Kubernetes Security Checklist for Regulated Workloads

Introduction

Running regulated workloads on Kubernetes—whether subject to HIPAA, PCI-DSS, SOC 2, or other compliance frameworks—requires a comprehensive security strategy. Kubernetes provides many security primitives, but configuring them correctly and maintaining compliance across clusters is challenging.

This checklist maps Kubernetes security controls to common compliance requirements, providing a practical guide for security teams and platform engineers deploying regulated workloads.

Pod Security Standards

Pod Security Standards (PSS) replace the deprecated Pod Security Policies with three profiles: Privileged, Baseline, and Restricted. For regulated workloads, use Restricted or Baseline with additional policies.

Restricted Profile Requirements

• Containers must not run as root (runAsNonRoot: true)
• Read-only root filesystems (readOnlyRootFilesystem: true)
• Drop all capabilities and only add specific ones if needed
• Disallow privilege escalation (allowPrivilegeEscalation: false)
• Restrict volume types (no hostPath, hostNetwork, etc.)

Implementation

apiVersion: v1
kind: Namespace
metadata:
  name: production
  labels:
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/audit: restricted
    pod-security.kubernetes.io/warn: restricted

RBAC and Access Control

Principle of Least Privilege

Implement Role-Based Access Control (RBAC) with minimal necessary permissions:

• Create namespaced Roles instead of ClusterRoles when possible
• Use RoleBindings to grant permissions to specific users or service accounts
• Avoid wildcard permissions (*) in production
• Regularly audit RBAC configurations for unused or excessive permissions

Service Account Security

• Create dedicated service accounts for each application
• Disable automatic mounting of default service account tokens
• Use token volume projection for short-lived tokens
• Implement OIDC integration for cloud provider authentication

Network Security

Network Policies

Network Policies enforce network segmentation and prevent lateral movement:

• Default deny-all ingress and egress policies
• Explicitly allow required communication between pods
• Restrict egress to external networks (use allowlists)
• Implement namespace-level isolation

Service Mesh

Consider Istio or Linkerd for advanced network security features:

• mTLS for service-to-service communication
• Traffic encryption and authentication
• Fine-grained access control policies
• Audit logging for compliance

Supply Chain Security

Image Scanning

Scan container images for vulnerabilities before deployment:

• Integrate scanning into CI/CD pipelines
• Use tools like Trivy, Snyk, or Clair
• Block deployments with critical vulnerabilities
• Maintain a vulnerability database and update regularly

Image Signing and Verification

Implement image signing with Cosign and verify signatures at admission time:

• Sign images during CI/CD build process
• Use Kubernetes admission controllers to verify signatures
• Reject unsigned or tampered images
• Maintain signing key security and rotation

SBOM Generation

Generate Software Bill of Materials (SBOM) for all container images to track dependencies and comply with supply chain security requirements.

Runtime Protection

Falco

Use Falco for runtime threat detection and response:

• Detect anomalous behavior and security violations
• Monitor system calls and file access
• Alert on policy violations
• Integrate with SIEM systems for compliance reporting

Admission Controllers

Use admission controllers to enforce policies before resources are created:

• OPA Gatekeeper for policy enforcement
• Kyverno for Kubernetes-native policies
• Pod Security Standards admission controller
• Image verification admission controllers

Secrets Management

External Secrets

Avoid storing secrets in Kubernetes Secrets (base64 encoded, not encrypted). Use external secret management:

• AWS Secrets Manager / Parameter Store
• Azure Key Vault
• HashiCorp Vault
• Google Secret Manager

Encryption at Rest

Enable encryption at rest for etcd and persistent volumes:

• Use encrypted storage classes
• Enable etcd encryption (where supported by managed services)
• Encrypt secrets in etcd using encryption configuration

Compliance Framework Mapping

HIPAA

• Encrypt data in transit (TLS/mTLS)
• Encrypt data at rest
• Implement access controls and audit logging
• Maintain audit trails for all access to PHI
• Regular security assessments

PCI-DSS

• Network segmentation (Network Policies)
• Strong access controls (RBAC)
• Regular vulnerability scanning
• Encryption of cardholder data
• Security monitoring and logging

SOC 2

• Access controls and authentication
• Change management processes
• Monitoring and alerting
• Incident response procedures
• Regular security assessments

Audit Logging

Enable comprehensive audit logging for compliance:

• Enable Kubernetes audit logging
• Log all API server requests
• Forward logs to centralized SIEM
• Retain logs according to compliance requirements
• Monitor for suspicious activities

Security Checklist Summary

Conclusion

Securing Kubernetes for regulated workloads requires a defense-in-depth approach combining pod security, network policies, supply chain security, and runtime protection. This checklist provides a starting point, but security is an ongoing process requiring regular assessment and updates.

Remember that compliance is not just about checking boxes—it's about implementing security controls that protect sensitive data and meet regulatory requirements. Work with your security and compliance teams to ensure your Kubernetes deployments meet all applicable standards.