Skip to content

Kubernetes Workload Security

Production-oriented workloads run as non-root, disable privilege escalation, drop unnecessary capabilities, and use read-only root filesystems where compatible. Privileged containers, host networking, host PID/IPC, and hostPath mounts require explicit security approval.

Every workload defines resource requests. Production workloads define limits after observing realistic behavior. Readiness probes protect traffic; liveness probes are used only when they can distinguish a process that needs restart from temporary dependency failure. Startup probes protect slow initialisation.

Images come from approved registries and avoid latest in declared production state. Service accounts are dedicated and least-privileged. Secrets are provided through approved external-secret mechanisms rather than plain Git values.