# Kubernetes Infrastructure Security

By [Tsahi Duek](https://www.paloaltonetworks.com/blog/author/tsahi-duek/?ts=markdown "Posts by Tsahi Duek"), Aug 18, 2020, 6 minutes. [Cloud Workload Protection Platform](https://www.paloaltonetworks.com/blog/cloud-security/category/cloud-workload-protection-platform/?ts=markdown) [Cloud infrastructure](https://www.paloaltonetworks.com/blog/tag/cloud-infrastructure/?ts=markdown) [Guest post](https://www.paloaltonetworks.com/blog/tag/guest-post/?ts=markdown)

Kubernetes has become the de facto standard for running container applications at scale. As in any large-scale platform, security is a foundational element of a healthy, robust and stable platform.
However, while many Kubernetes users are clearly aware of the security concerns regarding their application configurations, such as network segmentation ([network policies](https://kubernetes.io/docs/concepts/services-networking/network-policies/)), secrets configuration (using one of the available key management systems), and scanning codebases and images for vulnerabilities, there is another important layer of issues: the security of the underlying Kubernetes infrastructure across the two main processes, CI/CD and runtime.

## CI/CD

The continuous integration process usually gets people thinking about building, verifying and managing artifacts (JARs, Gems, binaries, Docker images, AMIs, and so on), with a variety of tools and products involved. When it comes to infrastructure, the assumption is that it's already "there." However, there are several things we should take into consideration.

### Automatic Management of Development, Staging, and Production Clusters

When managing infrastructure for your Kubernetes cluster, it's important to avoid misconfiguring the instances connected to the cluster. For example, developers might want to test new features in their development clusters. That means they might want to make the cluster a little less secure during development: open some ports on the nodes, remove restrictive network policies, run a different AMI than the one running in production, and so on. Making such configuration changes manually can accidentally affect other "higher environment" clusters. To avoid such unintended effects, an automated and manageable way of running Kubernetes infrastructure is needed. This is where tools like [Ocean by Spot](https://spot.io/products/ocean/) kick in, taking care of all scaling activities for your Kubernetes cluster.

### Central Configuration

When managing cluster infrastructure, we need to make sure that all instances are configured properly.
For example, we wouldn't want to use our staging cluster's [IAM](https://www.paloaltonetworks.com/blog/2020/02/cloud-iam-security/) role for our development cluster, or to allow traffic intended for debugging on our development cluster to reach our production cluster. This is why central configuration is so important: no one should simply "launch" an instance. All instances should be created from a single configuration. Whether that configuration resides in a CloudFormation template, a Terraform file or any auto-scaling mechanism that supports blueprints, we're covered, and mixing configurations across environments is avoided. When multiple instance blueprints are needed in the same cluster, mechanisms such as Kops instance groups, AWS node groups, GKE node pools, or Ocean launch specifications are the right way to go.

### Updated OS Image

Using containers does not free us from applying updates and patches to the underlying infrastructure. Kubernetes operators still need to apply those patches and updates regularly. Luckily, cloud managed services make our lives much easier by providing up-to-date OS images for our Kubernetes clusters (whether the [Amazon EKS Optimized AMI](https://docs.aws.amazon.com/eks/latest/userguide/eks-optimized-ami.html), the [COS image for GKE](https://cloud.google.com/container-optimized-os/docs), or any other cloud provider-specific image). However, we still need to make sure there is a process that auto-updates the AMI.
Such processes can either create alerts when new AMIs are available or use automated services such as:

* Ocean's [AMI-Auto-Update](https://help.spot.io/spotinst-api/ocean/ocean-cloud-api/ocean-for-ecs/create/#cluster.compute.optimizeImages) for ECS
* Kops upgrades, which automatically update the AMI configuration on the instance groups managed by Kops
* The official AWS eksctl tool, which uses immutable upgrades for node groups (creating a new node group with the updated AMI)

## Runtime

Security does not end when applications have been securely deployed to the cluster. We should make sure our infrastructure is able to react to security threats on an ongoing basis. Below are some of the infrastructure security concerns that need to be addressed while running applications on Kubernetes.

### Restricted Access to Infrastructure

Access to the underlying infrastructure should be restricted, and management should be fully automated to reduce human error. With Ocean by Spot.io, all configuration and scaling activities are fully automated, making it easy for the Kubernetes administrator to restrict access to only those who absolutely need it.

### Automated Scaling

When demand for your application increases, your pods start to scale out (usually via the Kubernetes [Horizontal Pod Autoscaler](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/)). In that case, you need enough capacity in your cluster for those additional pods to reach the "Running" state. However, manually launching additional nodes to obtain that capacity can result in misconfigured nodes due to human error: old OS images, incorrect security-group rules, instances launched in public subnets instead of private ones, and other potential security risks.
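The checks that the Central Configuration, Updated OS Image and Automated Scaling sections call for (a node not launched from any blueprint, a stale image, another environment's IAM role, an extra security group, a node in a public subnet) can be turned into a drift audit that runs against the node inventory. The script below is an added example, not code from this post or from Spot; its node records, image IDs, subnet, security-group and role names are constructed placeholders, shaped like `kubectl get nodes` labels joined with the cloud provider's description of the backing instance.

```python
"""Audit worker nodes against a per-environment launch blueprint.

Added example: the node records are constructed sample data shaped like
`kubectl get nodes -o json` labels joined with the cloud provider's
description of the backing instance (image, subnet, security groups, IAM
instance profile). Every AMI, subnet, group and role name below is a
placeholder, not a real identifier.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Blueprint:
    """The single configuration every instance in one environment is launched from."""
    ami: str                          # currently approved OS image
    iam_profile: str                  # instance profile nodes must run with
    security_groups: frozenset[str]   # exact set of groups expected on a node
    private_subnets: frozenset[str]   # nodes may only live in these subnets


BLUEPRINTS = {
    "dev": Blueprint("ami-dev-2020-08", "eks-dev-node",
                     frozenset({"sg-dev-nodes"}),
                     frozenset({"subnet-dev-priv-a", "subnet-dev-priv-b"})),
    "staging": Blueprint("ami-stg-2020-08", "eks-staging-node",
                         frozenset({"sg-stg-nodes"}),
                         frozenset({"subnet-stg-priv-a"})),
    "prod": Blueprint("ami-prod-2020-08", "eks-prod-node",
                      frozenset({"sg-prod-nodes"}),
                      frozenset({"subnet-prod-priv-a", "subnet-prod-priv-b"})),
}

# Constructed inventory: one clean node and four with deliberate drift.
NODES = [
    {"name": "ip-10-0-1-10", "labels": {"env": "prod"}, "ami": "ami-prod-2020-08",
     "iam_profile": "eks-prod-node", "security_groups": ["sg-prod-nodes"],
     "subnet": "subnet-prod-priv-a"},
    {"name": "ip-10-0-1-11", "labels": {"env": "prod"}, "ami": "ami-prod-2020-05",  # stale image
     "iam_profile": "eks-prod-node", "security_groups": ["sg-prod-nodes"],
     "subnet": "subnet-prod-priv-b"},
    {"name": "ip-10-0-2-20", "labels": {"env": "dev"}, "ami": "ami-dev-2020-08",
     "iam_profile": "eks-staging-node",                                           # staging role on dev
     "security_groups": ["sg-dev-nodes"], "subnet": "subnet-dev-priv-a"},
    {"name": "ip-10-0-2-21", "labels": {"env": "dev"}, "ami": "ami-dev-2020-08",
     "iam_profile": "eks-dev-node",
     "security_groups": ["sg-dev-nodes", "sg-debug-open"],                        # extra debug group
     "subnet": "subnet-dev-pub-a"},                                               # public subnet
    {"name": "ip-10-0-9-99", "labels": {}, "ami": "ami-custom-1",                  # launched by hand
     "iam_profile": "eks-dev-node", "security_groups": ["sg-dev-nodes"],
     "subnet": "subnet-dev-priv-a"},
]


def audit_node(node: dict, blueprints: dict[str, Blueprint]) -> list[str]:
    """Return human-readable findings for one node; an empty list means it matches its blueprint."""
    env = node["labels"].get("env")
    if env not in blueprints:
        return [f"no known environment label (env={env!r}); not launched from a blueprint"]
    bp = blueprints[env]
    findings = []
    if node["ami"] != bp.ami:
        findings.append(f"image {node['ami']} is not the approved {bp.ami}")
    if node["iam_profile"] != bp.iam_profile:
        # Point out when the role actually belongs to a different environment's blueprint.
        owners = [e for e, b in blueprints.items() if b.iam_profile == node["iam_profile"]]
        hint = f" (belongs to {owners[0]})" if owners else ""
        findings.append(f"IAM profile {node['iam_profile']}{hint} is not {bp.iam_profile}")
    groups = set(node["security_groups"])
    if groups - bp.security_groups:
        findings.append(f"unexpected security groups {sorted(groups - bp.security_groups)}")
    if bp.security_groups - groups:
        findings.append(f"missing security groups {sorted(bp.security_groups - groups)}")
    if node["subnet"] not in bp.private_subnets:
        findings.append(f"subnet {node['subnet']} is not an approved private subnet")
    return findings


def audit_cluster(nodes: list[dict], blueprints: dict[str, Blueprint] = BLUEPRINTS) -> dict[str, list[str]]:
    """Map each drifted node name to its findings; nodes that match their blueprint are omitted."""
    report = {}
    for node in nodes:
        findings = audit_node(node, blueprints)
        if findings:
            report[node["name"]] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit_cluster(NODES).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

In a real cluster the `NODES` list would be built from the node labels plus the provider's instance API, and the audit would run on a schedule or on every node-join event so that a hand-launched or stale instance is reported before workloads land on it.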
Here too, Ocean by Spot.io can help, with properly configured, container-driven autoscaling that takes into account the requirements of all the pods that are running and all those waiting to launch.

### Reacting to Attacks

When running your infrastructure in an automated way, there is a potential risk of losing control over your infrastructure's scale in case of an attack on your application. The reason is that when your application is under attack, your pods will begin to scale out to absorb the surge in traffic or usage, which in turn triggers infrastructure scale-out. To prevent this, Ocean allows you to define not only the maximum number of instances, but also cluster-wide [resource limits](https://help.spot.io/spotinst-api/ocean/ocean-cloud-api/ocean-for-aws/create-2/#cluster.autoScaler.resourceLimits) on CPU and memory. This is very useful when you have heterogeneous instances in your cluster, each of a different size and therefore with a different pod capacity. When the cluster reaches the configured CPU threshold, scaling is suspended.

### Unauthorized Instance Types

Managing heterogeneous instances for your Kubernetes cluster requires the administrator to create different blueprints for all of the instance types and sizes the application needs to run on. That means that while implementing autoscaling on the cluster, the operator still needs to exclude the instances that are not allowed to run in the cluster (whether from a cost or a performance perspective). This can be achieved by creating ASGs that support multiple instance types, by using GKE node auto-provisioning, which creates and deletes node pools automatically, or by using Ocean's [allow/deny list](https://help.spot.io/spotinst-api/ocean/ocean-cloud-api/ocean-for-aws/create-2/#cluster.compute.instanceTypes.whitelist) for instance types.
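The cluster-wide CPU and memory ceiling described under Reacting to Attacks, combined with an instance-type allow-list, can be modelled as a bounded scale-out decision: pending pods get new capacity only from allowed instance types, and scale-out is suspended once the next launch would breach the instance count or the cluster-wide CPU or memory limit. The code below is an added example, not Ocean's implementation or code from this post; the instance catalog, limits and pending pods are constructed, the matching of a pod's `node.kubernetes.io/instance-type` selector is simplified, and pending pods are assumed not to fit on existing nodes (which is why they are pending).

```python
"""Scale-out decision bounded by cluster-wide limits and an instance-type allow-list.

Added example. Instance catalog, limits and pending pods are constructed
sample data; the logic is a simplified model of the controls the post
describes, not Ocean's implementation. Pending pods are assumed not to fit
on existing nodes, so only newly launched capacity is considered for them.
"""
from __future__ import annotations

from dataclasses import dataclass, field

INSTANCE_TYPE_LABEL = "node.kubernetes.io/instance-type"

# (vCPU, GiB memory) per instance type; constructed values.
CATALOG = {
    "m5.large": (2, 8),
    "m5.xlarge": (4, 16),
    "m5.4xlarge": (16, 64),
    "x1.32xlarge": (128, 1952),
}


@dataclass(frozen=True)
class ClusterLimits:
    max_instances: int
    max_cpu: int                 # cluster-wide vCPU ceiling across all nodes
    max_memory: int              # cluster-wide GiB ceiling across all nodes
    allowed_types: frozenset[str]


@dataclass
class PendingPod:
    name: str
    cpu: float
    memory: float
    node_selector: dict[str, str] = field(default_factory=dict)


@dataclass
class Decision:
    launches: list[str] = field(default_factory=list)    # instance types to launch, in order
    scheduled: list[str] = field(default_factory=list)   # pods that received capacity
    suspended: list[str] = field(default_factory=list)   # blocked by a cluster-wide limit
    rejected: list[str] = field(default_factory=list)    # no allowed type satisfies the pod


def plan_scale_out(current_types: list[str], pending: list[PendingPod], limits: ClusterLimits) -> Decision:
    """Decide which instance types to launch for the pending pods without breaching the limits."""
    count = len(current_types)
    cpu = sum(CATALOG[t][0] for t in current_types)
    mem = sum(CATALOG[t][1] for t in current_types)
    free: list[list[float]] = []  # remaining [cpu, mem] on each node planned in this pass
    d = Decision()
    for pod in pending:
        wanted = pod.node_selector.get(INSTANCE_TYPE_LABEL)
        # Allowed types the selector permits and that can hold the pod, smallest first.
        candidates = [t for t in sorted(limits.allowed_types, key=CATALOG.get)
                      if wanted in (None, t)
                      and CATALOG[t][0] >= pod.cpu and CATALOG[t][1] >= pod.memory]
        if not candidates:
            d.rejected.append(pod.name)
            continue
        # Reuse room on a node already planned in this pass before launching another.
        placed = False
        for i, room in enumerate(free):
            if wanted in (None, d.launches[i]) and room[0] >= pod.cpu and room[1] >= pod.memory:
                room[0] -= pod.cpu
                room[1] -= pod.memory
                placed = True
                break
        if placed:
            d.scheduled.append(pod.name)
            continue
        t = candidates[0]
        tcpu, tmem = CATALOG[t]
        # The cluster-wide ceilings suspend scale-out even though pods are still pending.
        if count + 1 > limits.max_instances or cpu + tcpu > limits.max_cpu or mem + tmem > limits.max_memory:
            d.suspended.append(pod.name)
            continue
        count, cpu, mem = count + 1, cpu + tcpu, mem + tmem
        d.launches.append(t)
        free.append([tcpu - pod.cpu, tmem - pod.memory])
        d.scheduled.append(pod.name)
    return d


# Constructed scenario: three m5.large nodes already full, a mixed batch of pending pods.
CURRENT_NODES = ["m5.large"] * 3
LIMITS = ClusterLimits(max_instances=6, max_cpu=16, max_memory=64,
                       allowed_types=frozenset({"m5.large", "m5.xlarge", "m5.4xlarge"}))
PENDING = [
    PendingPod("web-1", 1, 2), PendingPod("web-2", 1, 2), PendingPod("web-3", 1, 2),
    PendingPod("batch-1", 3, 8, {INSTANCE_TYPE_LABEL: "m5.xlarge"}),
    PendingPod("web-4", 1, 2), PendingPod("web-5", 1, 2), PendingPod("web-6", 1, 2),
    PendingPod("gpu-1", 1, 2, {INSTANCE_TYPE_LABEL: "x1.32xlarge"}),  # type not on the allow-list
    PendingPod("huge-1", 32, 64),                                     # larger than any allowed type
]


def surge(n: int) -> list[PendingPod]:
    """Pending pods produced by a traffic surge, for instance an attack driving the HPA."""
    return [PendingPod(f"web-{i}", 1, 2) for i in range(n)]


if __name__ == "__main__":
    print(plan_scale_out(CURRENT_NODES, PENDING, LIMITS))
    print(plan_scale_out(CURRENT_NODES, surge(50), LIMITS))
```

With the constructed limits, the mixed batch results in two `m5.large` launches and one `m5.xlarge`, one pod suspended because the seventh instance would exceed `max_instances`, and two pods rejected because their requirements cannot be met by any allowed type. A 50-pod surge still produces only three launches: the ceiling, not the pending-pod count, decides how far the infrastructure grows.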
With Ocean, you can create a subset of allowed instance types for the cluster, while giving your developers the flexibility to specify any nodeAffinity/nodeSelector on the [built-in instance-type label](https://kubernetes.io/docs/reference/kubernetes-api/labels-annotations-taints/#nodekubernetesioinstance-type) in Kubernetes. Ocean will launch the instance types that satisfy the nodeAffinity/nodeSelector only if that instance type is in the allow-list.

## Summary

While security at the container level is of the utmost importance, we must pay close attention to [Kubernetes security](https://www.paloaltonetworks.com/cyberpedia/kubernetes-security) and how we're handling the underlying infrastructure of our Kubernetes cluster. Hopefully the concepts and suggestions above will go a long way in keeping your containerized environment as safe as possible.