Kubernetes Security: 15 Critical Rules for Production
Kubernetes defaults are unsafe for production: pods get broad cluster access, the network is flat, and Secrets are only base64-encoded, not encrypted. Here are 15 core rules for hardening.
Cluster Access and RBAC
1) Expose the API server (kubectl access) only behind a VPN such as WireGuard.
2) RBAC least privilege: service accounts get only the permissions they need.
3) Don't hand cluster-admin to humans; keep a break-glass account instead.
4) Store audit logs in etcd and ship them offsite. The audit policy must log sensitive operations (Secret reads and writes, pod exec).
5) Disable anonymous and unauthenticated access entirely.
Pod Security Standards
6) Enforce the PSS 'restricted' profile via namespace labels.
7) Don't run pods as root (runAsNonRoot: true).
8) Drop all capabilities.
9) privileged: false, hostNetwork: false, hostPID: false.
10) readOnlyRootFilesystem: true. Mount an emptyDir or a specific volume where writes are needed.
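As an added example (constructed for this page, not code from the original article or from VefaSec), the namespace labels and Pod spec that satisfy rules 6 through 10 under the restricted profile; the namespace name, UID and image reference are assumptions.

```yaml
# Constructed example: a namespace that enforces the 'restricted' Pod Security
# Standard, plus a Pod that passes it (rules 6-10 of the article).
apiVersion: v1
kind: Namespace
metadata:
  name: payments                       # assumed namespace name
  labels:
    pod-security.kubernetes.io/enforce: restricted        # rule 6: reject violations
    pod-security.kubernetes.io/enforce-version: latest
    pod-security.kubernetes.io/warn: restricted           # warn on kubectl apply
    pod-security.kubernetes.io/audit: restricted          # annotate audit events
---
apiVersion: v1
kind: Pod
metadata:
  name: api
  namespace: payments
spec:
  hostNetwork: false                   # rule 9: no host namespaces
  hostPID: false
  hostIPC: false
  automountServiceAccountToken: false  # rule 2: no API token unless the workload needs one
  securityContext:
    runAsNonRoot: true                 # rule 7
    runAsUser: 10001                   # assumed UID; set explicitly so runAsNonRoot can be
                                       # verified even if the image's USER is not numeric
    seccompProfile:
      type: RuntimeDefault             # required by the 'restricted' profile
  containers:
  - name: api
    image: registry.example.com/payments/api:1.4.2   # placeholder image reference
    securityContext:
      privileged: false                # rule 9
      allowPrivilegeEscalation: false  # required by 'restricted'
      readOnlyRootFilesystem: true     # rule 10
      capabilities:
        drop: ["ALL"]                  # rule 8
    volumeMounts:
    - name: tmp
      mountPath: /tmp                  # the only writable path, backed by emptyDir
  volumes:
  - name: tmp
    emptyDir: {}
```

With the enforce label in place, the API server rejects any Pod in the namespace that drops one of these settings; the warn and audit labels report the same violations without blocking.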
Network Policy
11) Default deny all: namespace traffic starts closed and is opened selectively via an allowlist.
12) Egress controls: pods reach only approved external endpoints (e.g., only the AWS API, only Stripe).
Cilium or Calico unlock L7 policies. A service mesh (Istio, Linkerd) adds mTLS for pod-to-pod traffic.
Image and Secret Security
13) Deploy only signed images, enforced via ImagePolicyWebhook or OPA Gatekeeper, with Trivy/Grype scans in CI/CD.
14) Encrypt Secrets via KMS (etcd at-rest encryption). Use Sealed Secrets or External Secrets Operator so secrets never land in git.
15) Rotate secrets regularly (especially DB credentials and API keys), for example with HashiCorp Vault dynamic secrets; pods get short-lived tokens via the Vault Kubernetes auth method.
Monitoring and Runtime Security
Falco for runtime security: it catches abnormal syscalls (reading /etc/shadow, spawning shells). Prometheus + Grafana for cluster metrics. kube-bench for CIS benchmark compliance.
VefaSec runs K8s security audits for clients; a typical first audit surfaces 25-40 findings, mostly misconfigurations. Critical ones close in 1-2 weeks.
Talk to VefaSec about your project or audit needs.
Our Diyarbakır-based team delivers end-to-end software development, penetration testing and cybersecurity advisory to enterprise clients. The discovery call is free and non-binding.