The Fundamentals of Kubernetes Security

Cody Queen - April 17, 2024

What is Kubernetes security?

Kubernetes security is the application of techniques and processes to protect cloud-native applications running on Kubernetes (also known as K8s) from vulnerabilities or malicious actors.

Kubernetes is an open-source container orchestration platform designed to enhance the scalability and reliability of cloud-native applications. Its robust feature set and ease of integration have made it the go-to choice for small startups looking to compete in a global market and for large enterprises like Spotify and Major League Baseball that need to serve a worldwide audience.

However, unlocking the full potential of K8s requires reliance on containers and microservices operating in the cloud, which come with their own unique security considerations. Understanding the common Kubernetes security issues and overcoming their challenges is the first step toward enhancing an application’s overall cloud security posture.

Common Kubernetes security issues

A typical Kubernetes cluster is made up of:

  • The control plane: This is the brain of the K8s cluster. It exposes the Kubernetes API, schedules resource allocation and provisioning, and responds to events within the cluster.
  • Nodes: This is where the work gets done within the K8s cluster, housing and manipulating data as the application demands. Each node runs one or more pods, the smallest deployable units, which work in concert.

These two elements of the Kubernetes cluster make up a significant portion of the overall Kubernetes attack surface. The application itself can introduce additional security vulnerabilities through flawed code and out-of-date libraries. Additionally, because Kubernetes can be hosted in many different environments, the hosting platform itself becomes part of the attack surface.

For example, if an organization deploys a Kubernetes cluster to the public cloud, it must be aware of any potential security vulnerabilities the platform is known for and limit access to the cluster as much as possible.

Understanding where these threats come from is vital to enhancing Kubernetes security. According to the CrowdStrike 2024 Global Threat Report, there was a 75% increase in cloud intrusions in 2023, forcing businesses to adapt their security stance to meet this increased threat.

Common Kubernetes security issues include the following, and they must be addressed along with other common cloud security vulnerabilities:

  • Misconfigurations that bring security settings out of alignment or unintentionally expose sensitive information
  • Unsecured or unauthorized containers
  • Unauthorized access to the Kubernetes dashboard
  • Unauthorized access to API requests or network ports
  • Improper configuration of external tools
  • Improperly configured identity and access management policies

Kubernetes security incidents

Failure to properly secure K8s clusters and surrounding infrastructure can lead to devastating consequences for application data and operating revenue. The following are a few high-profile examples of recent Kubernetes security breaches.

  • February 2018: Hackers access an unsecured Kubernetes administration console in a car maker’s cloud accounts. Once they gained access, they installed malware to begin mining cryptocurrency within its infrastructure. The hack also exposed sensitive proprietary telemetry data.
  • July 2019: A firewall misconfiguration exposes a financial organization’s K8s clusters to the public internet, resulting in a breach that stole 30GB of credit application data.
  • August 2023: Researchers discover that K8s clusters belonging to over 350 organizations were unsecured and accessible to the public due to two misconfigurations. The list of organizations included large Fortune 500 companies as well as small businesses and individual projects.
  • January 2024: Researchers find that a misunderstanding of user access permission groups within Google Kubernetes Engine creates a security loophole that potentially exposes millions of containers to any user with a Google Account. A Nasdaq-listed company was named as one of the organizations exposed by this misconfiguration.

Kubernetes security posture management fundamentals

Developers must consider the entire Kubernetes life cycle when attempting to bolster the security posture of cloud-native applications. There are two main areas to consider:

  • Before the Kubernetes cluster: As Kubernetes relies on container images, you must ensure the containers are secure before they enter the cluster. Making image scanning a part of the continuous integration/continuous delivery (CI/CD) pipeline ensures that containers are properly configured and updated with the latest security patches and won’t introduce malware or other security vulnerabilities into the K8s cluster.
  • Inside the Kubernetes cluster: Several areas within the cluster must be secured to mitigate the risk of malicious activity or unintentional data exposure.
    • The control plane: Cluster state, including all control plane resources, is stored in etcd, so etcd should be reachable only through the Kubernetes API by clients holding the proper permissions.
    • The Kubernetes API: The API is the method external users will employ to access the control plane, so limiting access to authorized users is vital. Use OpenID Connect (OIDC) providers to secure K8s cluster access and use role-based access control (RBAC) to designate access control specifications for every Kubernetes object and namespace. You can also employ Kubernetes admission controllers to monitor and regulate requests aimed at the Kubernetes API server to ensure unauthorized API calls don’t make it into your K8s cluster.
    • Networking: Configuring network policies allows Kubernetes to create firewall-like rules that prevent unauthorized access to, or data transfer between, pods.
    • Nodes: Kubelets send communications between the control plane and the container engine that powers the workload within the nodes. Effectively securing kubelets requires configuring and monitoring the communication between the Kubernetes API and the kubelet and communication between the kubelet and the container engine.
    • The container and runtime: Vulnerabilities such as misconfigurations, zero-day exploits, privilege escalations, and malware can appear in deployed containers. Implementing Kubernetes security tools like CrowdStrike Falcon® Cloud Security ensures all aspects of the container are monitored and secured as it is deployed.
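The RBAC and network-policy controls described above, as an added example that is not part of the original article: a namespace-scoped read-only Role bound to an OIDC group, a default-deny NetworkPolicy, and a single allow rule on top of it. The namespace "payments", the group name "oidc:payments-oncall" and the app labels are assumed.

```yaml
# Namespace-scoped Role: read-only access to pods and their logs in "payments".
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: payments
  name: pod-reader
rules:
  - apiGroups: [""]
    resources: ["pods", "pods/log"]
    verbs: ["get", "list", "watch"]
---
# Bind the Role to a group claim from the OIDC provider (group name is assumed).
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  namespace: payments
  name: oncall-pod-reader
subjects:
  - kind: Group
    name: "oidc:payments-oncall"
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
---
# Default deny: no ingress or egress for any pod in "payments" unless another policy allows it.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  namespace: payments
  name: default-deny-all
spec:
  podSelector: {}
  policyTypes: ["Ingress", "Egress"]
---
# Allow only what the application needs: "api" pods may reach "db" pods on TCP 5432.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  namespace: payments
  name: allow-api-to-db
spec:
  podSelector: {matchLabels: {app: db}}
  policyTypes: ["Ingress"]
  ingress:
    - from:
        - podSelector: {matchLabels: {app: api}}
      ports:
        - {protocol: TCP, port: 5432}
```

Because the default-deny policy also blocks egress, the "api" pods additionally need an egress policy permitting TCP 5432 to the "db" pods (and UDP/TCP 53 to cluster DNS) before the connection succeeds; network policies are only enforced when the cluster's CNI plugin supports them.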

In addition to securing the K8s life cycle, collecting and maintaining Kubernetes logs will allow you to troubleshoot performance bottlenecks, identify security gaps, and investigate breaches if they occur. Using CrowdStrike® Falcon Next-Gen SIEM will significantly improve visibility into your Kubernetes clusters and enhance your ability to respond to incidents.

Kubernetes security tools

Some of the most common Kubernetes security tools include:

  • Falcon Cloud Security: Falcon Cloud Security provides comprehensive security capabilities for Kubernetes environments, helping organizations protect their containerized workloads, detect and respond to threats effectively, and maintain compliance with regulatory requirements.
  • Falco: Falco is an open-source Kubernetes security tool originally designed by Sysdig to detect abnormal behavior in containerized applications. It uses runtime metrics and system calls to identify potential security threats, providing real-time alerts and visibility into Kubernetes clusters.
  • Falco Sidekick: Falco Sidekick is an open-source companion tool for Falco that extends its capabilities for handling alerts and notifications. It integrates with various communication channels, such as Slack and email, to provide real-time alerts and notifications for security events detected by Falco.
  • Kubernetes CIS Benchmarks: CIS Benchmarks provide guidelines for securing Kubernetes deployments. Various open-source tools, such as kube-bench, can automate the assessment of Kubernetes clusters against these benchmarks, helping to ensure compliance and adherence to security best practices.
  • Kube-hunter: Kube-hunter is an open-source penetration testing tool specifically designed for Kubernetes environments. It identifies potential security vulnerabilities and misconfigurations within Kubernetes clusters, helping organizations proactively address security risks.
  • Kube-bench: Kube-bench is an open-source tool that checks Kubernetes deployments against the CIS Kubernetes Benchmark. It automates the process of benchmark checks, providing organizations with insights into potential security misconfigurations and areas for improvement.
  • Kyverno: Kyverno is an open-source Kubernetes-native policy engine used for enforcing security policies and best practices. It allows organizations to define and enforce policies across Kubernetes resources, ensuring compliance, security, and operational consistency within the cluster.
  • OPA/Gatekeeper: Open Policy Agent (OPA) with Gatekeeper is an open-source policy enforcement engine for Kubernetes. It enables organizations to define and enforce policies for resource configurations and access control, ensuring compliance and security across Kubernetes deployments.
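As an added example of the policy enforcement the Kyverno entry describes (written for this article, not taken from it or from the Kyverno project): a ClusterPolicy that rejects any pod requesting a privileged container, one of the container misconfigurations discussed earlier. The policy name and message text are assumptions.

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disallow-privileged-containers   # assumed policy name
spec:
  # Enforce: admission requests that violate the rule are rejected.
  # Use Audit instead to only report violations while rolling the policy out.
  validationFailureAction: Enforce
  # Also evaluate existing pods, so resources created before the policy show up as violations.
  background: true
  rules:
    - name: privileged-containers
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        message: >-
          Privileged containers are not allowed. Leave
          securityContext.privileged unset or set it to false.
        # =(field) is a conditional anchor: the check applies only when the
        # field is present, so pods that omit securityContext still pass.
        pattern:
          spec:
            =(initContainers):
              - =(securityContext):
                  =(privileged): "false"
            containers:
              - =(securityContext):
                  =(privileged): "false"
```

Pods submitted through the API server with privileged: true are rejected at admission, while existing violations are listed in Kyverno's PolicyReport resources for follow-up.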

How CrowdStrike can help

Kubernetes offers robust scalability and processing capabilities, but its complexity brings numerous challenges to improving security. Even a simple misconfiguration can accidentally expose sensitive data to the public, so developers must monitor all aspects of the K8s life cycle for potential vulnerabilities.

Kubernetes is also an extremely flexible platform, allowing third-party integration with tools that will enhance your security posture through automated scanning and alert mechanisms. Integrating Kubernetes security tools that run alongside your K8s workloads is crucial to maximizing security.

CrowdStrike Falcon® Cloud Security delivers containers, Kubernetes, and host protection from build to runtime in AWS, Azure, and Google Cloud while ensuring security in every step of the CI/CD pipeline.

Senior Product Marketing Manager, Cloud Security, CrowdStrike