Kubernetes Hardening — Practical Checklist

Here’s a compact checklist that has saved me many hours:

  1. RBAC first — bind users and service accounts to namespaced Roles that grant only the verbs and resources they actually use; never hand out cluster-admin or wildcard (`*`) rules. Use Namespaces as the isolation boundary.
  2. Admission — enforce policy with Gatekeeper/OPA constraints: allowed image registries, required namespace labels, and mandatory resource requests/limits. Pod Security Admission (restricted profile) covers the common pod-level checks without extra tooling.
  3. Network — start from a default-deny NetworkPolicy for both ingress and egress in every namespace, then allow only the flows each workload needs. Split Ingress/Egress rules as needed, and remember a NetworkPolicy only does anything if the CNI enforces it.
  4. Pods — drop all capabilities (`capabilities.drop: ["ALL"]`); set `runAsNonRoot: true` and `allowPrivilegeEscalation: false`; use `readOnlyRootFilesystem: true` where possible (mount an emptyDir for paths that must be writable); set `seccompProfile.type: RuntimeDefault`; avoid hostNetwork/hostPID/hostIPC.
  5. Supply chain — sign images (Cosign) and verify the signature at admission; reference images by digest (`image@sha256:...`) rather than mutable tags; pull only from private registries.
  6. Runtime — enable API server audit logging and ship it to the SIEM; run Falco for suspicious syscalls and container behaviour.
  7. Backups — take scheduled etcd snapshots and use Velero for cluster resources and volumes. Test restores regularly; an untested backup is not a backup.
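The admission and pod-hardening items above (2, 4 and 5) boil down to a handful of checks on the pod spec. The following is an added example, not code from the original page or from any of the tools it names: a small admission-style linter that encodes those checks so you can run it over manifests before they reach the cluster (or in CI). The registry allowlist `ALLOWED_REGISTRIES`, the namespace/image names and the two sample pods are all constructed here for illustration.

```python
"""Admission-style pod checks for the hardening checklist.

Added example code (not part of the original page or any project):
the allowlist, sample pods and names below are assumptions made up
for illustration.
"""
import re

# Hypothetical private-registry allowlist (item 2 / item 5); a real
# cluster would carry its own.
ALLOWED_REGISTRIES = ("registry.internal.example/",)

# An image reference pinned by digest: <name>@sha256:<64 hex chars>
DIGEST_RE = re.compile(r"^[^@]+@sha256:[0-9a-f]{64}$")


def check_image(image: str) -> list[str]:
    """Supply-chain checks: allowed registry and digest pinning."""
    problems = []
    if not image.startswith(ALLOWED_REGISTRIES):
        problems.append(f"image {image!r} is not from an allowed registry")
    if not DIGEST_RE.match(image):
        problems.append(f"image {image!r} is not pinned by sha256 digest")
    return problems


def check_container(container: dict, pod_sc: dict) -> list[str]:
    """Pod-hardening checks (item 4) plus limits and image for one container.

    Container-level securityContext overrides pod-level for the fields
    that exist at both levels (runAsNonRoot, seccompProfile), so merge
    them the way the kubelet resolves them: container wins where set.
    """
    sc = {**pod_sc, **container.get("securityContext", {})}
    name = container.get("name", "<unnamed>")
    problems = []
    if sc.get("runAsNonRoot") is not True:
        problems.append(f"{name}: runAsNonRoot is not true")
    if sc.get("allowPrivilegeEscalation") is not False:
        problems.append(f"{name}: allowPrivilegeEscalation is not false")
    if sc.get("privileged"):
        problems.append(f"{name}: privileged container")
    if "ALL" not in sc.get("capabilities", {}).get("drop", []):
        problems.append(f"{name}: capabilities.drop does not include ALL")
    if sc.get("readOnlyRootFilesystem") is not True:
        problems.append(f"{name}: readOnlyRootFilesystem is not true")
    if sc.get("seccompProfile", {}).get("type") not in ("RuntimeDefault", "Localhost"):
        problems.append(f"{name}: seccompProfile is not set")
    if not container.get("resources", {}).get("limits"):
        problems.append(f"{name}: no resource limits")
    problems.extend(f"{name}: {p}" for p in check_image(container.get("image", "")))
    return problems


def check_pod(pod: dict) -> list[str]:
    """Return every checklist violation for a Pod manifest (empty list = pass)."""
    spec = pod.get("spec", {})
    problems = []
    if spec.get("hostNetwork") or spec.get("hostPID") or spec.get("hostIPC"):
        problems.append("host namespaces (hostNetwork/hostPID/hostIPC) enabled")
    pod_sc = spec.get("securityContext", {})
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        problems.extend(check_container(c, pod_sc))
    return problems


# Constructed sample: the kind of pod you get when nobody thought about it.
WEAK_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "web", "namespace": "shop"},
    "spec": {
        "hostNetwork": True,
        "containers": [{"name": "web", "image": "nginx:latest"}],
    },
}

# Constructed sample: the same pod after applying items 2, 4 and 5.
HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "web", "namespace": "shop"},
    "spec": {
        "securityContext": {
            "runAsNonRoot": True,
            "runAsUser": 10001,
            "seccompProfile": {"type": "RuntimeDefault"},
        },
        "containers": [{
            "name": "web",
            # Hypothetical registry and digest; pin to a real one in practice.
            "image": "registry.internal.example/shop/web@sha256:" + "0" * 64,
            "securityContext": {
                "allowPrivilegeEscalation": False,
                "readOnlyRootFilesystem": True,
                "capabilities": {"drop": ["ALL"]},
            },
            "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}},
        }],
    },
}

if __name__ == "__main__":
    for label, pod in (("weak", WEAK_POD), ("hardened", HARDENED_POD)):
        findings = check_pod(pod)
        print(f"{label}: {len(findings)} finding(s)")
        for f in findings:
            print("  -", f)
```

The merge in `check_container` matters: a container that sets `runAsNonRoot: false` silently overrides a pod-level `runAsNonRoot: true`, so a linter that only reads the pod-level block passes exactly the container that should fail. The same checks are what a Gatekeeper constraint or the Pod Security Admission `restricted` profile enforce server-side; running them in CI just moves the failure earlier.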