Kubernetes Security Best Practices 2026: Hardening Your K8s Cluster

Why Kubernetes Security Matters

Kubernetes is the default runtime for containerized workloads at scale and consistently among the top sources of cloud security incidents. Most Kubernetes security problems are caused by misconfiguration, not novel attacks.

1. RBAC: Least Privilege at the API Level

Every API call to the cluster goes through RBAC authorization. The common mistake is giving service accounts cluster-admin or using wildcard permissions.

# Minimal role for an app that only reads ConfigMaps
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: production
  name: configmap-reader
rules:
- apiGroups: [""]
  resources: ["configmaps"]
  verbs: ["get", "list"]
  resourceNames: ["app-config"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-configmaps
  namespace: production
subjects:
- kind: ServiceAccount
  name: my-app
  namespace: production
roleRef:
  kind: Role
  name: configmap-reader
  apiGroup: rbac.authorization.k8s.io

Key practices: Audit ClusterRoleBindings quarterly, never bind cluster-admin to service accounts.

2. Pod Security Standards

Since Kubernetes 1.25, Pod Security Admission replaces PodSecurityPolicy:

Apply at the namespace level:

kubectl label namespace production   pod-security.kubernetes.io/enforce=restricted   pod-security.kubernetes.io/warn=restricted

Set a compliant security context:

securityContext:
  runAsNonRoot: true
  runAsUser: 1000
  allowPrivilegeEscalation: false
  readOnlyRootFilesystem: true
  capabilities:
    drop: ["ALL"]

3. Network Policies: Default Deny

By default, all pods can communicate with all other pods. Fix this with a default deny policy and explicit allow rules for required traffic:

# Default deny all ingress and egress
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: production
spec:
  podSelector: {}
  policyTypes:
 - Ingress
 - Egress
---
# Allow app to reach its database
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-app-to-db
  namespace: production
spec:
  podSelector:
    matchLabels:
      app: my-app
  policyTypes:
 - Egress
  egress:
 - to:
   - podSelector:
        matchLabels:
          app: postgres
    ports:
   - protocol: TCP
      port: 5432

Note: Requires a CNI plugin that supports Network Policies (Calico, Cilium).

4. Secrets Management

Kubernetes Secrets are base64-encoded, not encrypted, by default. Use External Secrets Operator:

This gives you centralized management, audit logging, and automatic rotation.

5. Image Security and Supply Chain

Scan in CI/CD with Trivy:

- name: Scan image for vulnerabilities
  uses: aquasecurity/trivy-action@master
  with:
    image-ref: 'myapp:${{ github.sha }}'
    exit-code: '1'
    severity: 'CRITICAL,HIGH'
    ignore-unfixed: true

Block non-compliant images with Kyverno:

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-approved-registry
spec:
  validationFailureAction: Enforce
  rules:
 - name: check-registry
    match:
      resources:
        kinds: [Pod]
    validate:
      message: "Images must be from mycompany.azurecr.io"
      pattern:
        spec:
          containers:
         - image: "mycompany.azurecr.io/*"

6. Runtime Threat Detection

Falco monitors system calls for suspicious behavior. For AKS, Microsoft Defender for Containers provides managed runtime protection.

Priority Order: Where to Start

1. RBAC audit - find and remove wildcard/cluster-admin bindings
2. Encryption at rest for Secrets or migrate to external secrets
3. Pod Security Standards at baseline level
4. Default-deny Network Policies in sensitive namespaces
5. Image scanning in CI/CD and admission control
6. Runtime detection (Falco or Defender for Containers)

Benchmark with kube-bench against the CIS Kubernetes Benchmark:

kubectl apply -f https://raw.githubusercontent.com/aquasecurity/kube-bench/main/job.yaml
kubectl logs job/kube-bench