Containers and Kubernetes have transformed how applications get built and deployed, and they have introduced a fresh layer of security considerations that many organisations are still working through. Done well, container security is genuinely strong. Done badly, it produces large attack surfaces with weak boundaries.
Image Hygiene Comes First
Every container starts from an image, and every image carries the security posture of whatever it includes. Pulling images from public registries without verification, building on outdated parent images, including unnecessary packages, and storing secrets in image layers all introduce risk before the container even runs.
Runtime Privileges Often Run Wild
Containers can run with a wide range of privileges, from heavily restricted to essentially equivalent to the host kernel. Default configurations often grant more than necessary, such as Linux capabilities like NET_ADMIN or SYS_ADMIN, or simply running as root inside the container.
Expert Commentary
Name: William Fieldhouse
Title: Director of Aardwolf Security Ltd
“The container findings I report most often involve excessive privileges granted by default and never reviewed. Pods running as root, containers with the host network, hostPath volumes that mount sensitive directories.”
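As an added example (not code from the article or from Aardwolf Security), the following helper flags the findings listed above in a Pod manifest: hostNetwork, hostPath volumes, containers that may run as root, privileged mode, and risky added capabilities. The two manifests are constructed samples; the function, constant and container names are assumptions for illustration.

```python
# Added audit helper (not from the article): flags the privilege findings named above
# in a Pod manifest. Sample manifests are constructed; in practice feed it the
# parsed output of `kubectl get pod -o json`.
RISKY_CAPS = {"NET_ADMIN", "SYS_ADMIN"}  # capabilities the article calls out


def audit_pod(pod: dict) -> list:
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})
    if spec.get("hostNetwork"):
        findings.append("pod shares the host network namespace (hostNetwork: true)")
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            findings.append(f"volume {vol['name']} mounts hostPath {vol['hostPath'].get('path')}")
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        sc = c.get("securityContext", {})
        # Container-level settings override pod-level ones; neither set means root.
        non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False))
        uid = sc.get("runAsUser", pod_sc.get("runAsUser"))
        if not non_root and uid in (None, 0):
            findings.append(f"container {c['name']} may run as root")
        if sc.get("privileged"):
            findings.append(f"container {c['name']} is privileged")
        for cap in sorted(set(sc.get("capabilities", {}).get("add", [])) & RISKY_CAPS):
            findings.append(f"container {c['name']} adds capability {cap}")
    return findings


# Constructed sample: the kind of default-privileged pod the article describes.
WEAK_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web"}, "spec": {
    "hostNetwork": True,
    "volumes": [{"name": "host-etc", "hostPath": {"path": "/etc"}}],
    "containers": [{"name": "app", "image": "example/app:1.0",
                    "securityContext": {"capabilities": {"add": ["NET_ADMIN"]}}}]}}

# Constructed sample: the same workload with privileges pared back.
HARDENED_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web"}, "spec": {
    "securityContext": {"runAsNonRoot": True, "runAsUser": 10001},
    "containers": [{"name": "app", "image": "example/app:1.0",
                    "securityContext": {"allowPrivilegeEscalation": False,
                                        "capabilities": {"drop": ["ALL"]}}}]}}

if __name__ == "__main__":
    for label, pod in (("weak", WEAK_POD), ("hardened", HARDENED_POD)):
        print(label, audit_pod(pod) or "no findings")
```

Running it reports four findings for the weak manifest and none for the hardened one; the same checks map directly onto an admission policy or a CI gate over rendered manifests.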
Network Policies Are Often Missing

Kubernetes by default allows all pods to communicate with all other pods. Network policies provide segmentation, but they have to be defined explicitly. In many clusters, they remain unused, leaving lateral movement trivial once an attacker reaches any pod.
Secrets Management Needs Real Attention
Kubernetes Secrets are base64-encoded, not encrypted, by default, so the data sits readable in etcd unless additional encryption at rest is configured. External secrets management, sealed secrets patterns, and tight RBAC around secret access all reduce exposure.
Cluster Components Themselves Are Targets
The Kubernetes API server, the kubelet, etcd, and the various controllers each represent attack surfaces in their own right. The official CIS benchmarks for Kubernetes provide a useful baseline, but production clusters benefit from configuration that goes beyond the minimum compliance bar.
Building a Sustainable Practice
Container security is not a one-off project. New images get published daily, vulnerabilities surface continuously, and clusters evolve with every deployment. Build scanning into the pipeline, runtime detection into the cluster, and periodic deeper review into the security calendar.
