Securing Kubernetes clusters is paramount in today’s cloud-native landscape. Misconfigurations or oversight can create significant vulnerabilities, leading to data breaches or system compromise. This article outlines 12 critical security best practices designed to harden your Kubernetes deployments, services, and overall cluster environment. By implementing these measures, you can significantly reduce your attack surface and enhance the resilience of your applications.
12 Kubernetes Hardening Best Practices
1. Employ Non-Root Containers
A fundamental security principle is to run containers with the least privilege possible. By default, containers often execute as the root user (UID 0) within the container. If an attacker compromises such a container, they gain root privileges, potentially enabling a container escape to the host or broader impact.
To mitigate this, configure your containers to run as an unprivileged user. You can achieve this by defining a dedicated user in your container image (many official images already provide non-root users like node or nginx). Alternatively, Kubernetes’ securityContext allows you to enforce this with runAsUser and runAsNonRoot: true. The latter ensures the container will not even start if it attempts to run as UID 0, acting as a crucial safeguard.
Example Configuration:
securityContext:
runAsUser: 1000 # Example: UID 1000 for a non-root user
runAsNonRoot: true # Ensures the container cannot start as root
Running as non-root establishes an additional layer of defense. Even if a breach occurs, the attacker is contained within a lower-privileged user environment, making privilege escalation significantly more challenging.
2. Avoid Privileged Containers
Running containers in privileged mode (securityContext.privileged: true) should be an absolute last resort, and ideally, never used for application workloads. A privileged container essentially bypasses most of the isolation mechanisms inherent to containers, granting it nearly the same access to the host as a root process running directly on the node.
This mode allows a container to access host devices, share host namespaces (IPC, PID), and disables crucial security controls like seccomp and AppArmor. In essence, a privileged container becomes indistinguishable from a root process on the host. If compromised, it can trivially take over the node and potentially spread across the cluster.
Kubernetes’ baseline security policies typically prohibit privileged containers for general applications. For specialized infrastructure components that truly require elevated access (e.g., certain CSI drivers or networking plugins), alternatives like specific capabilities or daemon-based deployments should be explored first.
3. Eschew HostPath Volumes
hostPath volumes directly mount a file or directory from the host node’s filesystem into a pod. This practice fundamentally undermines container isolation and poses significant security risks. A compromised container with hostPath access could read, modify, or even execute critical files on the host, leading to container escapes or system tampering.
For instance, mounting /var/run/docker.sock provides control over the Docker daemon, effectively granting root on the host. Even seemingly benign mounts like /var/log could allow malicious activity such as log poisoning or resource exhaustion.
The Pod Security “Restricted” standard explicitly forbids hostPath volumes. For persistent storage, leverage PersistentVolumeClaims (PVCs). For configuration, use ConfigMaps or Secrets. For temporary scratch space, emptyDir is appropriate. If hostPath is truly unavoidable (e.g., for specific system agents), make it read-only and limit the path as much as possible, deploying it with minimal other privileges.
Example to avoid:
volumes:
- name: host-files
hostPath:
path: /etc
type: Directory
4. Do Not Use hostPort
The hostPort setting exposes a specific port on the Kubernetes node directly to a container within a pod. While it might seem convenient for external access, it’s a risky practice that diminishes network isolation. A container bound to a hostPort can intercept traffic intended for the host or exploit vulnerabilities to gain deeper access to the node’s network stack.
Furthermore, hostPort creates scheduling constraints, as only one pod per node can use a given host port, leading to potential conflicts.
For external service exposure, Kubernetes Services (NodePort or LoadBalancer types) or Ingress resources are the preferred and more secure methods. They abstract network routing and avoid direct host port binding. Reserve hostPort for very specific, low-level system pods that genuinely require direct host network interaction, and use it with extreme caution.
Example to avoid:
ports:
- containerPort: 80
hostPort: 80
5. Avoid Sharing Host Namespaces
Pods can be configured to share host namespaces, specifically for network, PID (process), and IPC (inter-process communication). While this can be useful for certain system-level utilities, it shatters the isolation barrier between the container and the host.
hostNetwork: true: The pod directly uses the host’s network interface, allowing it to see and potentially sniff all host network traffic.hostPID: true: The container shares the host’s process ID space, enabling it to see and interact with all processes on the host. This can be used for information gathering or tampering.hostIPC: true: The pod shares the host’s inter-process communication namespace, potentially allowing access to shared memory segments used by host processes.
Sharing host namespaces significantly increases the risk of container escape and compromise. Unless you are deploying a dedicated system daemon (like a monitoring agent) that requires this level of access, these fields should be left as their default (false or unset). Kubernetes Pod Security Standards (Baseline and Restricted profiles) explicitly disallow sharing host namespaces for general workloads.
Example to avoid:
spec:
hostNetwork: true
hostPID: true
hostIPC: true
6. Drop Insecure Capabilities
Linux capabilities provide fine-grained permissions that a root user inside a container can possess. By default, containers run with a limited set of capabilities. However, explicitly adding powerful capabilities (e.g., SYS_ADMIN, NET_ADMIN) is dangerous, as they can enable container escapes or privilege escalation on the node.
The principle of least privilege dictates that you should drop all unnecessary capabilities and only add back what is strictly required. Kubernetes allows you to specify this in the securityContext.
Best Practice Example:
securityContext:
capabilities:
drop: ["ALL"]
add: ["NET_BIND_SERVICE"] # Example: allows binding to ports below 1024
The Kubernetes “Restricted” policy profile mandates dropping all capabilities and, at most, adding only a very limited, safe set. Many common web applications do not require any special Linux capabilities. Avoid adding capabilities like NET_RAW (packet manipulation) or SYS_ADMIN (broad system administration) which are easily abused.
7. Maintain AppArmor Profile Defaults
AppArmor is a Linux kernel security module that restricts what a container can do at the system level (e.g., file access, network access, capabilities). On AppArmor-enabled hosts, Kubernetes applies a runtime/default profile, which provides essential protections.
Running a pod with an unconfined AppArmor profile effectively disables these protections, increasing the potential damage if the container is compromised. It removes all AppArmor confinement, making it a significant security misconfiguration.
The best practice is to omit AppArmor annotations to allow the default profile to be applied, or explicitly set container.apparmor.security.beta.kubernetes.io/<container-name>: runtime/default. Never set it to unconfined. Kubernetes Pod Security policies recommend adhering to runtime defaults or specific allowed profiles.
Example to avoid:
metadata:
annotations:
container.apparmor.security.beta.kubernetes.io/my-container: unconfined
8. Do Not Override Non-Default /proc Mount
The /proc filesystem in Linux exposes process and kernel information. Container runtimes by default mask or hide certain sensitive paths within /proc to prevent containers from accessing host-specific details. Kubernetes’ procMount setting in the security context can be Default (the secure, masked behavior) or Unmasked.
Using procMount: Unmasked for your containers is strongly discouraged. An unmasked /proc can expose a wealth of host information, potentially leading to information leakage or aiding attackers in escalating privileges (e.g., by revealing host processes or allowing access to /proc/kcore).
The best practice is to always leave procMount as Default, which is also the behavior if you don’t specify it. The Pod Security “Restricted” standard requires that the /proc mask remains at its default for all containers.
Example to avoid:
securityContext:
procMount: Unmasked
9. Restrict Volume Types
Kubernetes supports various volume types, but not all offer the same level of security. Some can inadvertently expose your pod to risk. The Pod Security “Restricted” standard defines an allow-list of safe volume types, which typically do not directly mount the host’s filesystem in an insecure manner.
Allowed volume types include: ConfigMap, CSI, DownwardAPI, emptyDir, Ephemeral, PersistentVolumeClaim, Projected, and Secret. Volume types not on this list (e.g., hostPath, NFS, awsElasticBlockStore directly in a pod spec) are either inherently risky or should be managed through higher-level abstractions like PersistentVolumeClaims.
For example, hostPath volumes directly expose host directories (as discussed in point 3). Direct NFS mounts, while potentially less risky than hostPath, are better managed through the PersistentVolume subsystem to ensure proper isolation and security controls.
Always prefer using PersistentVolumeClaims (with appropriate StorageClasses) for persistent storage and ConfigMap/Secret for configuration. If your cluster uses the Pod Security Admission controller in restricted mode, it will automatically prevent pods from using disallowed volume types.
10. Avoid Custom SELinux Options
SELinux is a powerful Linux kernel security module that provides Mandatory Access Control (MAC) by labeling resources and defining access policies. By default, Kubernetes allows the container runtime to apply a default, confined SELinux context (e.g., container_t) to your containers.
Overriding this default SELinux context via the seLinuxOptions field in the securityContext can weaken isolation if done incorrectly. Altering SELinux labels to something more privileged (e.g., spc_t for super-privileged containers) or running with SELinux in permissive mode on the host could allow a compromised container to escape and access host files it shouldn’t.
The Kubernetes Pod Security Standards restrict SELinux options. The “Restricted” profile forbids custom SELinux users or roles and only allows specific, standard container types. Unless you have deep expertise in SELinux and a very specific, validated security requirement, you should generally omit seLinuxOptions and rely on the container runtime’s defaults.
Example to avoid:
securityContext:
seLinuxOptions:
user: system_u
role: system_r
type: spc_t # A highly privileged type, generally not recommended
11. Enable Seccomp Profile (RuntimeDefault)
Seccomp (secure computing mode) is a Linux kernel feature that filters system calls a process can make. While older runtimes might have defaulted to “unconfined” (no syscall filtering), newer Kubernetes versions and runtimes typically apply a default seccomp profile. Regardless, ensuring seccomp filtering is active is a critical defense.
Running a container with seccompProfile: type: Unconfined means it can make any system call it desires, significantly broadening the attack surface. The default seccomp profile, conversely, blocks numerous dangerous syscalls that applications rarely need (e.g., kernel module manipulation), which are often exploited in container breakouts.
The best practice is to explicitly set seccompProfile: type: RuntimeDefault or use a specific custom profile if you have one. The Kubernetes “Restricted” policy requires seccomp to be explicitly set to RuntimeDefault or a named profile, rather than Unconfined. This transparently adds a robust layer of defense against kernel vulnerabilities with minimal to no performance impact.
Example to avoid:
securityContext:
seccompProfile:
type: Unconfined
12. Exercise Caution with Unsafe Sysctls
Sysctls (system controls) are kernel parameters that allow dynamic modification of network, memory, and other system settings. Kubernetes categorizes sysctls as safe or unsafe. Safe sysctls are namespaced to the container or pod, meaning their effects are isolated. Unsafe sysctls, however, apply to the entire host kernel, potentially affecting all pods, compromising stability, or creating security vulnerabilities.
Enabling unsafe sysctls can disable crucial security mechanisms, negatively impact node stability, allow resource overconsumption, or even lead to kernel panics or privilege escalation. Kubernetes prevents pods from using unsafe sysctls by default unless explicitly allowed by a cluster administrator.
Stick to safe sysctls (e.g., net.ipv4.ip_local_port_range). The Pod Security Standards recommend disallowing all but an allowed safe subset of sysctls. If an application truly requires a specific kernel parameter, first verify if it’s namespaced and safe. If an unsafe sysctl is deemed absolutely necessary for a specialized workload, it requires careful cluster-level configuration and the workload should be highly isolated. For general applications, rely on default kernel settings.
Example to avoid:
securityContext:
sysctls:
- name: kernel.shmmax
value: "16777216"
(Note: kernel.shmmax is an unsafe sysctl as it affects the host kernel globally, not just the pod.)
Your Kubernetes Security Action Plan
By diligently applying these 12 Kubernetes security best practices, you can dramatically strengthen the security posture of your cluster. The overarching theme is the principle of least privilege: granting your pods only the precise access and capabilities they genuinely require to function, and nothing more.
Integrating these security checks into your development lifecycle and CI/CD pipelines is crucial for maintaining a hardened environment. Regular audits and adherence to community best practices will ensure your Kubernetes clusters remain secure against evolving threats.