Cluster and application security

Familiarize yourself with Kubernetes security essentials and review the secure setup for clusters and application security guidance. Kubernetes security is important throughout the container lifecycle because of the distributed, dynamic nature of a Kubernetes cluster. An application is only as secure as the weakest link in the chain of services that make it up.

Plan, train, and proof

As you get started, the security essentials checklist and Kubernetes security resources below will help you plan for cluster operations and application security. By the end of this section, you'll be able to answer these questions:

  • Have you reviewed the security and threat model of Kubernetes clusters?
  • Is your cluster enabled for Kubernetes role-based access control?

Security checklist:

Deploy to production and apply Kubernetes security best practices

As you prepare the application for production, implement a minimum set of best practices. Use this checklist at this stage. By the end of this section, you'll be able to answer these questions:

  • Have you set up network security rules for ingress, egress, and intra-pod communication?
  • Is your cluster set up to automatically apply node security updates?
  • Are you running a security scanning solution for your cluster and container services?

Security checklist:

Optimize and scale

Now that the application is in production, how can you optimize your workflow and prepare your application and team to scale? Use the optimization and scaling checklist to prepare. By the end of this section, you'll be able to answer this question:

  • Can you enforce governance and cluster policies at scale?

Security checklist:

  • Enforce cluster governance policies. Apply at-scale enforcements and safeguards on your clusters in a centralized, consistent manner. To learn more, see Control deployments with Azure Policy.

  • Rotate cluster certificates periodically. Kubernetes uses certificates for authentication with many of its components. You might want to periodically rotate those certificates for security or policy reasons. To learn more, see Rotate certificates in Azure Kubernetes Service (AKS).