetes Secrets.
We harden Kubernetes clusters against the full CIS Benchmark and NSA/CISA guidance, implementing etcd encryption, Pod Security Standards enforcement, RBAC least-privilege configurations, and Network Policy zero-trust baselines. Our cluster assessments produce compliance evidence packages mapped to FedRAMP, PCI DSS, and HIPAA control requirements.
Compliance-Native Architecture Guide
Design principles and a structured checklist for building software that is compliant by default — not compliant by retrofit. Covers data architecture, access controls, audit trails, and vendor due diligence.