Container Security

Kubernetes Security Assessment for Production Clusters

A misconfigured cluster is not a vulnerability. It is an open door to every workload you run.

Sherlock Forensics provides Kubernetes and container security assessments covering RBAC review, container escape testing, secrets management, network policies, pod security standards and CI/CD pipeline security. Cloud-managed and self-hosted clusters. Over 20 years of certified security experience. Contact 604.229.1994.

Kubernetes clusters run your most critical workloads. They hold your application code, your secrets, your database credentials and your customer data. A single RBAC misconfiguration or privileged container can give an attacker full control of every pod in your cluster. Container orchestration adds layers of complexity that traditional security testing does not address. Your Kubernetes configuration is your security posture.

Order a K8s Assessment Scope Your Assessment

Scope

What We Test in a Kubernetes Assessment

01 - RBAC

RBAC Misconfiguration

We audit every Role, ClusterRole, RoleBinding and ClusterRoleBinding in your cluster. We identify overly permissive rules, wildcard permissions, default service account tokens with excessive privileges and bindings that grant cluster-admin to workloads that do not need it. RBAC misconfigurations are the most common path from a compromised pod to full cluster takeover. We map the actual permission graph and flag every escalation path.

02 - Escape

Container Escape Testing

We test whether a compromised container can break out of its isolation boundary. This includes testing for privileged containers, dangerous Linux capabilities (SYS_ADMIN, SYS_PTRACE), host namespace sharing, host path volume mounts, writable hostPath volumes, Docker socket mounts and kernel exploit paths. A successful container escape gives the attacker access to the host node and potentially every workload running on it.

03 - Secrets

Secrets Management

Kubernetes secrets are base64-encoded, not encrypted at rest by default. We check etcd encryption configuration, secret access permissions, environment variable exposure, volume mount permissions and whether secrets are accessible from pods that should not have them. We verify integration with external secret stores (Vault, AWS Secrets Manager, GCP Secret Manager) and test for secret leakage through logs, error messages and API responses.

04 - Network

Network Policies

Without network policies, every pod in a Kubernetes cluster can communicate with every other pod. We test for missing network policies, overly permissive ingress and egress rules, namespace isolation gaps and DNS-based exfiltration paths. We verify that network policies enforce the principle of least privilege at the network layer and that sensitive workloads (databases, secret stores) are properly segmented from application pods.

05 - Pod

Pod Security Standards

We evaluate pod security contexts against the Kubernetes Pod Security Standards (Privileged, Baseline, Restricted). We check for containers running as root, missing security contexts, allowPrivilegeEscalation settings, read-only root filesystems, seccomp and AppArmor profiles and resource limits. Each misconfiguration widens the attack surface if a container is compromised.

06 - CI/CD

CI/CD Pipeline Security

Your build pipeline is the supply chain for your cluster. We test pipeline access controls, image signing and verification with tools like Cosign or Notary, container registry security, build environment isolation, deployment credential storage and whether your pipeline enforces admission policies before deploying to production. A compromised pipeline means compromised production.

Supply Chain

Helm Charts and Container Image Security

Helm Chart Review
Helm charts define your deployment configuration as code. We review chart templates for hardcoded secrets, insecure default values, missing security contexts, overly permissive RBAC templates and resource definitions that violate pod security standards. Third-party Helm charts from public repositories are a common source of insecure defaults that propagate into production clusters.
Container Image Analysis
We analyze your container images for known CVEs in base images and dependencies, unnecessary packages that expand the attack surface, embedded credentials, running processes as root and missing health check definitions. We verify that your image build process produces minimal, non-root images with only the packages required to run the application.
Admission Control
We test whether your cluster enforces admission policies that prevent insecure configurations from being deployed. This includes Pod Security Admission (PSA), OPA Gatekeeper or Kyverno policies that block privileged containers, enforce image signing requirements, require resource limits and prevent host namespace access. Without admission control, a single misconfigured deployment manifest can compromise your cluster security posture.

Environments

Cloud-Managed vs Self-Hosted Kubernetes

Amazon EKS

EKS integrates Kubernetes RBAC with AWS IAM through the aws-auth ConfigMap and EKS Pod Identity. We test IAM role mappings, IRSA (IAM Roles for Service Accounts) configurations, node group security, VPC networking and EKS-specific API server access controls. Misconfigured IAM-to-RBAC mappings are a frequent finding that grants broader cluster access than intended.

Google GKE

GKE offers Autopilot and Standard modes with different security implications. We test Workload Identity configurations, GKE-specific network policies, Binary Authorization enforcement, node auto-upgrade settings and GCP IAM integration. GKE Autopilot enforces stricter pod security by default but still requires proper Workload Identity and network policy configuration.

Self-Hosted Clusters

Self-hosted Kubernetes (kubeadm, k3s, Rancher) means you manage the control plane. We test etcd encryption and access controls, API server configuration flags, kubelet authentication and authorization, controller manager and scheduler security and certificate management. Self-hosted clusters carry the full responsibility for control plane security that cloud providers handle in managed offerings.

References

Standards and Resources

NSA/CISA Kubernetes Hardening Guide

Joint guidance from the National Security Agency and CISA on securing Kubernetes clusters. Our assessments validate compliance with these recommendations.

CIS Kubernetes Benchmark

The Center for Internet Security benchmark for Kubernetes. We test cluster configuration against CIS benchmark controls for both managed and self-hosted environments.

MITRE ATT&CK for Containers

MITRE's framework for container-specific attack techniques. We map findings to MITRE ATT&CK to contextualize risks within known adversary behavior patterns.

Frequently Asked Questions

Kubernetes Security FAQs

What does a Kubernetes security assessment cover?
Cluster configuration, RBAC policies, network policies, secrets management, pod security standards, container image security, ingress and egress controls, CI/CD pipeline security and Helm chart review. We test for container escape, lateral movement and privilege escalation across both cloud-managed and self-hosted environments.
What is container escape testing?
Container escape testing verifies that a compromised container cannot break out of its isolation to access the host system or other containers. We test for privileged containers, dangerous capabilities, host namespace sharing, host path mounts and kernel exploit paths.
Do you test cloud-managed Kubernetes services like EKS, GKE and AKS?
Yes. We test Amazon EKS, Google GKE and Azure AKS configurations including cloud-specific IAM integration, managed node group security, control plane access controls and cloud-native networking. Cloud-managed clusters have different attack surfaces than self-hosted Kubernetes.
How do RBAC misconfigurations lead to cluster compromise?
Overly permissive ClusterRoles, wildcard permissions, excessive service account privileges and unscoped default tokens allow an attacker who compromises a single pod to escalate to cluster-admin. We audit every Role, ClusterRole, RoleBinding and ClusterRoleBinding and map the full escalation graph.
Should we test our CI/CD pipeline as part of a Kubernetes assessment?
Yes. The CI/CD pipeline is the supply chain for your cluster. If an attacker compromises your build pipeline, they can inject malicious code into container images deployed to production. We test pipeline access controls, image signing, registry security, build environment isolation and deployment credential management.

Related

Penetration Testing

Our full penetration testing methodology covering web applications, APIs, infrastructure and mobile platforms.

API Security Testing

API penetration testing for REST, GraphQL and gRPC covering OWASP API Top 10, OAuth/JWT and authorization testing.

SaaS Penetration Testing

Multi-tenant security testing for SaaS companies including API security, data isolation and compliance-ready reporting.

Get Started

Your cluster configuration defines your security posture.

Kubernetes security assessment covering RBAC, container escape, network policies and CI/CD pipeline review.

Since 20064.8/5 ratingCISSP, ISSAP, ISSMP certified
Order Online

Scope Your Kubernetes Assessment

Tell us about your cluster architecture, cloud provider, workload count and compliance requirements. We will scope an assessment for your specific environment.

Call 604.229.1994
Phone
604.229.1994
Burnaby Office
Burnaby, BC, Canada
Coquitlam Office
Coquitlam, BC, Canada