EdgeServers Blog

The CIS-aligned Kubernetes security baseline we ship on day one

May 20, 2026 · 1 min read · by Sudhanshu K.

Most Kubernetes clusters in production weren't hardened — they were deployed. Default settings, default service account permissions, no admission policies, no network policies, no audit log. They work. They also pass a basic pen test in about 12 minutes.

This is the security baseline we ship on day one for every cluster we manage. CIS Kubernetes Benchmark aligned, but pragmatic.

Pod Security Standards in restricted mode

apiVersion: v1
kind: Namespace
metadata:
  name: workloads
  labels:
    pod-security.kubernetes.io/enforce: "restricted"
    pod-security.kubernetes.io/audit: "restricted"
    pod-security.kubernetes.io/warn: "restricted"

The restricted profile rejects pods that run as root, allow privilege escalation, use host networking, or do not set seccompProfile to RuntimeDefault. For the small minority of workloads that genuinely need elevated privileges (a CSI driver, a CNI agent), we place them in a separate namespace labelled with the privileged profile and treat that namespace's contents as part of the cluster TCB.
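The following is an added example, not EdgeServers' code: an offline lint that checks a Pod manifest against the four restricted-profile rules named above (root, privilege escalation, host networking, seccomp) before it ever reaches the admission controller, so a CI step can fail early with a readable reason instead of a cluster rejection. The two manifests are constructed samples; the real Pod Security Admission enforces more than this subset (capabilities, volume types, hostPID/hostIPC, and so on), so this complements rather than replaces the namespace label.

```python
"""Pre-admission lint for the subset of Pod Security Standards 'restricted'
rules discussed in the post. Added example, not EdgeServers' code."""
from typing import Any

# Constructed sample: the shape of a manifest that passes 'restricted'.
COMPLIANT_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "api", "namespace": "workloads"},
    "spec": {
        "securityContext": {
            "runAsNonRoot": True,
            "seccompProfile": {"type": "RuntimeDefault"},
        },
        "containers": [
            {
                "name": "api",
                "image": "registry.example/api:1.2.3",
                "securityContext": {"allowPrivilegeEscalation": False},
            }
        ],
    },
}

# Constructed sample: a "just deployed" manifest with default settings.
DEFAULTS_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "legacy", "namespace": "workloads"},
    "spec": {
        "hostNetwork": True,
        "containers": [{"name": "app", "image": "registry.example/app:latest"}],
    },
}


def _effective(pod_sc: dict, ctr_sc: dict, key: str) -> Any:
    """A container-level securityContext field overrides the pod-level one."""
    if key in ctr_sc:
        return ctr_sc[key]
    return pod_sc.get(key)


def restricted_violations(pod: dict) -> list[str]:
    """Return human-readable reasons the pod would fail the named rules."""
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext") or {}
    problems: list[str] = []

    # Host networking is forbidden by baseline, and restricted includes baseline.
    if spec.get("hostNetwork"):
        problems.append("spec.hostNetwork must not be true")

    containers = list(spec.get("initContainers", [])) + list(spec.get("containers", []))
    for ctr in containers:
        name = ctr.get("name", "<unnamed>")
        ctr_sc = ctr.get("securityContext") or {}

        # Run as root: runAsUser must not be 0 and runAsNonRoot must be true.
        if _effective(pod_sc, ctr_sc, "runAsUser") == 0:
            problems.append(f"{name}: runAsUser=0 (root)")
        if _effective(pod_sc, ctr_sc, "runAsNonRoot") is not True:
            problems.append(f"{name}: runAsNonRoot must be true")

        # Privilege escalation must be explicitly disabled per container.
        if ctr_sc.get("allowPrivilegeEscalation") is not False:
            problems.append(f"{name}: allowPrivilegeEscalation must be false")

        # Seccomp: RuntimeDefault or Localhost, set at pod or container level.
        seccomp = _effective(pod_sc, ctr_sc, "seccompProfile") or {}
        if seccomp.get("type") not in ("RuntimeDefault", "Localhost"):
            problems.append(
                f"{name}: seccompProfile.type must be RuntimeDefault or Localhost"
            )

    return problems


if __name__ == "__main__":
    for pod in (COMPLIANT_POD, DEFAULTS_POD):
        found = restricted_violations(pod)
        status = "OK" if not found else "REJECT"
        print(f"{pod['metadata']['name']}: {status}")
        for reason in found:
            print(f"  - {reason}")
```

Feeding the manifests in as parsed dictionaries keeps the check independent of any YAML library; in a pipeline you would `yaml.safe_load` each document and fail the job when the returned list is non-empty.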

The full write-up covers:

  • Kyverno policies as code — and why we prefer it over OPA Gatekeeper
  • Required image signatures verified at admission time via Cosign keyless
  • Default-deny NetworkPolicies — the opt-in connectivity model
  • Audit policy: capture everything important, alert on the right things
  • ServiceAccount tokens: disabling default auto-mounting, purpose-specific SAs
  • etcd encryption at rest with proper key rotation

We deploy this baseline on day one for every managed Kubernetes customer.
