ReleaseRun · Kubernetes Security
5 Kubernetes Security Mistakes That Expose Your Cluster
Each one is on the OWASP Kubernetes Top 10. Each one is still common in 2026.
Mistake 1 / 5
Missing securityContext
Without it, containers run as root with full Linux capabilities. A container escape gives an attacker root on the node.
```yaml
securityContext:
  runAsNonRoot: true
  runAsUser: 10001
  allowPrivilegeEscalation: false
  readOnlyRootFilesystem: true
  capabilities:
    drop: ["ALL"]
```
✓ Add securityContext to every container spec
Mistake 2 / 5
ClusterRoleBinding to cluster-admin
A service account with cluster-admin can read all secrets, modify any pod, and delete namespaces. One compromised pod = full cluster access.
```yaml
# Use a namespace-scoped Role, not a ClusterRole
# Grant only the verbs your app actually needs:
rules:
- apiGroups: [""]
  resources: ["configmaps"]
  verbs: ["get", "list"]   # not "*"
```
✓ Principle of least privilege: scope everything
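A manifest-level check for Mistakes 1 and 2, added here as an example (not code from the page or from ReleaseRun): it walks manifests already parsed into dicts, as `yaml.safe_load` would return them, and flags containers without the hardened securityContext shown above as well as RBAC objects that bind a service account to cluster-admin or use wildcard verbs or resources. The sample manifests are constructed.

```python
# Audit parsed Kubernetes manifests for Mistakes 1 and 2 (constructed example).
WORKLOADS = ("Pod", "Deployment", "StatefulSet", "DaemonSet", "Job")
def pod_spec(doc):
    # A Pod carries its spec directly; workloads wrap it in a pod template.
    return doc["spec"] if doc["kind"] == "Pod" else doc["spec"]["template"]["spec"]
def check_security_context(spec):
    # Mistake 1: flag containers missing the hardening settings shown on the page.
    findings = []
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        sc = c.get("securityContext") or {}
        if sc.get("runAsNonRoot") is not True:
            findings.append(f"{c['name']}: runAsNonRoot is not true")
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append(f"{c['name']}: allowPrivilegeEscalation is not false")
        if "ALL" not in (sc.get("capabilities") or {}).get("drop", []):
            findings.append(f"{c['name']}: capabilities are not dropped")
    return findings

def check_rbac(docs):
    # Mistake 2: flag service accounts bound to cluster-admin and wildcard rules.
    findings = []
    for d in docs:
        name = d["metadata"]["name"]
        if d["kind"] == "ClusterRoleBinding" and d["roleRef"]["name"] == "cluster-admin":
            for s in d.get("subjects", []):
                if s["kind"] == "ServiceAccount":
                    findings.append(f"ClusterRoleBinding {name}: {s['namespace']}/{s['name']} is cluster-admin")
        if d["kind"] in ("Role", "ClusterRole"):
            for rule in d.get("rules", []):
                if "*" in rule.get("verbs", []) or "*" in rule.get("resources", []):
                    findings.append(f"{d['kind']} {name}: wildcard verbs or resources")
    return findings

def audit(docs):
    # Run both checks over every manifest and return the combined findings.
    findings = []
    for d in docs:
        if d["kind"] in WORKLOADS:
            findings += [f"{d['kind']} {d['metadata']['name']}: {f}" for f in check_security_context(pod_spec(d))]
    return findings + check_rbac(docs)
# Constructed sample manifests, shaped as yaml.safe_load would return them.
HARDENED = {"runAsNonRoot": True, "runAsUser": 10001, "allowPrivilegeEscalation": False,
            "readOnlyRootFilesystem": True, "capabilities": {"drop": ["ALL"]}}
SAMPLE = [
    {"kind": "Deployment", "metadata": {"name": "web"}, "spec": {"template": {"spec": {"containers": [{"name": "app", "image": "registry.io/app/web:1.0"}]}}}},
    {"kind": "Deployment", "metadata": {"name": "api"}, "spec": {"template": {"spec": {"containers": [{"name": "api", "image": "registry.io/app/api:1.0", "securityContext": HARDENED}]}}}},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "ci-admin"}, "roleRef": {"name": "cluster-admin"}, "subjects": [{"kind": "ServiceAccount", "name": "ci", "namespace": "build"}]},
    {"kind": "Role", "metadata": {"name": "cm-reader"}, "rules": [{"apiGroups": [""], "resources": ["configmaps"], "verbs": ["get", "list"]}]},
]
```

`audit(SAMPLE)` returns three securityContext findings for the `web` deployment and one for the `ci-admin` binding; the hardened `api` deployment and the namespace-scoped `cm-reader` Role produce none.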
Mistake 3 / 5
Flat cluster networking
With no NetworkPolicy, any pod can talk to any other pod. A compromised frontend can reach your database directly. Default-deny stops lateral movement.
```yaml
kind: NetworkPolicy
spec:
  podSelector: {}
  policyTypes: ["Ingress", "Egress"]
# Then whitelist only what needs to talk to what
```
✓ Start with default-deny in every namespace
⚠ Requires a CNI that enforces NetworkPolicy, such as Calico or Cilium; Flannel alone does not
Mistake 4 / 5
Secrets leaked via kubectl describe
Environment variables from Kubernetes Secrets appear in plain text in `kubectl describe pod`. Anyone with read access to pods sees your DB password.
```yaml
# Mount the Secret as a volume instead of exposing it through env:
# Or: External Secrets Operator + Vault / AWS Secrets Manager
# At minimum: limit who can `kubectl describe pods`
# in production namespaces
```
✓ Use ESO or Vault Agent sidecar injector
Mistake 5 / 5
No image signature verification
Pulling images by digest prevents tag mutation attacks. Without Sigstore/Cosign and Kyverno policy, anyone who can push to your registry can ship malicious code.
```yaml
kind: ClusterPolicy   # Kyverno
spec:
  rules:
  - name: verify-image
    verifyImages:
    - imageReferences: ["registry.io/app/*"]
      attestors:
      - entries:
        - keyless:
            subject: "ci@your-org.com"
            # keyless verification also pins the OIDC issuer of your CI
```
✓ Cosign sign + Kyverno verify in every pipeline