Kubernetes Security Audit
Evaluate the security posture of your container orchestration platform across cluster configuration, RBAC governance and container isolation.
What is a Kubernetes Security Audit?
A Kubernetes Security Audit evaluates the security posture of your container orchestration platform across three complementary dimensions: cluster configuration against the CIS Kubernetes Benchmark, RBAC permissions and identity governance, and container isolation through 8 layers of defence in depth.
CIS Benchmark — CIS Kubernetes Benchmark v1.9
130 controls across 5 sections: control plane components (API server, scheduler, controller-manager), etcd security, control plane configuration, worker nodes (kubelet, file permissions), and policies (RBAC, Pod Security Standards, NetworkPolicies, Service Accounts).
RBAC Audit — Role-Based Access Control
Deep analysis of Kubernetes permissions and identities: Service Accounts, ClusterRoles that use wildcards, cluster-admin role assignments, traceability of platform tokens, impersonation mechanisms, and detection of orphaned users followed by revocation of obsolete access.
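As an added illustration of the two RBAC checks named above (wildcard ClusterRoles and cluster-admin assignments), the following script is example code written for this page, not Tomeris tooling. It reads the JSON that `kubectl get clusterroles,clusterrolebindings -o json` produces; the sample input embedded below is constructed.

```python
import json

BOOTSTRAP_LABEL = "kubernetes.io/bootstrapping"  # "rbac-defaults" marks built-in roles

def wildcard_roles(items):
    """Names of non-built-in ClusterRoles using '*' in verbs, resources or apiGroups."""
    found = set()
    for obj in items:
        if obj.get("kind") != "ClusterRole":
            continue
        labels = obj["metadata"].get("labels") or {}
        if labels.get(BOOTSTRAP_LABEL) == "rbac-defaults":
            continue  # default roles such as cluster-admin are expected to be broad
        for rule in obj.get("rules") or []:
            if any("*" in (rule.get(k) or []) for k in ("verbs", "resources", "apiGroups")):
                found.add(obj["metadata"]["name"])
    return sorted(found)

def risky_bindings(items):
    """(subject, role) pairs where a ClusterRoleBinding grants cluster-admin or a wildcard role."""
    watch = set(wildcard_roles(items)) | {"cluster-admin"}
    out = []
    for obj in items:
        if obj.get("kind") != "ClusterRoleBinding":
            continue
        role = obj["roleRef"]["name"]
        if obj["roleRef"]["kind"] != "ClusterRole" or role not in watch:
            continue
        for s in obj.get("subjects") or []:
            ns = s.get("namespace")  # only ServiceAccount subjects carry a namespace
            ident = f"{s['kind']}/{ns}/{s['name']}" if ns else f"{s['kind']}/{s['name']}"
            out.append((ident, role))
    return out

def audit(raw_json):
    """Run both checks on the output of `kubectl get clusterroles,clusterrolebindings -o json`."""
    items = json.loads(raw_json)["items"]
    return {"wildcard_roles": wildcard_roles(items), "risky_bindings": risky_bindings(items)}

# Constructed sample standing in for real kubectl output (names are hypothetical).
SAMPLE = json.dumps({"items": [
    {"kind": "ClusterRole", "metadata": {"name": "cluster-admin", "labels": {BOOTSTRAP_LABEL: "rbac-defaults"}},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "ci-deployer"},
     "rules": [{"apiGroups": [""], "resources": ["*"], "verbs": ["get", "list"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "pod-reader"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "ci-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "argocd-server", "namespace": "argocd"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "ci-deploy"},
     "roleRef": {"kind": "ClusterRole", "name": "ci-deployer"},
     "subjects": [{"kind": "Group", "name": "system:serviceaccounts:ci"}]},  # every SA in "ci"
    {"kind": "ClusterRoleBinding", "metadata": {"name": "readers"},
     "roleRef": {"kind": "ClusterRole", "name": "pod-reader"}, "subjects": [{"kind": "User", "name": "alice"}]},
]})

if __name__ == "__main__":
    for check, hits in audit(SAMPLE).items():
        print(check, hits)
```

A Group subject of the form `system:serviceaccounts:<namespace>` is worth reviewing separately, since it extends the role to every Service Account in that namespace, including ones created later.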
Container Isolation — 8 Layers of Defence in Depth
Linux Namespaces, cgroups, Seccomp syscall filtering, Linux Capabilities, AppArmor/SELinux, Pod Security Admission (PSA), Runtime Application Self-Protection (RASP), and User Namespaces for UID/GID remapping.
We go beyond surface-level scanning — we analyse control plane hardening, test container escape mitigations, audit service account privileges and validate network segmentation. The resulting report delivers a scored maturity assessment and a prioritised hardening roadmap.
130 CIS Benchmark controls evaluated · 8 container isolation layers tested · 4 structured audit phases
How do we proceed?
The engagement combines document analysis, deep technical review and active security testing, structured in four phases.
Discovery & Inventory
Exhaustive mapping of the Kubernetes ecosystem: cluster topology, namespaces, workloads, GitHub repositories, GitOps CI/CD workflows (FluxCD, ArgoCD), RBAC configurations and network architecture. We review deployment manifests, Helm charts and infrastructure-as-code templates.
In-depth Analysis across Three Reference Frameworks
CIS Kubernetes Benchmark v1.9 (130 controls across 5 sections), RBAC audit covering Service Accounts, ClusterRoles and cluster-admin usage, and container isolation testing across all 8 defence layers. Manual review complements automated scanning.
Scoring & Recommendations
A Kubernetes security maturity score mapped to CIS Benchmark controls. Each finding is rated by severity (Critical, High, Medium, Low) and comes with specific remediation actions, configuration snippets and effort estimates.
Debrief & Delivery
Presentation of findings to infrastructure and security teams, walkthrough of remediation priorities, and delivery of the final report. All cluster access and client data are revoked and destroyed at engagement close.
Prerequisites
Read-only access to Kubernetes clusters, access to CI/CD tools and GitOps repositories, cluster architecture documentation, a list of critical workloads and their data sensitivity, and a designated Kubernetes/DevOps engineer for interviews.
Public administration
Comprehensive Kubernetes security audit for NIS2 and ANSSI compliance
A public administration migrating critical services to a Kubernetes-based cloud infrastructure needed assurance that its container orchestration met ANSSI and NIS2 requirements.
Tomeris conducted a comprehensive Kubernetes security audit evaluating the cluster against all three reference frameworks: 130 CIS Benchmark controls, a full RBAC permissions audit, and container isolation testing across all 8 defence layers.
The audit revealed overly permissive service accounts with wildcard ClusterRoles, missing network policies allowing unrestricted pod-to-pod communication, containers running without Seccomp profiles, and absent Pod Security Admission enforcement.
The final report delivered prioritised remediation steps, all achievable through configuration hardening without re-architecting the platform. The client subsequently engaged Tomeris on a retainer to guide implementation and validate fixes.
Ready to secure your Kubernetes clusters?
Request a Kubernetes Security Audit and get a comprehensive assessment of your cluster configuration, RBAC governance and container isolation with a prioritised hardening roadmap.