Container and Kubernetes Security Best Practices

Container and Kubernetes security encompasses the policies, technical controls, and operational practices that govern the deployment, orchestration, and runtime behavior of containerized workloads. This page covers the structural components of container security, how Kubernetes-specific attack surfaces are managed, the scenarios in which container security controls become operationally critical, and the boundaries that distinguish this discipline from adjacent security domains such as cloud security and application security.

Definition and scope

Container security refers to the set of controls applied across the full lifecycle of a container image — from its base layer and build pipeline through registry storage, orchestration, and runtime execution. Kubernetes security extends that scope to include the orchestration platform itself: the API server, etcd key-value store, kubelet agents, role-based access control (RBAC) configurations, and network policies that govern inter-pod communication.

The scope distinction matters because containers and Kubernetes introduce at least 3 discrete threat surfaces that do not exist in traditional virtual machine environments:

1. Image supply chain — vulnerabilities embedded in base images or third-party packages before a container is ever deployed
2. Orchestration plane — misconfigurations in Kubernetes control plane components, including overly permissive RBAC bindings and exposed API endpoints
3. Runtime isolation — container escape vulnerabilities that allow processes to break out of the cgroup and namespace isolation provided by the Linux kernel

The National Institute of Standards and Technology addresses container security formally in NIST SP 800-190, Application Container Security Guide, which establishes a four-layer model: image risks, registry risks, orchestrator risks, and container risks. Federal civilian agencies subject to FISMA are expected to align container deployments with the controls enumerated in NIST SP 800-53, particularly the CM (Configuration Management) and SI (System and Information Integrity) control families.

Container and Kubernetes security intersects with DevSecOps practices, identity and access management, and vulnerability management, but maintains distinct tooling categories and threat models.

How it works

Container security controls operate across five sequential phases, each addressing a different exposure window:

1. Image hardening — Base images are scanned for known CVEs using tools that reference the NIST National Vulnerability Database (NVD). Minimal base images — such as distroless images that contain no shell or package manager — reduce the exploitable attack surface. Image signing via standards such as The Update Framework (TUF) and Notary v2 establishes cryptographic provenance.

2. Registry controls — Private registries enforce image pull policies that block unsigned or unscanned images from reaching production clusters. Access to push or pull images is governed through RBAC consistent with the principle of least privilege, aligned with guidance in NIST SP 800-190 §4.2.

3. Kubernetes RBAC and admission control — The Kubernetes API server authenticates every request. RBAC policies define which service accounts, users, or groups can perform which verbs (get, create, delete) on which resources. Admission controllers — particularly the built-in PodSecurity admission controller (which replaced the deprecated PodSecurityPolicy in Kubernetes 1.25) — enforce pod-level security standards: Privileged, Baseline, and Restricted profiles.

4. Network policies — Kubernetes NetworkPolicy objects define allowed ingress and egress traffic between pods and namespaces. Without explicit NetworkPolicy enforcement, all pods in a cluster can communicate with all other pods — a default that violates zero-trust principles documented in CISA's Zero Trust Maturity Model.

5. Runtime security monitoring — Runtime controls detect anomalous process execution, unexpected syscalls, or file system modifications inside running containers. The Linux kernel's seccomp (secure computing mode) and AppArmor profiles restrict the syscalls available to container processes, reducing the blast radius of a container compromise.

Secrets management represents a cross-cutting concern: Kubernetes Secrets objects are base64-encoded, not encrypted, by default. Encryption at rest for etcd — where Secrets are stored — requires explicit configuration and is governed by the provider's key management service.

Common scenarios

Container and Kubernetes security controls become operationally critical in at least 4 recurring operational scenarios:

Financial services and PCI DSS environments — Organizations processing cardholder data under PCI DSS v4.0 (published by the PCI Security Standards Council in 2022) must demonstrate that containerized payment applications meet network segmentation, access control, and logging requirements. Containers running card-processing workloads require namespace isolation, image integrity verification, and audit logging of API server activity.

Healthcare workloads and HIPAA — Container deployments handling protected health information (PHI) under 45 CFR Parts 160 and 164 must preserve data confidentiality and integrity controls equivalent to those in traditional environments. Encryption of etcd and Secrets at rest, combined with network policies that isolate PHI-handling pods, are standard control requirements.

Multi-tenant SaaS platforms — When a single Kubernetes cluster serves multiple customers, namespace isolation and RBAC misconfiguration become the primary breach vector. A cluster administrator binding a service account to the cluster-admin role — rather than a namespace-scoped role — exposes every tenant's workloads to that account's compromise.

CI/CD pipeline security — Build pipelines that construct and push container images represent a supply chain security risk. A compromised build stage can inject malicious layers into images that are subsequently deployed to production. Pipeline integrity controls include signed commits, hermetic builds, and SLSA (Supply-chain Levels for Software Artifacts) framework compliance, documented by the OpenSSF SLSA project.

Decision boundaries

Container and Kubernetes security is distinct from — but operationally connected to — adjacent disciplines. Understanding those boundaries determines which controls, tooling categories, and professional specializations apply.

Container security vs. VM security — Virtual machines provide hardware-level isolation through a hypervisor. Containers share the host OS kernel, making kernel vulnerability patching and seccomp/AppArmor profiles mandatory controls that have no direct VM equivalent. A CVE in the host kernel may affect all containers on that node simultaneously.

Kubernetes security vs. cloud infrastructure security — Kubernetes RBAC governs resources within the orchestration layer. Cloud IAM (e.g., AWS IAM, Azure AD, GCP IAM) governs access to the underlying infrastructure. Both layers require independent control — a Kubernetes namespace admin account does not automatically carry cloud-layer permissions, and vice versa. Cloud-native Kubernetes services (EKS, AKS, GKE) introduce managed control plane components where the cloud provider manages etcd and API server availability, but the customer retains responsibility for RBAC, network policies, and workload configuration.

Kubernetes security vs. service mesh security — Service meshes (such as Istio or Linkerd) provide mutual TLS (mTLS) between pods and traffic observability at Layer 7. This extends Kubernetes NetworkPolicy — which operates at Layer 3/4 — but does not replace it. Both operate within the zero-trust architecture model where no pod-to-pod communication is implicitly trusted.

Admission control vs. runtime security — Admission controllers enforce policy at the moment of resource creation and prevent non-compliant pods from being scheduled. Runtime security tools detect policy violations that occur after a pod is running — such as a shell spawned inside a production container or an unexpected outbound connection. The 2 controls are complementary, not substitutable.

Organizations assessing their posture across these boundaries typically reference the CIS Kubernetes Benchmark, published by the Center for Internet Security, which provides scored and unscored recommendations across API server configuration, etcd, kubelet settings, and pod security policies.

References

• NIST SP 800-190: Application Container Security Guide — National Institute of Standards and Technology
• NIST SP 800-53 Rev. 5: Security and Privacy Controls for Information Systems and Organizations — National Institute of Standards and Technology
• NIST National Vulnerability Database (NVD) — National Institute of Standards and Technology
• CISA Zero Trust Maturity Model — Cybersecurity and Infrastructure Security Agency
• CISA Known Exploited Vulnerabilities Catalog — Cybersecurity and Infrastructure Security Agency
• CIS Kubernetes Benchmark — Center for Internet Security
• OpenSSF SLSA Framework — Open Source Security Foundation
• PCI DSS v4.0 — PCI Security Standards Council
• 45 CFR Parts 160 and 164 (HIPAA Security Rule) — U.S. Department of Health and Human Services