
Kubernetes Security Review

Security review of Kubernetes clusters and workloads: RBAC, secrets management, network policies, and image hygiene. For platform and engineering teams running production workloads who need to reduce container and cluster risk without slowing delivery.

Pricing: €3,000 – €9,000

Service overview

  • Security review of Kubernetes clusters and workloads: RBAC, secrets, network policies, and image supply chain.
  • For platform and engineering teams running production containerised workloads (on-prem or cloud).
  • Solves: overprivileged workloads, plaintext secrets, missing segmentation, and lack of visibility into cluster and workload risk.

Typical security risks discovered

  • Overly permissive RBAC: cluster-admin or wildcard roles bound to workloads; roles not scoped to a namespace or to specific resources.
  • Secrets in plaintext: environment variables, ConfigMaps, or mounted volumes containing credentials.
  • Privileged or host-path workloads: containers running as root or with host access, increasing the blast radius of a compromise.
  • Missing network segmentation: no NetworkPolicies; all pods can reach each other and often external services.
  • Image and supply chain: base images with known CVEs; no image signing or admission control.
  • Insufficient logging and runtime visibility: no audit logging, no detection of suspicious pod or exec activity.

Assessment scope

  • Cluster configuration: API server, etcd, kubelet and control plane hardening; admission controllers.
  • RBAC and service accounts: principle of least privilege, namespace-scoped roles, audit of cluster-admin usage.
  • Secrets management: use of Secrets, external stores (e.g. Vault), avoidance of plaintext in manifests.
  • Workload security: non-root, read-only filesystem, dropped capabilities, resource limits; Pod Security Standards.
  • Network policies: segmentation between namespaces and workloads; egress control where required.
  • Images and supply chain: base image choice, vulnerability scanning, signing, and admission control (e.g. OPA).

Deliverables

  • Cluster and workload security report with findings and risk ratings.
  • RBAC and policy review with concrete recommendations and example manifests.
  • Secrets and configuration findings with remediation (e.g. external secrets operator, least privilege).
  • Prioritised remediation plan and, where useful, example policies or constraints.
  • Optional re-test after changes.

Expected outcomes

  • Clear view of cluster and workload risks (RBAC, secrets, network, images) with prioritised remediation.
  • Hardened RBAC and secrets handling; reduced risk of credential theft or lateral movement.
  • Alignment with Kubernetes security benchmarks (e.g. CIS Kubernetes) and container best practices.
  • Optional re-test to confirm critical and high issues are addressed.
