Container Security

EKS, AKS, GKE — securing managed Kubernetes and cloud-native container deployments

Cloud Security: AWS Security Azure Security GCP Security Multi-Cloud Container Security Serverless Security
← Multi-Cloud Serverless Security →
⏱ 9 min read 📊 Intermediate 🗓 Updated Jan 2025

☕ Managed Kubernetes Security Model

EKS, AKS, and GKE shift control plane management to the cloud provider — patching, etcd backups, and API server availability are handled for you. But the customer responsibility footprint remains substantial: node group OS hardening, workload security, RBAC configuration, and network policy enforcement are all yours.

FeatureEKS (AWS)AKS (Azure)GKE (GCP)
Control Plane Access Private endpoint or public with IP allowlist; API server logs to CloudWatch Private cluster option; API server authorized IP ranges; Microsoft-managed Private cluster option; Master Authorized Networks; Google-managed; GKE Autopilot option
RBAC Defaults RBAC enabled; maps to AWS IAM via aws-auth ConfigMap (now Access Entries API) RBAC enabled; Entra ID integration for Azure RBAC; local accounts can be disabled RBAC enabled; Google Groups for RBAC; Workload Identity built-in; Autopilot restricts further
Node Auto-Upgrade Managed node groups support; requires opt-in; launch templates complicate it Auto-upgrade channels (stable, rapid, patch); maintenance windows configurable Auto-upgrade enabled by default; release channels (stable, regular, rapid)
Built-in Monitoring CloudWatch Container Insights; GuardDuty for EKS; optional Azure Monitor for containers; Defender for Containers; Microsoft Sentinel integration Cloud Monitoring integration; Container Threat Detection (SCC Premium); native eBPF-based

🔒 Kubernetes RBAC & Pod Security

Kubernetes RBAC and Pod Security are the two primary mechanisms for enforcing least privilege in a cluster. Misconfigured RBAC — especially wildcard permissions or cluster-admin bindings for application service accounts — is the most common Kubernetes security finding.

RBAC Design Principles

  • Never bind cluster-admin to application service accounts
  • Use namespace-scoped Roles rather than ClusterRoles where possible
  • Create dedicated service accounts per workload (never use default SA)
  • Disable service account token auto-mounting for pods that don't need it
  • Audit RBAC with tools: kubectl-who-can, rakkess, rbac-lookup
  • Use kubectl auth can-i --list to review effective permissions

Pod Security Standards

Pod Security Standards (PSS) replaced PodSecurityPolicy in Kubernetes 1.25. They define three profiles enforced by a built-in admission controller.

  • Privileged: unrestricted — only for system components
  • Baseline: prevents known privilege escalations; reasonable for most workloads
  • Restricted: hardened; requires runAsNonRoot, drops all capabilities, enforces seccomp
  • Apply via namespace labels: pod-security.kubernetes.io/enforce: restricted
  • OPA/Gatekeeper and Kyverno extend PSS with custom policy logic

Secure Pod Spec Example

apiVersion: v1
kind: Pod
metadata:
  name: secure-app
  namespace: production
spec:
  serviceAccountName: app-service-account
  automountServiceAccountToken: false  # Disable if pod doesn't call K8s API
  securityContext:
    runAsNonRoot: true
    runAsUser: 10001
    runAsGroup: 10001
    fsGroup: 10001
    seccompProfile:
      type: RuntimeDefault  # Apply seccomp filtering at pod level
  containers:
  - name: app
    image: registry.example.com/myapp:v1.2.3@sha256:abc123...  # Pin by digest
    securityContext:
      allowPrivilegeEscalation: false
      readOnlyRootFilesystem: true
      capabilities:
        drop:
          - ALL       # Drop all Linux capabilities
        add:
          - NET_BIND_SERVICE  # Add back only what's needed
    resources:
      limits:
        cpu: "500m"
        memory: "256Mi"
      requests:
        cpu: "100m"
        memory: "128Mi"
    volumeMounts:
    - name: tmp-dir
      mountPath: /tmp  # Writable /tmp since rootfs is read-only
  volumes:
  - name: tmp-dir
    emptyDir: {}

📷 Container Image Security in Cloud

Securing the container supply chain begins at the registry. Cloud-native container registries provide vulnerability scanning, image signing, and policy enforcement to ensure only trusted, vulnerability-free images reach production clusters. Supply chain attacks (SolarWinds, XZ Utils) have made image provenance a top-tier security concern.

Cloud Registry Security

  • AWS ECR: Enhanced Scanning via Inspector v2 (Snyk-powered); scan on push; OS + language packages
  • Azure ACR: Microsoft Defender for Containers; scans both on push and continuously for new CVEs
  • GCP Artifact Registry: Artifact Analysis (On-Demand Scanning); continuous scanning with new CVE database updates
  • Enable scan-on-push policies — block deployments if critical CVEs present
  • Enforce tag immutability — prevent tag reassignment that can slip bad images through

Image Signing & Supply Chain

  • Sigstore/Cosign: open standard for keyless image signing using OIDC identity; growing adoption
  • Notary v2: CNCF standard for signing OCI artifacts; used by AWS Signer integration
  • SLSA framework: supply chain levels for software artifacts — provenance attestation
  • SBOM (Software Bill of Materials): generate and attest SBOMs in CI; Syft + Grype
  • Scan third-party base images before using; prefer distroless or scratch-based images
  • Dependency pinning: pin base image digests in Dockerfiles, not floating tags

🌐 Kubernetes Networking Security

By default, Kubernetes allows unrestricted pod-to-pod communication — any pod can reach any other pod in the cluster. NetworkPolicy resources enforce traffic segmentation at the pod level, while service meshes add mutual TLS authentication for east-west traffic between microservices.

NetworkPolicy Best Practices

  • Start with a default-deny-all policy in every namespace
  • Allow traffic only on required ports between specific pod selectors
  • Separate ingress and egress policies; don't forget DNS (UDP/TCP 53 to CoreDNS)
  • Use Cilium or Calico for NetworkPolicy enforcement (CNI must support it)
  • Cilium: eBPF-based; supports L7 HTTP/gRPC policy rules beyond IP/port
  • Test policies with kubectl-netpol or Inspektor Gadget

Service Mesh Security (Istio)

A service mesh provides automatic mutual TLS (mTLS) between all microservices, eliminating the need for applications to implement transport security themselves.

  • mTLS: both sides present certificates — prevents impersonation between services
  • PeerAuthentication: enforce STRICT mTLS in a namespace
  • AuthorizationPolicy: allow only specific service accounts to call specific methods
  • Envoy sidecar handles all traffic — transparent to application code
  • Ambient mode (Istio 1.18+): eBPF-based, no sidecar injection needed

Cloud-Specific CNI Features

  • AWS VPC CNI: security groups for pods — apply EC2 security groups directly to individual pods
  • AKS Azure CNI: pods get VNet IPs; Azure NSGs apply to pod traffic natively
  • GKE Dataplane V2: eBPF-based with built-in NetworkPolicy enforcement via Cilium
  • Private cluster API servers: no public endpoint for the Kubernetes API
  • Use Private Service Connect / PrivateLink for Ingress without public IPs

🔐 Secrets & Runtime Security

Kubernetes Secrets are a persistent source of risk. They are base64-encoded (not encrypted) in etcd by default, and any pod with the right RBAC can read them. Runtime security tools like Falco detect suspicious behavior inside running containers — the last line of defense when everything else fails.

Secrets Management

  • Enable etcd encryption at rest using the Kubernetes EncryptionConfiguration API
  • External Secrets Operator (ESO): syncs from Vault, AWS SSM/Secrets Manager, Azure Key Vault, GCP Secret Manager into K8s Secrets
  • Secrets Store CSI Driver: mount secrets from external vaults as files without creating K8s Secret objects
  • Avoid storing secrets in ConfigMaps, environment variables, or Docker images
  • Rotate secrets automatically; ESO handles sync on rotation

Falco Runtime Security

Falco is the de facto standard for Kubernetes runtime threat detection. It uses eBPF or kernel module to observe system calls and generates alerts when container behavior deviates from expected patterns.

  • Detects: shell spawned in container, write to /etc, network tool execution
  • Container drift: execution of a binary not present in the original image
  • Privilege escalation attempts, sensitive file reads, outbound C2 connections
  • Falcosidekick: route alerts to Slack, PagerDuty, SIEM, S3
  • Talon (Falco response engine): auto-kill offending pods on rule match

Cloud-Native Runtime Detection

  • GuardDuty for EKS: analyzes EKS audit logs and runtime activity for K8s-specific threats
  • Microsoft Defender for Containers: integrates with AKS for runtime threat detection + image scanning
  • GCP Container Threat Detection: eBPF-based; detects added binary executed, reverse shell, cryptocurrency mining
  • These managed services require no Falco deployment — useful as baseline or complement

etcd Encryption Configuration

apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets
      - configmaps
    providers:
      - aescbc:
          keys:
            - name: key1
              secret: <base64-encoded-32-byte-key>
      - identity: {}

Kubernetes Secrets Are Not Encrypted by Default

In most managed Kubernetes clusters — including EKS and AKS — etcd is not configured with an encryption provider by default. This means Kubernetes Secrets are stored as base64-encoded plaintext in etcd. Anyone with etcd access (or an etcd backup file) can read all cluster secrets. Enable the EncryptionConfiguration with a KMS provider (AWS KMS, Azure Key Vault, GCP KMS) to encrypt secrets at rest in etcd.

EKS AKS GKE RBAC Pod Security Falco NetworkPolicy Sigstore ESO
← Multi-Cloud Serverless Security →