Kubernetes Security
Kubernetes is powerful and complex. One misconfigured RBAC binding or privileged pod is often all it takes to own a cluster.
What we review
RBAC audit — cluster-admin bindings, service account privileges, impersonation paths
Pod security — privileged containers, host namespace access, volume mounts
Network policies — missing deny-all defaults, unrestricted pod-to-pod traffic
Admission control — webhook trust, OPA/Kyverno policy coverage
Supply chain — image provenance, registry access, runtime enforcement
Secrets management — plaintext secrets in manifests, etcd encryption at rest
Workload identity — IRSA, Workload Identity, service account token projection
Cluster API access — unauthenticated endpoints, anonymous access, audit logging
Distributions & platforms we work with
Engagement Models
Architecture Review
1–2 weeks
We review your current architecture, identify systemic risks, and deliver a prioritized findings report with remediation guidance.
Project Engagement
2–6 weeks
Scoped engagement targeting a specific system, migration, or launch. Includes technical review, active testing, and a final debrief.
Security Retainer
Ongoing
On-call security expertise. We review PRs, consult on new designs, respond to incidents, and run quarterly health checks.