Securely Setting Up a Kubernetes Cluster


Kubernetes can accelerate application delivery, but misconfigurations lead to serious security risks. Follow these best practices to build a hardened cluster from the ground up.


1. Choose a Secure Deployment Method

You have three main options:

  1. Managed Kubernetes (EKS, GKE, AKS): Cloud providers handle control plane security and upgrades.
  2. Kubeadm: Official tool to bootstrap clusters on your own VMs.
  3. kOps / Kubespray: Infrastructure-as-code solutions for production-grade clusters.

DIY Recommendation: Start with kubeadm on hardened VMs to learn core components.

2. Secure the Host OS

Before installing Kubernetes, lock down your nodes:

  • Use a Minimal OS: Ubuntu LTS or CentOS Stream with only the required packages.

  • Enable Automatic Security Updates:

# Ubuntu: unattended-upgrades
sudo apt-get install unattended-upgrades
sudo dpkg-reconfigure --priority=low unattended-upgrades

  • Disable Swap and Unused Services: the kubelet refuses to start while swap is enabled unless explicitly configured otherwise, so turn swap off; also remove cloud-init and any daemons the node does not need.

  • Kernel Hardening:

# The net.bridge.* keys only exist once the br_netfilter module is loaded
sudo modprobe br_netfilter
echo br_netfilter | sudo tee /etc/modules-load.d/k8s.conf
cat <<EOF | sudo tee /etc/sysctl.d/99-k8s.conf
net.ipv4.ip_forward = 1
net.bridge.bridge-nf-call-iptables = 1
fs.protected_regular = 1
fs.protected_fifos = 1
EOF
sudo sysctl --system

  • Install a Host‑Based Firewall: UFW or firewalld to restrict traffic to required ports (6443, 2379–2380, 10250, etc.).

3. Initialise the Control Plane with kubeadm

Install kubeadm, kubelet and kubectl on all nodes:

sudo apt-get update && sudo apt-get install -y \
  apt-transport-https ca-certificates curl gpg
# The legacy apt.kubernetes.io / packages.cloud.google.com repository is frozen and
# deprecated; use the community-owned pkgs.k8s.io repository and pick the minor
# version you intend to run (v1.30 below is an example).
sudo mkdir -p -m 755 /etc/apt/keyrings
curl -fsSL https://pkgs.k8s.io/core:/stable:/v1.30/deb/Release.key \
  | sudo gpg --dearmor -o /etc/apt/keyrings/kubernetes-apt-keyring.gpg
echo "deb [signed-by=/etc/apt/keyrings/kubernetes-apt-keyring.gpg] https://pkgs.k8s.io/core:/stable:/v1.30/deb/ /" \
  | sudo tee /etc/apt/sources.list.d/kubernetes.list
sudo apt-get update
sudo apt-get install -y kubelet kubeadm kubectl
# Pin the versions so an unattended upgrade cannot move the node to a different release
sudo apt-mark hold kubelet kubeadm kubectl

Initialise the control plane. kubeadm generates a random bootstrap token (expiring after --token-ttl) and, with --upload-certs, a certificate key that additional control-plane nodes need to join:

sudo kubeadm init --pod-network-cidr=10.244.0.0/16 \
  --token-ttl=24h \
  --upload-certs

Secure the kube-config file:

mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config
chmod 600 $HOME/.kube/config

4. Harden the Control Plane

  • Enable Audit Logging:

# /etc/kubernetes/audit-policy.yaml
apiVersion: audit.k8s.io/v1
kind: Policy
rules:
- level: Metadata
  resources:
  - group: ""
    resources: ["pods","secrets","configmaps"]
# Requests matched by no rule are not logged at all; append a catch-all rule
# (for example "- level: Metadata") if every request should leave a trace.

# kube-apiserver manifest (/etc/kubernetes/manifests/kube-apiserver.yaml)
# The policy file and the log directory must also be mounted into the static
# pod with hostPath volumes, otherwise the apiserver fails to start.
- --audit-policy-file=/etc/kubernetes/audit-policy.yaml
- --audit-log-path=/var/log/kubernetes/audit.log
- --audit-log-maxage=30

  • Enable Encryption at Rest for Secrets:

# /etc/kubernetes/encryption-config.yaml (owned by root, mode 0600: it contains the key)
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets
    providers:
      - aescbc:
          keys:
            - name: key1
              # generate with: head -c 32 /dev/urandom | base64
              secret: <base64-encoded-32-byte-key>
      # identity (plaintext) stays last so secrets written before encryption was
      # enabled can still be read; the first provider is the one used for writes
      - identity: {}

  • Add --encryption-provider-config=/etc/kubernetes/encryption-config.yaml to the kube-apiserver args (and mount the file into the static pod). Secrets created before this change remain in plaintext in etcd until they are rewritten, so re-save existing secrets afterwards.
  • Restrict API Server Access: Use network policies or a firewall to allow only trusted IPs.
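As an added example (not part of the original post), a small Python detector that reads the JSON-lines audit.log produced by the configuration above and flags anonymous requests, successful secret reads by non-system users, and pod exec sessions. The sample events are constructed; the pod-exec rule assumes the policy also lists "pods/exec", since "pods" alone does not match subresources.

```python
import json

# Constructed sample events in the kube-apiserver audit.log format (one JSON event per line).
# They are made up for this example and are not real cluster data.
SAMPLE_AUDIT_LOG = """
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","stage":"ResponseComplete","verb":"get","user":{"username":"system:serviceaccount:production:app","groups":["system:serviceaccounts"]},"sourceIPs":["10.244.1.7"],"objectRef":{"resource":"configmaps","namespace":"production","name":"app-config"},"responseStatus":{"code":200}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","stage":"ResponseComplete","verb":"list","user":{"username":"alice","groups":["system:authenticated"]},"sourceIPs":["203.0.113.9"],"objectRef":{"resource":"secrets","namespace":"production"},"responseStatus":{"code":200}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","stage":"ResponseComplete","verb":"get","user":{"username":"system:anonymous","groups":["system:unauthenticated"]},"sourceIPs":["198.51.100.4"],"objectRef":{"resource":"pods","namespace":"kube-system","name":"etcd-cp1"},"responseStatus":{"code":403}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","stage":"ResponseComplete","verb":"create","user":{"username":"alice","groups":["system:authenticated"]},"sourceIPs":["203.0.113.9"],"objectRef":{"resource":"pods","subresource":"exec","namespace":"production","name":"db-0"},"responseStatus":{"code":101}}
"""

SECRET_READ_VERBS = {"get", "list", "watch"}

def parse_audit_events(text):
    """Yield audit events from audit.log content, skipping blank or malformed lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue  # a truncated trailing line is normal while the log is being rotated

def detect_suspicious(events):
    """Return (rule, username, source_ip, namespace/resource/name) tuples worth alerting on."""
    findings = []
    for ev in events:
        if ev.get("stage") != "ResponseComplete":
            continue  # alert once per request, not once per audit stage
        user = ev.get("user", {}).get("username", "")
        ip = (ev.get("sourceIPs") or ["?"])[0]
        ref = ev.get("objectRef", {})
        target = f"{ref.get('namespace', '-')}/{ref.get('resource', '?')}/{ref.get('name', '*')}"
        verb, code = ev.get("verb"), ev.get("responseStatus", {}).get("code", 0)
        if user == "system:anonymous":  # should never appear once --anonymous-auth=false is set
            findings.append(("anonymous-request", user, ip, target))
        if (ref.get("resource") == "secrets" and verb in SECRET_READ_VERBS
                and code == 200 and not user.startswith("system:")):
            findings.append(("secret-read", user, ip, target))
        if ref.get("resource") == "pods" and ref.get("subresource") == "exec":
            findings.append(("pod-exec", user, ip, target))
    return findings

if __name__ == "__main__":
    for finding in detect_suspicious(parse_audit_events(SAMPLE_AUDIT_LOG)):
        print(*finding)
```

Point parse_audit_events at the real file (or at the lines shipped to your log pipeline) and the same rules apply unchanged.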

5. Deploy a Network Plugin with Policy Enforcement

Install a CNI that supports NetworkPolicies, e.g., Calico:

kubectl apply -f https://docs.projectcalico.org/manifests/calico.yaml

Then enforce a default-deny policy:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny
  namespace: default
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress

A NetworkPolicy is namespaced, so apply one in every namespace you want covered. Denying egress also blocks DNS: add an explicit policy allowing UDP and TCP port 53 to CoreDNS in kube-system, then allow only the traffic each workload actually needs on top of this baseline.

6. Configure RBAC and Pod Security Standards

a. RBAC

  • Disable anonymous access: ensure --anonymous-auth=false is set on kube-apiserver.
  • Create least-privilege Roles and bind them to users or service accounts:

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: production
  name: pod-reader
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get","watch","list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-pods
  namespace: production
subjects:
- kind: User
  name: alice
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
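To check that Roles actually stay least-privilege, here is an added example (not from the original post) of a small Python linter over the JSON that `kubectl get roles,clusterroles -A -o json` returns. The sample input is constructed; the pod-reader Role from above passes, while a wildcard Role and a ClusterRole with secret reads, pods/exec and escalation verbs are flagged.

```python
import json

# Constructed sample of `kubectl get roles,clusterroles -A -o json`, reduced to the
# fields the linter needs; it is not real cluster output.
SAMPLE_RBAC_JSON = json.dumps({"items": [
    {"kind": "Role", "metadata": {"name": "pod-reader", "namespace": "production"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "watch", "list"]}]},
    {"kind": "Role", "metadata": {"name": "deployer", "namespace": "production"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "debug"},
     "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["list"]},
               {"apiGroups": [""], "resources": ["pods/exec"], "verbs": ["create"]},
               {"apiGroups": ["rbac.authorization.k8s.io"], "resources": ["clusterroles"],
                "verbs": ["bind", "escalate"]}]},
]})

# Verbs that let a subject grant itself more than it was given.
PRIVILEGE_VERBS = {"bind", "escalate", "impersonate"}
# (resource, verb) pairs that expose credentials or give code execution inside pods.
SENSITIVE_PAIRS = {
    ("secrets", "get"): "exposes credentials", ("secrets", "list"): "exposes credentials",
    ("secrets", "watch"): "exposes credentials",
    ("pods/exec", "create"): "gives code execution in pods",
    ("pods/attach", "create"): "gives code execution in pods",
}

def lint_rbac(raw_json):
    """Return [(role, rule_index, issue)] for every rule that violates least privilege."""
    issues = []
    for item in json.loads(raw_json)["items"]:
        meta = item["metadata"]
        role = f"{item['kind']}/{meta.get('namespace', 'cluster')}/{meta['name']}"
        for i, rule in enumerate(item.get("rules", [])):
            verbs = set(rule.get("verbs", []))
            resources = set(rule.get("resources", []))
            if "*" in verbs or "*" in resources or "*" in rule.get("apiGroups", []):
                issues.append((role, i, "wildcard grants cluster-admin-like access"))
            for verb in sorted(verbs & PRIVILEGE_VERBS):
                issues.append((role, i, f"verb '{verb}' allows privilege escalation"))
            for res in sorted(resources):
                for verb in sorted(verbs):
                    if (res, verb) in SENSITIVE_PAIRS:
                        issues.append((role, i, f"{verb} on {res} {SENSITIVE_PAIRS[(res, verb)]}"))
    return issues

if __name__ == "__main__":
    for role, idx, issue in lint_rbac(SAMPLE_RBAC_JSON):
        print(f"{role} rule[{idx}]: {issue}")
```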

b. Pod Security Admission

Use built‑in PodSecurity admission (Kubernetes v1.25+):

kubectl label namespace production pod-security.kubernetes.io/enforce=restricted

7. Secure Container Images & Supply Chain

  • Use a Private Registry with vulnerability scanning (e.g., Harbor).

  • Enforce Image Signing with Sigstore/Cosign:

cosign sign --key cosign.key myregistry/myapp:latest

  • Block “latest” tags and unscanned images via an admission controller (OPA/Gatekeeper).
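The check an admission controller would perform, written here as an added Python example (not part of the original post) rather than as a Gatekeeper policy: it parses each image reference with the Docker/containerd rule for what counts as a registry, and rejects images that are not pinned by digest, use an implicit or explicit "latest" tag, or come from a registry outside an assumed allow-list. The AdmissionReview request and the digest value are constructed.

```python
import json
import re

# Registries this cluster trusts: an assumption for the example, not a value from the post.
TRUSTED_REGISTRIES = {"harbor.internal:5000"}

# The first path component is a registry only if it contains '.' or ':' or is 'localhost'
# (the Docker/containerd reference rule); otherwise the image is pulled from docker.io.
IMAGE_RE = re.compile(
    r"^(?:(?P<registry>localhost|[^/]*[.:][^/]*)/)?"
    r"(?P<repo>[^:@]+)(?::(?P<tag>\w[\w.-]*))?(?:@(?P<digest>sha256:[0-9a-f]{64}))?$")

def parse_image(ref):
    """Split an image reference into registry, repo, tag and digest."""
    m = IMAGE_RE.match(ref)
    if not m:
        raise ValueError(f"unparseable image reference: {ref}")
    parts = m.groupdict()
    parts["registry"] = parts["registry"] or "docker.io"
    return parts

def check_image(ref):
    """Return the policy violations for one image reference (empty list means allowed)."""
    img = parse_image(ref)
    problems = []
    if img["registry"] not in TRUSTED_REGISTRIES:
        problems.append(f"registry {img['registry']} is not trusted")
    if img["digest"] is None:
        problems.append("not pinned by digest")
        if img["tag"] in (None, "latest"):  # a missing tag means :latest
            problems.append("mutable 'latest' tag")
    return problems

def review_pod(admission_review_json):
    """Admission-style verdict for a Pod: (allowed, [(container, image, problem), ...])."""
    spec = json.loads(admission_review_json)["request"]["object"]["spec"]
    findings = []
    for field in ("initContainers", "containers"):
        for c in spec.get(field, []):
            findings += [(c["name"], c["image"], p) for p in check_image(c["image"])]
    return (not findings, findings)

GOOD_DIGEST = "sha256:" + "ab" * 32  # constructed placeholder, not a real image digest
SAMPLE_REVIEW = json.dumps({"kind": "AdmissionReview", "request": {"object": {"kind": "Pod", "spec": {
    "initContainers": [{"name": "migrate", "image": f"harbor.internal:5000/team/migrate@{GOOD_DIGEST}"}],
    "containers": [{"name": "api", "image": f"harbor.internal:5000/team/api:1.4.2@{GOOD_DIGEST}"},
                   {"name": "web", "image": "myregistry/myapp:latest"},
                   {"name": "sidecar", "image": "nginx"}]}}}})
```

Note that "myregistry/myapp" without a dot or port in the first component resolves to docker.io, which is why the Cosign example above would also need a fully qualified registry to pass this check.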

8. Deploy Monitoring & Intrusion Detection

  • Prometheus & Grafana for metrics and dashboards.

  • Falco for runtime intrusion detection:

helm repo add falcosecurity https://falcosecurity.github.io/charts
helm install falco falcosecurity/falco

  • Kube-bench and kube-hunter for periodic security assessments.

9. Enable Logging & Audit Collection

  • Centralise Logs: forward kube‑apiserver, kubelet, and container logs to ELK or a managed logging service.
  • Ship Audit Logs from /var/log/kubernetes/audit.log via Fluentd or Filebeat.

10. Regular Maintenance & Updates

  • Rotate Certificates & Tokens every 90 days.
  • Upgrade Kubernetes to the latest patch release within 30 days of publication.
  • Re-run CIS Benchmarks quarterly and remediate failures.
