What is Kubernetes security hardening?
Why Interviewers Ask This
This question targets practical, hands-on experience with Kubernetes (K8s). Interviewers want to see if you've worked with these concepts in real projects, not just read about them. Strong answers include concrete examples.
Answer
Kubernetes security hardening works across multiple layers:

1. API server security: enable RBAC (the default in modern clusters); disable anonymous authentication; restrict access to the API server (private endpoint, IP allowlist); enable audit logging; use mTLS for communication between control-plane components.

2. Pod security: Pod Security Admission (PSA) replaces the deprecated PodSecurityPolicy. It defines three standards: Privileged (no restrictions), Baseline (minimal restrictions), and Restricted (hardened). Apply a standard per namespace:

   kubectl label namespace production pod-security.kubernetes.io/enforce=restricted

   Restrict capabilities in the pod or container securityContext:

   securityContext:
     runAsNonRoot: true
     runAsUser: 1000
     readOnlyRootFilesystem: true
     allowPrivilegeEscalation: false
     capabilities:
       drop: [ALL]

3. Network segmentation: NetworkPolicies for ingress and egress control; a service mesh for mTLS between services; Cilium for L7 policies.

4. Image security: scan images with Trivy, Snyk, or Clair in CI/CD; sign images with cosign; pin images by digest (image: my-app@sha256:abc123) rather than by tag; use minimal base images (distroless). Admission controllers such as OPA Gatekeeper or Kyverno enforce policies: no :latest tag, required resource limits, required labels, no privileged containers.

5. Secrets management: keep secrets in an external store (AWS Secrets Manager, Vault) via the External Secrets Operator or the Secrets Store CSI Driver; encrypt etcd at rest; avoid passing very sensitive secrets as environment variables (use volume mounts instead).

6. Runtime security: Falco for runtime threat detection (unexpected syscalls, container escapes, privilege escalation); Tetragon (eBPF-based, lower overhead).

7. Supply chain: generate SBOMs; enforce signature policy with Sigstore/cosign; scan dependencies for vulnerabilities.

CIS Kubernetes Benchmark: the kube-bench tool checks a cluster against the CIS benchmarks.
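The following manifests tie points 2, 3 and 4 of the answer together. They are an added example, not code from the original answer: a namespace that enforces the Restricted standard, a Deployment whose pod passes it (non-root, seccomp, dropped capabilities, digest-pinned image, resource limits), and NetworkPolicies that default-deny and then allow only what the app needs. The registry, the ingress namespace name (ingress-nginx) and the image digest are placeholders you would replace with your own.

```yaml
# Added example (not from the original answer). Names, the registry and the
# digest are placeholders; kube-dns labels are the upstream defaults.
apiVersion: v1
kind: Namespace
metadata:
  name: production
  labels:
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/enforce-version: latest
    # warn + audit surface violations before they would be rejected
    pod-security.kubernetes.io/warn: restricted
    pod-security.kubernetes.io/audit: restricted
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-app
  namespace: production
spec:
  replicas: 2
  selector:
    matchLabels:
      app: my-app
  template:
    metadata:
      labels:
        app: my-app
    spec:
      automountServiceAccountToken: false   # the app never calls the API server
      securityContext:
        runAsNonRoot: true
        runAsUser: 1000
        runAsGroup: 1000
        seccompProfile:
          type: RuntimeDefault              # required by the Restricted standard
      containers:
        - name: my-app
          # digest pinning: <IMAGE_DIGEST> is a placeholder for the real sha256
          image: registry.example.com/my-app@sha256:<IMAGE_DIGEST>
          ports:
            - containerPort: 8080
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop: ["ALL"]
          resources:
            requests: { cpu: 100m, memory: 128Mi }
            limits:   { cpu: 500m, memory: 256Mi }
          volumeMounts:
            - name: tmp
              mountPath: /tmp                # writable scratch space
      volumes:
        - name: tmp
          emptyDir: {}
---
# Default deny: no pod in the namespace may send or receive traffic unless
# a more specific policy below allows it.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: production
spec:
  podSelector: {}
  policyTypes: ["Ingress", "Egress"]
---
# Allow ingress to my-app on 8080 from the ingress controller's namespace
# (assumed to be ingress-nginx) and egress only to kube-dns for name resolution.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: my-app-allow
  namespace: production
spec:
  podSelector:
    matchLabels:
      app: my-app
  policyTypes: ["Ingress", "Egress"]
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: ingress-nginx
      ports:
        - protocol: TCP
          port: 8080
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
```

Apply with kubectl apply -f on the file. Before turning on enforce in an existing namespace, run the label change with --dry-run=server: the API server then prints a warning for every pod that would be rejected under Restricted, which is the safe way to find workloads that still need a securityContext fix. The Deployment's pod is accepted because it sets every field Restricted checks (non-root, RuntimeDefault seccomp, no privilege escalation, all capabilities dropped, only an emptyDir volume); drop any one of them and the admission warning names the offending field.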
Pro Tip
Back up your answer with a specific project or situation. Saying 'In my last Kubernetes (K8s) project, I used this when...' immediately makes your answer more credible and memorable.