What is Kubernetes security hardening?

Answer

Kubernetes security hardening across multiple layers: 1. API Server security: enable RBAC (default in modern clusters); disable anonymous auth; restrict API server access (private endpoint, IP allowlist); enable audit logging; use mTLS for component communication. 2. Pod security: Pod Security Admission (PSA) — replaces deprecated PodSecurityPolicy. Three standards: Privileged (no restrictions), Baseline (minimum restrictions), Restricted (hardened). Apply per namespace: kubectl label namespace production pod-security.kubernetes.io/enforce=restricted; Restrict capabilities: securityContext: runAsNonRoot: true runAsUser: 1000 readOnlyRootFilesystem: true allowPrivilegeEscalation: false capabilities: drop: [ALL]. 3. Network segmentation: NetworkPolicies for ingress/egress control; service mesh for mTLS; Cilium for L7 policies. 4. Image security: scan with Trivy, Snyk, or Clair in CI/CD; sign images with cosign; use digest pinning: image: my-app@sha256:abc123; use minimal base images (distroless); Admission Controllers: OPA Gatekeeper or Kyverno — enforce policies (no :latest tag, require resource limits, require labels, no privileged containers). 5. Secrets management: external secrets (AWS Secrets Manager, Vault) via External Secrets Operator or CSI Secrets Store Driver; encrypt etcd at rest; avoid env var secrets for very sensitive data (use volume mounts). 6. Runtime security: Falco — runtime threat detection (detect unexpected syscalls, container escapes, privilege escalation); Tetragon (eBPF-based, lower overhead). 7. Supply chain: SBOM generation; policy enforcement with Sigstore/cosign; dependency vulnerability scanning. CIS Kubernetes Benchmark: kube-bench tool checks cluster against CIS benchmarks.