# How to Create Secure Kubernetes Clusters From the Start

By [Theo Despoudis](https://www.paloaltonetworks.com/blog/author/theo-despoudis/?ts=markdown "Posts by Theo Despoudis") | Oct 30, 2020 | 6 minutes

[Cloud Workload Protection Platform](https://www.paloaltonetworks.com/blog/cloud-security/category/cloud-workload-protection-platform/?ts=markdown) | [DevSecOps](https://www.paloaltonetworks.com/blog/cloud-security/category/devsecops/?ts=markdown)

If you've decided to set up and deploy a Kubernetes cluster, ensuring proper security controls and alignment with the overall organizational security strategy can be a daunting process. Security should not be an afterthought: it is vital throughout the application lifecycle, and it needs to be baked in from the start, during the critical architectural decisions.
Bearing this in mind, what are the first steps to ensuring secure clusters? In this guide we compile a checklist of good practices and actions to perform in order to establish a secure cluster for running containerized applications.

## **A Security Checklist for Kubernetes Clusters**

When creating a new Kubernetes cluster for production environments, you should generally be guided by the following requirements, categorized by their main principles:

### **Availability**

**Ensure that the cluster is set up for high availability:**

* **Why:** To prevent single points of failure when a node fails to start or has an unexpected outage. You need to make sure that the cluster remains operational in those circumstances.
* **When:** When assigning the master nodes, typically in the cluster-creation phase.
* **How:** When defining the nodes that act as masters, create at least three nodes meeting the minimum hardware requirements. Also define at least three nodes that act exclusively as workers (not as both master and worker), so that if a worker node crashes, another node can host the application workloads. When using a managed Kubernetes cluster, the provider handles control plane availability, so you only have to size the worker node capacity on your side.

### **Confidentiality**

**Ensure all sensitive data are encrypted both in transit and at rest:**

* **Why:** To protect sensitive information in the cluster from being exposed to unauthorized users.
* **When:** When setting up the cluster and when joining new nodes to the cluster.
* **How:** First, enable encryption at rest for cluster data, as it is not enabled by default. This is done by passing the `--encryption-provider-config` flag pointing at an encryption configuration file of `kind: EncryptionConfig`, which defines how data is encrypted in etcd. You also need to make sure that the communication between etcd peers, and between etcd and the kube-apiserver, is encrypted.
When using a managed Kubernetes service, this is typically handled by the provider. With custom clusters, however, you have to set this up from the beginning.

### **Integrity**

**Ensure file integrity checks at the service and application layers are in place:**

* **Why:** To prevent unauthorized changes to the filesystem or other critical data of the Kubernetes cluster.
* **When:** When running the cluster for production workloads.
* **How:** Install a [Kubernetes-specific agent](https://www.paloaltonetworks.com/prisma/environments/kubernetes) to protect the application and the underlying compute resources. When running managed Kubernetes, you have no or limited access to the control plane, as the cloud provider handles that for you. However, you can still perform security scans on the worker nodes.

### **Accountability**

**Ensure that there is a sound audit logging policy:**

* **Why:** To track the series of events performed against the Kubernetes API, you need to enable audit logging. You are especially looking for suspicious or unauthorized activities.
* **When:** Whenever you start the kube-apiserver.
* **How:** Start the kube-apiserver binary with the `--audit-policy-file` flag specifying a YAML file with the `audit.k8s.io/v1` apiVersion header. DigitalOcean currently does not offer this kind of logging. Google Cloud and AWS have this audit logging enabled by default, and you have the option to disable it. Additional charges apply depending on the kinds of activity logs enabled, though.

### **Additional Security Requirements**

**Ensure access controls are in place:**

* **Why:** You need to ensure that only authorized actors can perform actions (verbs) on resources. Actors can be real users or other machines. Verbs can be get, list, execute, update, etc. Resources can be configmaps, deployments, volumes, etc.
* **When:** When creating the cluster and when administering new resources and actors.
* **How:** Luckily, there are myriad configuration options when it comes to access controls and authorization. First, create namespaces to separate logical resources and introduce the initial boundaries. Then [enable RBAC](https://kubernetes.io/docs/reference/access-authn-authz/rbac/) for authorization rules. Next, look into the general Node and Pod admission policies by reviewing the [admission controller configuration](https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/). For more granular configuration you can use Pod Security Policies (a K8s 1.19-only feature). When using managed Kubernetes, many of these protections are enabled by default; however, you may find that you need to configure additional policies (for IAM access, for example).

**Ensure that the cluster uses the latest available Kubernetes version:**

* **Why:** Kubernetes frequently receives security updates, some of them critical. To safeguard against vulnerabilities, it's important to stay on top of those updates regularly.
* **When:** Initially when creating the cluster; then subsequently, checking every quarter unless a zero-day exploit fix has been offered earlier.
* **How:** For custom clusters, download the latest GA version from the [release](https://kubernetes.io/docs/setup/release/notes/) pages. For managed clusters there is usually a list of predefined options when choosing the version, which may not include the latest available. With Google Cloud you have the option to enroll in a [release channel](https://cloud.google.com/kubernetes-engine/docs/concepts/release-channels) that offers different trade-offs between having the latest features and having the latest stable updates. For AWS EKS, the [latest supported version](https://docs.aws.amazon.com/eks/latest/userguide/kubernetes-versions.html) is 1.17. For Azure, [the latest is 1.18](https://docs.microsoft.com/en-us/azure/aks/supported-kubernetes-versions).
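The encryption-at-rest configuration referenced in the Confidentiality item, as an added example that is not from the original post: a stdlib-only Python linter for the file that `--encryption-provider-config` points at. It assumes the current `apiserver.config.k8s.io/v1` / `kind: EncryptionConfiguration` schema (the post's `EncryptionConfig` is the older alpha name), and it embeds a constructed sample that makes the most common mistake, listing `identity` first; `check_encryption_config` and `fix_provider_order` are my names.

```python
"""Lint a kube-apiserver EncryptionConfiguration for the classic footguns.
Added example, not code from the original post. Stdlib only."""
import base64
import copy
import json
import os

# Demo key generated at import time; in production generate it once
# (e.g. `head -c 32 /dev/urandom | base64`) and keep it out of the repo.
DEMO_KEY = base64.b64encode(os.urandom(32)).decode()

# Constructed sample (JSON is valid YAML, so this is the same structure the
# --encryption-provider-config file holds). Mistake: identity is listed first.
WEAK_CONFIG = json.loads("""
{"apiVersion": "apiserver.config.k8s.io/v1",
 "kind": "EncryptionConfiguration",
 "resources": [
   {"resources": ["secrets", "configmaps"],
    "providers": [
      {"identity": {}},
      {"aescbc": {"keys": [{"name": "key1", "secret": "%s"}]}}]}]}
""" % DEMO_KEY)

ENCRYPTING = {"aescbc", "aesgcm", "secretbox", "kms"}
AES_KEY_SIZES = {16, 24, 32}  # valid key lengths in bytes for aescbc/aesgcm


def check_encryption_config(cfg: dict) -> list[str]:
    """Return findings; an empty list means the config passes."""
    findings = []
    if (cfg.get("apiVersion"), cfg.get("kind")) != (
            "apiserver.config.k8s.io/v1", "EncryptionConfiguration"):
        findings.append("expected apiserver.config.k8s.io/v1 EncryptionConfiguration")
    covered = set()
    for entry in cfg.get("resources", []):
        names = ",".join(entry.get("resources", []))
        covered.update(entry.get("resources", []))
        providers = entry.get("providers", [])
        # Only the FIRST provider encrypts new writes; later ones just decrypt.
        first = next(iter(providers[0])) if providers else "none"
        if first not in ENCRYPTING:
            findings.append(f"{names}: first provider is {first}, "
                            "so new writes land in etcd in plaintext")
        for prov in providers:
            for pname, body in prov.items():
                for key in body.get("keys", []) if pname in ("aescbc", "aesgcm") else []:
                    if len(base64.b64decode(key["secret"])) not in AES_KEY_SIZES:
                        findings.append(f"{names}: key {key['name']} is not a "
                                        "16/24/32-byte AES key")
    if "secrets" not in covered:
        findings.append("secrets are not covered by any encryption rule")
    return findings


def fix_provider_order(cfg: dict) -> dict:
    """Move identity last: the encrypting provider then handles new writes,
    while identity still lets pre-existing plaintext objects be read."""
    fixed = copy.deepcopy(cfg)
    for entry in fixed.get("resources", []):
        provs = entry.get("providers", [])
        entry["providers"] = ([p for p in provs if "identity" not in p]
                              + [p for p in provs if "identity" in p])
    return fixed
```

Objects written before the fix stay in plaintext until they are rewritten, so after reordering the providers, re-save existing secrets so they get encrypted.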
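The audit policy mentioned in the Accountability item, as an added example that is not from the original post: a stdlib-only Python model of how kube-apiserver evaluates an `audit.k8s.io/v1` Policy (rules are tried in order, the first match wins) run against a constructed sample policy. `level_for`, `_matches` and `check_policy` are my names, and the matcher covers only the `users`, `verbs`, `namespaces` and `resources` selectors, not `userGroups` or `nonResourceURLs`.

```python
"""Model kube-apiserver audit Policy evaluation: rules are tried in order and
the first match sets the level. Added example, not from the original post."""
import json

# Constructed sample policy (JSON is valid YAML, so this is the shape of the
# file that --audit-policy-file points at).
POLICY = json.loads("""
{"apiVersion": "audit.k8s.io/v1",
 "kind": "Policy",
 "omitStages": ["RequestReceived"],
 "rules": [
   {"level": "None", "users": ["system:kube-proxy"], "verbs": ["watch"],
    "resources": [{"group": "", "resources": ["endpoints", "services"]}]},
   {"level": "Metadata",
    "resources": [{"group": "", "resources": ["secrets", "configmaps"]},
                  {"group": "authentication.k8s.io", "resources": ["tokenreviews"]}]},
   {"level": "Request", "verbs": ["get", "list", "watch"]},
   {"level": "RequestResponse"}]}
""")

SELECTORS = ("users", "verbs", "namespaces", "resources")


def _matches(rule: dict, ev: dict) -> bool:
    """A rule matches when every selector it sets is satisfied by the event."""
    if rule.get("users") and ev.get("user") not in rule["users"]:
        return False
    if rule.get("verbs") and ev.get("verb") not in rule["verbs"]:
        return False
    if rule.get("namespaces") and ev.get("namespace") not in rule["namespaces"]:
        return False
    if rule.get("resources"):
        return any(r.get("group", "") == ev.get("group", "")
                   and (not r.get("resources") or ev.get("resource") in r["resources"])
                   for r in rule["resources"])
    return True


def level_for(policy: dict, ev: dict) -> str:
    """First matching rule wins; a request no rule matches is not logged."""
    for rule in policy["rules"]:
        if _matches(rule, ev):
            return rule["level"]
    return "None"


def check_policy(policy: dict) -> list[str]:
    """Findings a reviewer would raise; an empty list means the policy passes."""
    findings = []
    if (policy.get("apiVersion"), policy.get("kind")) != ("audit.k8s.io/v1", "Policy"):
        findings.append("expected audit.k8s.io/v1 Policy")
    rules = policy.get("rules", [])
    if not rules or any(k in rules[-1] for k in SELECTORS):
        findings.append("last rule is not an unconditional catch-all, "
                        "so unmatched requests are silently dropped")
    # Secret bodies must never reach the log: probe a secret write.
    probe = {"user": "alice", "verb": "create", "group": "",
             "resource": "secrets", "namespace": "prod"}
    if level_for(policy, probe) in ("Request", "RequestResponse"):
        findings.append("secrets are logged at Request/RequestResponse, "
                        "which copies secret data into the audit log")
    return findings
```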
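The namespaces-plus-RBAC step in the access-controls item, as an added example that is not from the original post: a stdlib-only Python pre-apply check over constructed `rbac.authorization.k8s.io/v1` manifests (embedded as JSON, which is valid YAML) that flags the patterns that defeat least privilege. `check_rbac` and the sample object names are mine.

```python
"""Flag RBAC objects that defeat least privilege before they are applied.
Added example, not from the original post. Stdlib only."""
import json

# Constructed sample manifests: one tight namespaced Role, one wildcard
# ClusterRole and a ClusterRoleBinding that hands cluster-admin to a CI bot.
MANIFESTS = json.loads("""[
 {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "Role",
  "metadata": {"name": "app-reader", "namespace": "payments"},
  "rules": [{"apiGroups": [""], "resources": ["pods", "configmaps"],
             "verbs": ["get", "list", "watch"]}]},
 {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRole",
  "metadata": {"name": "too-broad"},
  "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
 {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRoleBinding",
  "metadata": {"name": "ci-admin"},
  "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole",
              "name": "cluster-admin"},
  "subjects": [{"kind": "ServiceAccount", "name": "ci", "namespace": "default"}]}
]""")

READ = {"get", "list", "watch"}
# Verbs that let a subject grow its own permissions or act as someone else.
ESCALATING = {"escalate", "bind", "impersonate"}


def check_rbac(objs: list[dict]) -> list[str]:
    """Return findings; an empty list means the manifests pass."""
    findings = []
    for obj in objs:
        kind, name = obj["kind"], obj["metadata"]["name"]
        ref = f"{kind}/{name}"
        if kind in ("Role", "ClusterRole"):
            for rule in obj.get("rules", []):
                verbs, res = set(rule.get("verbs", [])), set(rule.get("resources", []))
                if "*" in verbs or "*" in res or "*" in rule.get("apiGroups", []):
                    findings.append(f"{ref}: wildcard verbs, resources or apiGroups")
                if "secrets" in res and verbs & READ:
                    findings.append(f"{ref}: grants read access to secrets")
                if verbs & ESCALATING:
                    findings.append(f"{ref}: grants {sorted(verbs & ESCALATING)}")
        elif kind in ("RoleBinding", "ClusterRoleBinding"):
            role = obj["roleRef"]["name"]
            for s in obj.get("subjects", []):
                if role == "cluster-admin" and not s["name"].startswith("system:"):
                    findings.append(f"{ref}: binds cluster-admin to {s['kind']} {s['name']}")
                if s["kind"] == "Group" and s["name"] in ("system:authenticated",
                                                          "system:unauthenticated"):
                    findings.append(f"{ref}: grants {role} to every {s['name']} principal")
    return findings
```

Run it over rendered manifests in CI so a wildcard rule or a cluster-admin binding to a workload identity fails the pipeline before it reaches the cluster.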
## **Additional Points**

That concludes our security checklist of best practices when creating Kubernetes clusters from the start. Always remember that by ensuring a secure baseline configuration with respect to the security triad, you can safeguard against the most common infrastructure attacks. Naturally, setting up a cluster is only a starting point. Continuing to monitor and proactively reduce attack vectors in the infrastructure deployments can mitigate risks and stop those that slip through the cracks from doing damage.

*Prisma Cloud offers unmatched defense-in-depth for Kubernetes container platforms, including Red Hat OpenShift®. [Palo Alto Networks is a Red Hat OpenShift Ready Partner](https://www.paloaltonetworks.com/prisma/environments/red-hat-openshift), helping organizations across government, healthcare, financial services and the intelligence community secure their cloud native environments.*

*To learn more about how to integrate and automate continuous security methods into your entire DevOps pipeline, check out the Red Hat webinar series Modernize & Secure Your Lifecycle with DevSecOps, where the Prisma Cloud team speaks about [DevSecOps for cloud native applications](https://www.brighttalk.com/webinar/devsecops-for-cloud-native-applications-with-prisma-cloud/).*