
Container Security: Hardening Docker and Kubernetes

Containers and Kubernetes have transformed how applications get built and deployed, and they have introduced a fresh layer of security considerations that many organisations are still working through. The fundamentals are different enough from traditional infrastructure that habits learned on bare metal or virtual machines do not always transfer cleanly. Done well, container security is genuinely strong. Done badly, it produces large attack surfaces with weak boundaries.

Image Hygiene Comes First

Every container starts from an image, and every image carries the security posture of whatever it includes. Pulling unverified images from public registries, building on outdated parent images, including unnecessary packages, and storing secrets in image layers all introduce risk before the container even runs. AWS penetration testing that includes container scanning catches the obvious issues, but the deeper work involves curating an internal image registry with vetted base images and clear update policies.
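The checks described above can be automated at the point where an image is built. The following Dockerfile linter is an added example, not code from the original article or from any particular scanner; the two Dockerfiles it inspects are constructed for illustration, and the all-zero digest in the hardened one is a placeholder standing in for a real pinned digest.

```python
import re

# Constructed sample Dockerfile carrying the hygiene problems discussed above
# (floating base tag, secret baked into a layer, whole build context copied,
# debugging tools installed, no USER). Not taken from any real project.
BAD_DOCKERFILE = """\
FROM node:latest
ENV AWS_SECRET_ACCESS_KEY=EXAMPLE_NOT_A_REAL_KEY
COPY . /app
RUN apt-get update && apt-get install -y curl vim gdb
CMD ["node", "/app/server.js"]
"""

# Constructed hardened counterpart. The sha256 digest is a placeholder: in a
# real file it is the digest of the vetted base image from the internal registry.
HARDENED_DOCKERFILE = """\
FROM node:20-slim@sha256:0000000000000000000000000000000000000000000000000000000000000000
WORKDIR /app
COPY --chown=node:node package*.json ./
RUN npm ci --omit=dev
COPY --chown=node:node src ./src
USER node
CMD ["node", "src/server.js"]
"""

# Environment/build-arg names that usually indicate a credential.
SECRET_ENV = re.compile(r"(SECRET|PASSWORD|TOKEN|API_KEY|ACCESS_KEY)", re.I)
# Packages that are handy for debugging and equally handy for an attacker
# who lands in the container.
DEBUG_PKGS = {"gdb", "strace", "vim", "curl", "wget", "netcat", "telnet"}


def lint_dockerfile(text):
    """Return a list of (line_number, message) findings for a Dockerfile.

    Line number 0 is used for findings that concern the file as a whole."""
    findings = []
    has_user = False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        instr, _, args = line.partition(" ")
        instr = instr.upper()
        # Skip option flags such as --chown=... when looking at COPY/ADD sources.
        positional = [a for a in args.split() if not a.startswith("--")]

        if instr == "FROM":
            image = positional[0]
            if "@sha256:" not in image:
                if ":" not in image or image.endswith(":latest"):
                    findings.append((lineno, "FROM uses a floating tag; pin a tag or digest"))
                else:
                    findings.append((lineno, "FROM is not digest-pinned"))
        elif instr in ("ENV", "ARG") and SECRET_ENV.search(args):
            findings.append((lineno, "secret-looking value baked into an image layer"))
        elif instr in ("COPY", "ADD") and positional and positional[0] in (".", "./"):
            findings.append((lineno, "copies the whole build context (may include .env, .git)"))
        elif instr == "RUN":
            pkgs = DEBUG_PKGS.intersection(args.replace("\\", " ").split())
            if pkgs:
                findings.append((lineno, "debug tools installed: " + ", ".join(sorted(pkgs))))
        elif instr == "USER" and args.strip() not in ("root", "0"):
            has_user = True

    if not has_user:
        findings.append((0, "no USER instruction; container runs as root"))
    return findings


if __name__ == "__main__":
    for label, df in (("bad", BAD_DOCKERFILE), ("hardened", HARDENED_DOCKERFILE)):
        print(f"== {label} ==")
        for lineno, msg in lint_dockerfile(df):
            print(f"  line {lineno}: {msg}")
```

Running it on the two inputs reports five findings for the first file and none for the second. The linter is deliberately line-oriented so it can sit in a pre-commit hook or CI step alongside a full image scanner rather than replace one.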

Runtime Privileges Often Run Wild

Containers can run with a wide range of privileges, from heavily restricted to essentially equivalent to root on the host. Default configurations often grant more than necessary, including capabilities such as NET_ADMIN or SYS_ADMIN, or running as root inside the container. Each excess privilege expands what an attacker who compromises the container can do. Pod Security Standards, Kubernetes admission controllers, and Open Policy Agent all help enforce least privilege at scale, provided the policies actually get configured.
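An admission controller or a periodic audit job applies exactly the kind of least-privilege rules this section describes. The function below is an added example, not code from the article or from any Kubernetes component: it walks a pod manifest (represented as the dictionary a YAML loader would produce) and reports the privilege grants that the Pod Security Standards "restricted" profile rejects. The two pod specs are constructed for illustration and the image digest in the hardened one is a placeholder.

```python
# Constructed pod specs (not from any real cluster). Only the fields the audit
# looks at are present; field names follow the Kubernetes PodSpec API.
WEAK_POD = {
    "metadata": {"name": "debug-shell"},
    "spec": {
        "hostNetwork": True,
        "volumes": [{"name": "rootfs", "hostPath": {"path": "/"}}],
        "containers": [{
            "name": "shell",
            "image": "busybox",
            "securityContext": {
                "capabilities": {"add": ["NET_ADMIN", "SYS_ADMIN"]},
            },
        }],
    },
}

HARDENED_POD = {
    "metadata": {"name": "web"},
    "spec": {
        "securityContext": {
            "runAsNonRoot": True,
            "runAsUser": 10001,
            "seccompProfile": {"type": "RuntimeDefault"},
        },
        "volumes": [{"name": "tmp", "emptyDir": {}}],
        "containers": [{
            "name": "web",
            # Placeholder digest; a real manifest pins the vetted image digest.
            "image": "registry.internal.example/web@sha256:PLACEHOLDER",
            "securityContext": {
                "allowPrivilegeEscalation": False,
                "readOnlyRootFilesystem": True,
                "capabilities": {"drop": ["ALL"]},
            },
        }],
    },
}

# Capabilities that let a process affect the host or other containers.
DANGEROUS_CAPS = {"SYS_ADMIN", "NET_ADMIN", "SYS_PTRACE", "SYS_MODULE", "NET_RAW", "DAC_READ_SEARCH"}
# Host directories whose exposure gives a container a path to the node itself.
SENSITIVE_HOST_PATHS = ("/etc", "/proc", "/root", "/run/containerd", "/var/run/docker.sock", "/var/lib/kubelet")


def _sensitive(path):
    path = path.rstrip("/") or "/"
    return path == "/" or any(path == p or path.startswith(p + "/") for p in SENSITIVE_HOST_PATHS)


def audit_pod(pod):
    """Return a list of least-privilege findings for one pod manifest."""
    spec = pod["spec"]
    name = pod["metadata"]["name"]
    pod_sc = spec.get("securityContext", {})
    findings = []

    for field in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(field):
            findings.append(f"{name}: {field} is enabled")

    for vol in spec.get("volumes", []):
        hp = vol.get("hostPath")
        if hp:
            path = hp.get("path", "")
            tag = " (sensitive)" if _sensitive(path) else ""
            findings.append(f"{name}: hostPath volume {vol['name']} mounts {path}{tag}")

    for c in spec.get("containers", []) + spec.get("initContainers", []):
        sc = c.get("securityContext", {})
        cname = f"{name}/{c['name']}"
        # Container-level settings override pod-level ones, so consult both.
        if not sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")):
            findings.append(f"{cname}: may run as root (runAsNonRoot not set)")
        if sc.get("privileged"):
            findings.append(f"{cname}: privileged container")
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append(f"{cname}: allowPrivilegeEscalation not set to false")
        caps = sc.get("capabilities", {})
        added = sorted(DANGEROUS_CAPS.intersection(caps.get("add", [])))
        if added:
            findings.append(f"{cname}: adds dangerous capabilities {', '.join(added)}")
        if "ALL" not in caps.get("drop", []):
            findings.append(f"{cname}: does not drop ALL capabilities")
        seccomp = sc.get("seccompProfile", pod_sc.get("seccompProfile", {})).get("type")
        if seccomp not in ("RuntimeDefault", "Localhost"):
            findings.append(f"{cname}: no seccomp profile")
    return findings


if __name__ == "__main__":
    for pod in (WEAK_POD, HARDENED_POD):
        print(pod["metadata"]["name"], audit_pod(pod) or "clean")
```

The weak pod produces seven findings, the hardened pod none. In a real admission webhook the same function would return a deny decision instead of a list, and the checks map closely onto what the built-in Pod Security Admission enforces when a namespace is labelled with the restricted profile.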

Expert Commentary

Name: William Fieldhouse

Title: Director of Aardwolf Security Ltd

Comments: The container findings I report most often involve excessive privileges granted by default and never reviewed. Pods running as root, containers with the host network, hostPath volumes that mount sensitive directories. Each individual choice was probably reasonable at some point, but the cumulative effect leaves a cluster where compromising any container risks compromising the host.

Network Policies Are Often Missing

Kubernetes by default allows all pods to communicate with all other pods. Network policies provide segmentation, but they have to be defined explicitly. In many clusters, they remain unused, leaving lateral movement trivial once an attacker reaches any pod. Implementing network policies takes effort because every legitimate communication has to be expressed as a rule, but the resulting segmentation closes off most opportunistic attack paths within the cluster.

Secrets Management Needs Real Attention

Kubernetes secrets are base64 encoded, not encrypted by default. The data sits readable in etcd unless additional encryption at rest is configured. Injecting secrets as environment variables exposes them to anyone who can read process listings, which often includes more workloads than intended. External secrets management, sealed secrets patterns, and tight RBAC around secret access all reduce exposure. Vulnerability scanning services that examine secrets handling specifically often surface credentials sitting in places nobody intended.
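Two of the points above, that base64 is not encryption and that credentials end up in manifests where they do not belong, are easy to demonstrate on the manifests themselves. The following scanner is an added example, not code from the article or from any scanning product; the Secret, ConfigMap and Pod it inspects are constructed for illustration and the credential values in them are obviously fake.

```python
import base64
import re

# Key or variable names that normally hold credentials.
SECRET_KEY = re.compile(r"(passw(or)?d|secret|token|api[_-]?key|private[_-]?key)", re.I)

# Constructed manifests in the shape a YAML loader would produce. Not from any
# real cluster; the values are placeholders.
SECRET = {
    "kind": "Secret", "metadata": {"name": "db-creds"},
    "data": {"password": base64.b64encode(b"example-not-a-real-password").decode()},
}
CONFIGMAP = {
    "kind": "ConfigMap", "metadata": {"name": "app-config"},
    "data": {"LOG_LEVEL": "info", "DB_PASSWORD": "plaintext-in-configmap"},
}
POD = {
    "kind": "Pod", "metadata": {"name": "api"},
    "spec": {"containers": [{"name": "api", "env": [
        {"name": "API_TOKEN", "value": "literal-token-in-manifest"},
        {"name": "DB_PASSWORD", "valueFrom": {"secretKeyRef": {"name": "db-creds", "key": "password"}}},
        {"name": "LOG_LEVEL", "value": "info"},
    ]}]},
}


def decode_secret(secret):
    """Show that Secret.data is only base64: anyone who can read the object
    (or etcd without encryption at rest) recovers the plaintext directly."""
    return {k: base64.b64decode(v).decode() for k, v in secret.get("data", {}).items()}


def scan_manifests(manifests):
    """Return findings about credentials stored or exposed in the wrong place."""
    findings = []
    for m in manifests:
        kind, name = m["kind"], m["metadata"]["name"]
        if kind == "ConfigMap":
            for key in m.get("data", {}):
                if SECRET_KEY.search(key):
                    findings.append(f"ConfigMap/{name}: key {key} looks like a credential; move it to a Secret")
        elif kind == "Pod":
            for c in m["spec"]["containers"]:
                where = f"Pod/{name}/{c['name']}"
                for env in c.get("env", []):
                    if "value" in env and SECRET_KEY.search(env["name"]):
                        findings.append(f"{where}: env {env['name']} holds a literal credential in the manifest")
                    elif "secretKeyRef" in env.get("valueFrom", {}):
                        findings.append(f"{where}: env {env['name']} injects a Secret into the process environment; prefer a volume mount")
                for ef in c.get("envFrom", []):
                    if "secretRef" in ef:
                        findings.append(f"{where}: envFrom exposes every key of Secret {ef['secretRef']['name']} as an environment variable")
    return findings


if __name__ == "__main__":
    print("decoded Secret:", decode_secret(SECRET))
    for f in scan_manifests([SECRET, CONFIGMAP, POD]):
        print("-", f)
```

The scan reports three findings: a password stored in a ConfigMap, a literal token in the pod's env list, and a Secret injected through `secretKeyRef` rather than mounted as a file. Decoding the Secret shows the plaintext immediately, which is the reason encryption at rest for etcd and tight RBAC on `get`/`list` for Secrets matter.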

Cluster Components Themselves Are Targets

The Kubernetes API server, the kubelet, etcd, and the various controllers each represent attack surfaces in their own right. Anonymous authentication left enabled, kubelet API exposed without authentication, etcd reachable across the network, and admin kubeconfig files stored in unsafe places all appear in real environments. The official CIS benchmarks for Kubernetes provide a useful baseline, but production clusters benefit from configuration that goes beyond the minimum compliance bar.
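The misconfigurations listed above mostly show up as command-line flags on the control-plane and node processes, which is also how the CIS benchmark checks them. The script below is an added example, not code from the article, from the CIS benchmark, or from any audit tool: it parses the kubelet, kube-apiserver and etcd command lines (constructed here to resemble `ps -o args` output; the kubelet values may equally come from its config file in real clusters, which this example does not read) and flags the settings discussed in this section, plus the file mode of a kubeconfig.

```python
import shlex
import stat

# Constructed process command lines, written to look like `ps -o args` output.
# Not captured from any real node; the flag names are the real ones.
KUBELET_CMD = ("/usr/bin/kubelet --anonymous-auth=true --authorization-mode=AlwaysAllow "
               "--read-only-port=10255 --config=/var/lib/kubelet/config.yaml")
APISERVER_CMD = ("kube-apiserver --anonymous-auth=false --authorization-mode=Node,RBAC "
                 "--etcd-servers=https://127.0.0.1:2379 --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt")
ETCD_CMD = "etcd --listen-client-urls=http://0.0.0.0:2379 --client-cert-auth=false"


def parse_flags(cmdline):
    """Turn '--k=v' and '--k v' arguments into a dict; bare '--k' means true."""
    tokens = shlex.split(cmdline)[1:]
    flags, i = {}, 0
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("--"):
            key, sep, val = tok[2:].partition("=")
            if not sep and i + 1 < len(tokens) and not tokens[i + 1].startswith("--"):
                val, i = tokens[i + 1], i + 1
            flags[key] = val if val != "" else "true"
        i += 1
    return flags


# (flag, predicate on its value that must hold, finding text). A missing flag
# is passed as "" so insecure defaults (e.g. anonymous-auth defaulting to true)
# are reported rather than silently accepted.
CHECKS = {
    "kubelet": [
        ("anonymous-auth", lambda v: v == "false", "kubelet accepts anonymous requests"),
        ("authorization-mode", lambda v: v not in ("", "AlwaysAllow"), "kubelet authorizes every request (AlwaysAllow)"),
        ("read-only-port", lambda v: v == "0", "unauthenticated read-only kubelet port is open"),
    ],
    "kube-apiserver": [
        ("anonymous-auth", lambda v: v == "false", "API server accepts anonymous requests"),
        ("authorization-mode", lambda v: "RBAC" in v.split(",") and "AlwaysAllow" not in v.split(","),
         "API server authorization does not use RBAC"),
    ],
    "etcd": [
        ("client-cert-auth", lambda v: v == "true", "etcd accepts clients without a certificate"),
        ("listen-client-urls", lambda v: v.startswith("https://"), "etcd client endpoint is not TLS"),
    ],
}


def check_component(component, cmdline):
    """Return findings for one component's command line."""
    flags = parse_flags(cmdline)
    return [f"{component}: {msg} (--{flag}={flags.get(flag, '<unset>')})"
            for flag, ok, msg in CHECKS[component] if not ok(flags.get(flag, ""))]


def kubeconfig_mode_ok(mode):
    """A kubeconfig with admin credentials should not be readable by group or
    others, i.e. 0600 or stricter. Takes the raw st_mode from os.stat()."""
    return stat.S_IMODE(mode) & 0o077 == 0


if __name__ == "__main__":
    for comp, cmd in (("kubelet", KUBELET_CMD), ("kube-apiserver", APISERVER_CMD), ("etcd", ETCD_CMD)):
        for f in check_component(comp, cmd) or [f"{comp}: no findings"]:
            print(f)
    print("kubeconfig 0644 acceptable:", kubeconfig_mode_ok(stat.S_IFREG | 0o644))
```

On the constructed input the kubelet yields three findings and etcd two, while the API server line passes. To use it against a real node, feed it the output of `ps -o args -C kubelet` and friends, and for the kubeconfig check pass `os.stat(path).st_mode`.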

Building a Sustainable Practice

Container security is not a one-off project. New images get published daily, vulnerabilities surface continuously, and clusters evolve with every deployment. Build scanning into the pipeline, runtime detection into the cluster, and periodic deeper review into the security calendar. The tools have matured significantly in the past few years. The work that remains is the discipline of applying them consistently across every environment that matters.
