Container Security on Kubernetes: What a DevOps Engineer Implements to Protect Production in 2026

Layer 1: Pod Security Standards (non-root containers)

Running containers as root is the single most common and most impactful Kubernetes security gap. A container running as root has the same privileges as the host root user if the container escapes its sandbox. Kubernetes Pod Security Standards (PSS) enforce non-root containers cluster-wide.

A DevOps engineer enables the Restricted Pod Security Standard on production namespaces. This prevents containers from running as root, from requesting host network or host PID access, and from using privileged mode. Most application containers work without modification under the Restricted standard. Those that do not are flagged and updated before the policy is enforced.

Layer 2: Network Policies (zero-trust pod networking)

By default, all pods in a Kubernetes cluster can communicate with all other pods. A compromised frontend pod can make direct requests to the database pod. Network Policies are Kubernetes-native firewall rules that restrict which pods can communicate with which other pods.

A DevOps engineer implements a default-deny network policy for all namespaces, then adds explicit allow rules: frontend pod can reach API pod on port 8080, API pod can reach database pod on port 5432. Nothing else is permitted by default.

Layer 3: Secrets Management (Vault or Secrets Manager)

Kubernetes Secrets store values in base64 encoding, not encryption. A developer with kubectl access can decode any Secret in the cluster. For production workloads, secrets belong in a dedicated secrets management system.

A DevOps engineer integrates either HashiCorp Vault or AWS Secrets Manager via the External Secrets Operator (ESO). ESO runs as a Kubernetes controller that reads secrets from Vault or Secrets Manager and creates Kubernetes Secrets automatically. Rotation is centrally managed. Revocation takes effect immediately.

Layer 4: RBAC (least-privilege access)

Every user, service account, and CI/CD system that interacts with the Kubernetes API has permissions defined by RBAC roles. Default service accounts have broad permissions that accumulate over time without review.

A DevOps engineer audits all RBAC bindings, implements least-privilege role definitions, removes default ClusterAdmin bindings given to CI/CD systems, and configures namespace-scoped roles for development teams. AWS IRSA or Azure Workload Identity grants pods AWS/Azure permissions without static credentials.

Layer 5: Admission Controllers (Gatekeeper or Kyverno)

Pod Security Standards cover runtime security constraints. Admission controllers enforce broader policy: approved image registries, required labels, resource limits on every pod, and rejection of pods with dangerous security configurations.

A DevOps engineer deploys either OPA Gatekeeper or Kyverno and implements: images from approved registries only, required resource requests and limits, required security context on all containers, and mandatory labels for cost attribution.

Layer 6: Image Vulnerability Scanning

A container image is built on a base image that may contain known CVEs. Running containers with unpatched CVEs is a direct compliance violation under SOC 2 and ISO 27001.

A DevOps engineer integrates image scanning into the CI/CD pipeline. Every image pushed to the registry is scanned by Trivy or AWS ECR scanning before it can be deployed. Critical and high CVEs block the deployment. A clean scan (or documented exception) is required before helm upgrade proceeds.

Layer 7: Runtime Security (Falco)

Network policies and pod security standards prevent many attacks. Falco detects attacks at runtime: a shell opened inside a container, a file read from a sensitive path, a system call that should never occur in a containerised application.

A DevOps engineer deploys Falco as a DaemonSet on every node. Falco rules fire alerts to Slack or PagerDuty when a container exhibits runtime behaviour indicating exploitation: unexpected shell execution, unexpected network connection, sensitive file read.

Layer 8: Audit Logging and Cluster-Level Logging

Kubernetes API audit logging records every action taken against the cluster API: who created or deleted what resource, when, and from where. Without audit logging, a security incident in the cluster has no forensic trail.

A DevOps engineer enables Kubernetes audit logging at the API server, ships audit logs to CloudWatch Logs or Azure Monitor, and configures log retention to satisfy the relevant compliance framework (SOC 2 typically requires 1 year). CloudTrail is configured for underlying AWS infrastructure API calls.

SOC 2 control area

Kubernetes security layer

Evidence a DevOps engineer provides

Access control (CC6.1)

RBAC + Workload Identity/IRSA

RBAC policy files in Git. Audit log showing no shared credentials. Service account permission inventory.

Logical access restrictions (CC6.2)

Network Policies

Network policy YAML files. Default-deny evidence. Ingress/egress rules documented.

Encryption in transit and at rest (CC6.7)

TLS on all services + Secrets Manager

TLS certificate configuration. Vault or Secrets Manager integration evidence.

Security monitoring (CC7.2)

Falco + Audit Logging

Falco alert history. CloudWatch audit log retention configuration.

Change management (CC8.1)

Admission Controllers + Image Scanning

Gatekeeper/Kyverno policy library. CI/CD pipeline scan results. Image registry scan history.

Vulnerability management (CC7.1)

Image Vulnerability Scanning

Trivy or ECR scan results. CVE remediation log. Critical CVE blocking policy evidence.

Minimum necessary access (CC6.3)

Pod Security Standards + RBAC

Pod security standard enforcement evidence. Least-privilege RBAC review results.

Region / hiring model

Senior DevOps (in-house)

Eastern Europe (agency)

Acquaint Softtech (India)

UK

GBP 80,000-110,000/year fully loaded

GBP 60-80/hour

$22/hour | $3,200/month

Germany / DACH

EUR 90,000-120,000/year fully loaded

EUR 70-90/hour

$22/hour | $3,200/month

Netherlands / Benelux

EUR 85,000-115,000/year fully loaded

EUR 65-85/hour

$22/hour | $3,200/month

France / Southern EU

EUR 70,000-100,000/year fully loaded

EUR 55-75/hour

$22/hour | $3,200/month

US

$130,000-180,000/year fully loaded

$80-110/hour

$22/hour | $3,200/month

Security sprint saving (8 layers, 2-3 weeks)

N/A (in-house, always on)

EST 3-4x Acquaint rate

$1,760 to $3,168 total

Security engagement scope

Cost at $22/hour

What is delivered

Security audit of existing cluster (gap assessment)

2 to 3 days: $352 to $528

Written findings report: which of the 8 layers are missing, risk rating, remediation priority order

Layers 1 to 3 (Pod Security, Network Policies, Secrets)

4 to 6 days: $704 to $1,056

Non-root containers enforced, default-deny network policies, Vault or ESO integration

Layers 4 to 6 (RBAC, Admission Controllers, Image Scanning)

4 to 7 days: $704 to $1,232

Least-privilege RBAC, Gatekeeper or Kyverno policies, Trivy CI/CD integration

Layers 7 to 8 (Falco, Audit Logging)

2 to 4 days: $352 to $704

Falco DaemonSet with alert routing, K8s API audit logging, CloudWatch retention

Full 8-layer security sprint (SOC 2 ready)

10 to 18 days: $1,760 to $3,168

Complete Kubernetes security hardening. SOC 2 control evidence prepared.

Monthly retainer (security + cluster management)

$3,200/month

Ongoing: policy updates, vulnerability monitoring, quarterly RBAC review, incident response