Here is a convenient checklist summary of the security protections to review

for securing Kubernetes deployments during run-time. This list does not cover

the build phase vulnerability scanning and registry protection requirements.

PRE-PRODUCTION

❏ Use namespaces

❏ Restrict Linux capabilities

❏ Enable SELinux

❏ Utilize Seccomp

❏ Configure Cgroups

❏ Use R/O Mounts

❏ Use a minimal Host OS

❏ Update system patches

❏ Conduct security auditing and compliance checks with CIS benchmark tests

RUN-TIME

❏ Enforce isolation by application / service

❏ Inspect network connections for application attacks

❏ Monitor containers for suspicious process or file system activity

❏ Protect worker nodes from host privilege escalations, suspicious processes or

file system activity

❏ Capture packets for security events

❏ Quarantine or remediate compromised containers

❏ Scan containers & hosts for vulnerabilities

❏ Alert, log, and respond in real-time to security incidents

❏ Conduct security auditing and compliance checks with CIS benchmark tests

KUBERNETES SYSTEM

❏ Review all RBACs

❏ Protect the API Server

❏ Restrict Kubelet permissions

❏ Secure external ports

❏ Whitelist non-authenticated services

❏ Limit/restrict console access

❏ Monitor system container connections and processes in production