Kubernetes Security, Explained
A structured reference for the concepts, controls, and compliance frameworks that keep Kubernetes clusters secure. Each article leads with a direct answer and then goes deep.
Foundations
What is KSPM?
KSPM (Kubernetes Security Posture Management) continuously inspects Kubernetes clusters for misconfigurations, risky permissions, and policy drift.
What is CNAPP?
CNAPP (Cloud-Native Application Protection Platform) bundles CSPM, KSPM, vulnerability scanning, IaC scanning, and runtime security into one platform.
KSPM vs CNAPP
KSPM inspects Kubernetes clusters specifically; a CNAPP covers the whole cloud estate (accounts, workloads, identities, code) and usually includes KSPM as one of its modules.
Container security
Container security spans image hardening, supply chain integrity (SBOM, signing), runtime monitoring, and the orchestrator itself.
Core Concepts
Kubernetes attack path analysis
Attack path analysis traces reachable chains from an entry point to a high-value target across your Kubernetes cluster.
Kubernetes RBAC analysis
Over-permissive Kubernetes RBAC (wildcard verbs, cluster-admin bound to service accounts, read access to Secrets, pods/exec) is a common source of cluster compromise paths.
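As an added example (not code from this page or from any product it describes), the following Python evaluates a constructed set of roles and bindings for the grants an RBAC analysis would flag first: wildcard rules, the escalation verbs `bind`/`escalate`/`impersonate`, Secret reads and `pods/exec`. The role and subject names (`secret-reader`, `ci/runner`, and so on) are made up, and the rule set is a small subset of what a full analyzer checks.

```python
"""Flag risky Kubernetes RBAC grants from Role/ClusterRole rules and bindings.

Added example. The input is a constructed, trimmed model of the objects
`kubectl get clusterroles,clusterrolebindings,rolebindings -o json` returns,
not a live cluster, and the rule set is a small subset of what a full
analyzer checks.
"""
from dataclasses import dataclass

# Verbs that let a subject grant more than it already holds.
ESCALATION_VERBS = {"bind", "escalate", "impersonate"}
# Subresources that turn API access into code execution or node access.
EXEC_SUBRESOURCES = {"pods/exec", "pods/attach", "pods/portforward", "nodes/proxy"}
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2}


@dataclass
class Rule:
    resources: list
    verbs: list


@dataclass
class Role:
    name: str
    rules: list


@dataclass
class Binding:
    name: str
    role: str            # name of the referenced Role/ClusterRole
    subjects: list       # "Kind:name" strings, e.g. "ServiceAccount:ci/runner"
    namespace: str = ""  # empty means ClusterRoleBinding (cluster-wide grant)


def role_findings(role):
    """Return (severity, reason) pairs for the risky rules in one role."""
    findings = []
    for rule in role.rules:
        verbs, resources = set(rule.verbs), set(rule.resources)
        if "*" in verbs and "*" in resources:
            findings.append(("critical", "wildcard verbs on wildcard resources (cluster-admin equivalent)"))
            continue
        escalation = verbs & ESCALATION_VERBS
        if escalation:
            findings.append(("critical", "escalation verbs: " + ", ".join(sorted(escalation))))
        if "secrets" in resources and verbs & {"get", "list", "watch", "*"}:
            findings.append(("high", "can read Secrets"))
        execs = resources & EXEC_SUBRESOURCES
        if execs and verbs & {"create", "*"}:
            findings.append(("high", "code execution via " + ", ".join(sorted(execs))))
        elif "*" in verbs or "*" in resources:
            findings.append(("medium", "wildcard verb or resource"))
    return findings


def analyze(roles, bindings):
    """Join bindings to roles and return one finding per (subject, risky rule).

    A ClusterRole referenced from a namespaced RoleBinding only grants access
    inside that namespace, so scope comes from the binding, not the role.
    """
    by_name = {r.name: r for r in roles}
    results = []
    for binding in bindings:
        role = by_name.get(binding.role)
        if role is None:
            continue  # dangling reference: grants nothing until the role exists
        scope = binding.namespace or "cluster"
        for severity, reason in role_findings(role):
            for subject in binding.subjects:
                results.append({"subject": subject, "role": role.name, "scope": scope,
                                "severity": severity, "reason": reason})
    return sorted(results, key=lambda f: (SEVERITY_RANK[f["severity"]], f["subject"]))


# Constructed sample cluster (all names are made up).
SAMPLE_ROLES = [
    Role("cluster-admin", [Rule(["*"], ["*"])]),
    Role("secret-reader", [Rule(["secrets"], ["get", "list"])]),
    Role("pod-exec", [Rule(["pods/exec"], ["create"])]),
    Role("configmap-viewer", [Rule(["configmaps"], ["get", "list"])]),
]
SAMPLE_BINDINGS = [
    Binding("ci-admin", "cluster-admin", ["ServiceAccount:ci/runner"]),
    Binding("web-secrets", "secret-reader", ["ServiceAccount:prod/web"], namespace="prod"),
    Binding("dev-debug", "pod-exec", ["Group:developers"]),
    Binding("dev-view", "configmap-viewer", ["User:alice"], namespace="dev"),
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_ROLES, SAMPLE_BINDINGS):
        print(f"{f['severity']:8} {f['subject']:26} {f['role']:16} scope={f['scope']:8} {f['reason']}")
```

Run against the sample, the cluster-admin grant to the CI service account comes out critical, the Secret read for `prod/web` is high but scoped to the `prod` namespace, and `alice`'s ConfigMap view produces nothing. Pointing `analyze` at real exported objects means converting `rules[].resources`/`rules[].verbs` and `subjects[]` into the dataclasses above.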
Blast radius analysis
Blast radius tells you what an attacker can reach if a specific resource is compromised.
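Both attack path analysis and blast radius reduce to reachability over the same graph: nodes are pods, service accounts, Secrets, nodes and roles, and an edge means "control of A yields B". The Python below is an added example (not the page's or any product's code) that builds such a graph from a constructed cluster, enumerates attack paths from an internet-facing pod to full cluster control, and computes the blast radius of a single compromised service account. Every edge, name and "how" label is made up; a real tool derives them from RBAC bindings, pod specs, mounted tokens and network policy.

```python
"""Attack paths and blast radius over a cluster modelled as a directed graph.

Added example. The cluster below is constructed: each edge (a, b, how) means
"an attacker controlling a can obtain b via how". A real tool derives these
edges from RBAC bindings, pod specs, mounted tokens and network policy.
"""
from collections import deque

EDGES = [
    ("pod:web", "sa:web", "service-account token mounted into the pod"),
    ("sa:web", "secret:db-creds", "RoleBinding allows get/list on Secrets"),
    ("secret:db-creds", "db:prod", "Secret holds the database password"),
    ("pod:web", "node:worker-1", "privileged container with hostPID"),
    ("node:worker-1", "sa:ci", "node access exposes tokens of co-scheduled pods"),
    ("sa:ci", "clusterrole:cluster-admin", "ClusterRoleBinding"),
    ("clusterrole:cluster-admin", "cluster", "wildcard verbs on wildcard resources"),
]


def build_graph(edges):
    """Adjacency list: node -> [(next_node, how)], with every node present."""
    graph = {}
    for src, dst, how in edges:
        graph.setdefault(src, []).append((dst, how))
        graph.setdefault(dst, [])
    return graph


def attack_paths(graph, source, target, max_hops=6):
    """All simple paths from source to target as lists of (node, how) hops.

    Depth-first with a visited set, so cycles (a node that reaches a pod that
    reaches the node again) cannot loop; shortest paths are returned first.
    """
    paths = []

    def walk(node, path, seen):
        if node == target:
            paths.append(list(path))
            return
        if len(path) > max_hops:
            return
        for nxt, how in graph.get(node, []):
            if nxt not in seen:
                path.append((nxt, how))
                seen.add(nxt)
                walk(nxt, path, seen)
                seen.discard(nxt)
                path.pop()

    walk(source, [(source, "entry point")], {source})
    return sorted(paths, key=len)


def blast_radius(graph, start):
    """Everything reachable from a compromised start node, with hop distance."""
    distance = {start: 0}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt, _ in graph.get(node, []):
            if nxt not in distance:
                distance[nxt] = distance[node] + 1
                queue.append(nxt)
    del distance[start]
    return distance


def render(path):
    """Human-readable path: 'pod:web -[how]-> sa:web ...'."""
    out = path[0][0]
    for node, how in path[1:]:
        out += f" -[{how}]-> {node}"
    return out


if __name__ == "__main__":
    graph = build_graph(EDGES)
    for path in attack_paths(graph, "pod:web", "cluster"):
        print(render(path))
    for node, hops in sorted(blast_radius(graph, "sa:web").items()):
        print(f"sa:web reaches {node} in {hops} hop(s)")
```

On this sample the only path to `cluster` runs through the privileged pod and the node, not through the web service account; removing the `privileged`/`hostPID` edge cuts it, which is exactly the kind of fix attack path analysis is meant to prioritize. The blast radius of `sa:web` alone is the database credentials and the database, nothing cluster-wide.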
Controls
Kubernetes admission control
Admission control intercepts Kubernetes API requests after authentication and authorization but before the object is persisted to etcd, and can reject (validating) or modify (mutating) the request.
Runtime security for Kubernetes
Runtime security detects malicious behavior in running containers (reverse shells, crypto miners, credential access) using kernel-level eBPF hooks or audit logs.
Kubernetes vulnerability scanning
Kubernetes vulnerability scanning finds CVEs in container images, OS packages, and language dependencies across your cluster.
SBOMs for Kubernetes
A Software Bill of Materials (SBOM) is a machine-readable inventory of every component, library, and dependency in a container image; signing it, or attaching it to the image as a signed attestation, is a separate step that lets consumers trust the inventory.
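What a vulnerability scanner does with an SBOM is a join: each component's package URL and version is matched against a feed of affected version ranges. The Python below is an added example (not this page's or any scanner's code) that does that join over a constructed CycloneDX SBOM and a constructed advisory list. The advisory identifiers (`EXAMPLE-2024-...`) are fictional, not CVEs, and the version comparison is deliberately naive: real scanners use ecosystem-specific version semantics and distribution security trackers, because distributions backport fixes without bumping the upstream version.

```python
"""Match the components in a CycloneDX SBOM against a vulnerability feed.

Added example, not a real scanner. Both the SBOM and the advisories are
constructed: the advisory IDs are fictional (EXAMPLE-...), not CVEs, and the
version comparison is a naive numeric one. Real scanners use per-ecosystem
version semantics and distro security trackers, because distributions backport
fixes without changing the upstream version number.
"""
import json
import re

# Constructed SBOM trimmed to the fields a matcher needs.
SBOM_JSON = """{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "metadata": {"component": {"type": "container", "name": "registry.example/web", "version": "1.4.2"}},
  "components": [
    {"type": "library", "name": "openssl", "version": "3.0.7", "purl": "pkg:deb/debian/openssl@3.0.7?arch=amd64"},
    {"type": "library", "name": "requests", "version": "2.28.1", "purl": "pkg:pypi/requests@2.28.1"},
    {"type": "library", "name": "zlib1g", "version": "1.2.13", "purl": "pkg:deb/debian/zlib1g@1.2.13?arch=amd64"}
  ]
}"""

# Fictional advisories: a component is affected if introduced <= version < fixed.
ADVISORIES = [
    {"id": "EXAMPLE-2024-0001", "package": "pkg:deb/debian/openssl", "introduced": "3.0.0", "fixed": "3.0.8", "severity": "high"},
    {"id": "EXAMPLE-2024-0002", "package": "pkg:pypi/requests", "introduced": "0", "fixed": "2.31.0", "severity": "medium"},
    {"id": "EXAMPLE-2024-0003", "package": "pkg:deb/debian/zlib1g", "introduced": "0", "fixed": "1.2.12", "severity": "high"},
]


def parse_version(text):
    """Naive: split on . - + ~ and compare numeric parts; non-numeric parts count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in re.split(r"[.\-+~]", text))


def purl_package(purl):
    """Strip version and qualifiers: pkg:type/ns/name@ver?q=1 -> pkg:type/ns/name."""
    return purl.split("?", 1)[0].rsplit("@", 1)[0]


def load_components(sbom_text):
    """Parse a CycloneDX JSON document and return the components that carry a purl."""
    sbom = json.loads(sbom_text)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX SBOM")
    return [c for c in sbom.get("components", []) if "purl" in c]


def match_advisories(components, advisories):
    """One finding per (component, advisory) whose version lies in the affected range."""
    findings = []
    for comp in components:
        pkg = purl_package(comp["purl"])
        version = parse_version(comp["version"])
        for adv in advisories:
            if adv["package"] != pkg:
                continue
            if parse_version(adv["introduced"]) <= version < parse_version(adv["fixed"]):
                findings.append({"id": adv["id"], "component": comp["name"],
                                 "version": comp["version"], "fixed": adv["fixed"],
                                 "severity": adv["severity"]})
    return findings


if __name__ == "__main__":
    for hit in match_advisories(load_components(SBOM_JSON), ADVISORIES):
        print(f"{hit['severity']:7} {hit['id']} {hit['component']} {hit['version']} (fixed in {hit['fixed']})")
```

On the sample, `openssl` and `requests` fall inside their affected ranges and `zlib1g` is already past its fix version, so two findings come back. Because the match keys on the purl rather than the display name, the same code handles OS packages and language dependencies alike, which is why scanners want an SBOM that records purls for both.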
eBPF for Kubernetes security
eBPF runs verified programs in the Linux kernel to monitor syscalls, network traffic, and process behavior with low overhead.
Pod Security Standards
Pod Security Standards (PSS) replace PodSecurityPolicy, which was removed in Kubernetes 1.25; the Privileged, Baseline, and Restricted profiles are enforced per namespace, via labels, by the built-in Pod Security Admission controller.
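The two controls above meet in a validating admission check: the request arrives after authorization, the object is tested against a policy, and the verdict goes back as an AdmissionReview response. The Python below is an added example (not the built-in Pod Security Admission controller or any product's code) that implements a subset of the Restricted profile's rules, covering host namespaces, `privileged`, `allowPrivilegeEscalation`, capabilities, `runAsNonRoot`, and `seccompProfile`, and wraps the result the way a webhook would. The field names are the real Pod API fields; the two sample pods are constructed, and the volume-type and sysctl rules of the profile are omitted.

```python
"""Check a Pod against a subset of the Pod Security Standards "restricted"
profile and wrap the verdict as an AdmissionReview response.

Added example, not the built-in Pod Security Admission controller. The checks
follow the published restricted-profile rules but omit the volume-type and
sysctl rules; field names are the real Pod API ones.
"""
import json

ALLOWED_SECCOMP = {"RuntimeDefault", "Localhost"}
ALLOWED_ADD_CAPS = {"NET_BIND_SERVICE"}


def restricted_violations(pod):
    """Return human-readable violations; an empty list means compliant."""
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext") or {}
    problems = []
    for field in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(field):
            problems.append(f"spec.{field} must be false")
    containers = (spec.get("containers", []) + spec.get("initContainers", [])
                  + spec.get("ephemeralContainers", []))
    for c in containers:
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext") or {}
        if sc.get("privileged"):
            problems.append(f"{name}: privileged must be false")
        if sc.get("allowPrivilegeEscalation") is not False:
            problems.append(f"{name}: allowPrivilegeEscalation must be set to false")
        caps = sc.get("capabilities") or {}
        if "ALL" not in (caps.get("drop") or []):
            problems.append(f"{name}: capabilities.drop must include ALL")
        extra = set(caps.get("add") or []) - ALLOWED_ADD_CAPS
        if extra:
            problems.append(f"{name}: capabilities.add only permits NET_BIND_SERVICE, got {sorted(extra)}")
        # Pod-level values apply unless the container overrides them, and an
        # explicit container-level false overrides a pod-level true.
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            problems.append(f"{name}: runAsNonRoot must be true (pod or container level)")
        seccomp = sc.get("seccompProfile", pod_sc.get("seccompProfile")) or {}
        if seccomp.get("type") not in ALLOWED_SECCOMP:
            problems.append(f"{name}: seccompProfile.type must be RuntimeDefault or Localhost")
    return problems


def admission_response(review):
    """Build the AdmissionReview a validating webhook returns for a Pod request."""
    request = review["request"]
    problems = restricted_violations(request["object"])
    response = {"uid": request["uid"], "allowed": not problems}
    if problems:
        response["status"] = {"code": 403, "message": "; ".join(problems)}
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
            "response": response}


# Constructed sample pods: one that should be rejected, one that passes.
BAD_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "debug"},
    "spec": {"hostPID": True,
             "containers": [{"name": "shell", "image": "busybox",
                             "securityContext": {"privileged": True}}]},
}
GOOD_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web"},
    "spec": {"securityContext": {"runAsNonRoot": True,
                                 "seccompProfile": {"type": "RuntimeDefault"}},
             "containers": [{"name": "web", "image": "nginx",
                             "securityContext": {
                                 "allowPrivilegeEscalation": False,
                                 "capabilities": {"drop": ["ALL"], "add": ["NET_BIND_SERVICE"]}}}]},
}

if __name__ == "__main__":
    for pod in (BAD_POD, GOOD_POD):
        review = {"request": {"uid": "c0ffee", "object": pod}}
        print(json.dumps(admission_response(review), indent=2))
```

The `uid` in the response must echo the request's `uid` or the API server discards the verdict, and a denial carries its reasons in `status.message`, which is what `kubectl` shows the user. Note that `allowPrivilegeEscalation` is checked with `is not False`: an absent field defaults to true in the API, so "unset" is a violation, not a pass.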
Compliance
Kubernetes compliance frameworks
A practical guide to the Kubernetes compliance frameworks teams get audited against: CIS Benchmark, NSA/CISA Hardening, Pod Security Standards, SOC 2, PCI DSS, HIPAA, ISO 27001, NIST SP 800-190.
CIS Kubernetes Benchmark
The CIS Kubernetes Benchmark is the de-facto security checklist for clusters: around 120 controls spanning the control plane, worker nodes, and workload defaults.