Kubernetes, often called K8s, is revolutionizing how organizations deploy and manage containerized applications. Originally developed by Google and now open-source, Kubernetes has become a standard for orchestrating containers across on-premises, hybrid-cloud, and public cloud environments. But with this increased flexibility and scalability comes a new range of security challenges that require thoughtful, proactive solutions.

In its Greek origin, Kubernetes means “helmsman” or “pilot”, an apt metaphor for a platform that steers modern applications through complex infrastructure landscapes. At its core, Kubernetes is built on a cluster-level architecture divided into two planes:

  • Control Plane: This acts as the system’s brain, handling scheduling and decision-making.
  • Data Plane: These are the worker nodes responsible for hosting and running application workloads within containers.

As Kubernetes adoption grows, so does the potential attack surface. A single Kubernetes cluster can include dozens of applications and multiple entry points, making it an attractive target for attackers. Securing both the control and data planes at runtime is now a baseline requirement for Kubernetes environments.

Figure: A diagram of a Kubernetes cluster, along with its control and data planes.

Why Kubernetes Security Demands More Than a Traditional Approach

While convenient, managed Kubernetes services such as EKS, GKE, and AKS often restrict access to the control plane. This forces organizations to depend on logs and monitoring for threat detection. Recent attacks like RBAC Buster and SCARLETEEL have exploited Kubernetes vulnerabilities, including unauthorized API access, excessive RBAC permissions, and privileged pod usage, to deploy crypto miners and escalate privileges across cloud environments.

On the data plane, vulnerable nodes can allow attackers to move laterally across clusters, compromising containers, stealing secrets, or consuming compute resources. Security blind spots often arise from traditional vulnerability scanning tools that only operate at build time. These tools focus on shifting left but miss what’s actually running in production.

The Modern, Runtime-First Approach to Kubernetes Security

To truly secure Kubernetes, organizations must prioritize runtime scanning, intelligent threat detection, and environmental context. Security teams need to know not just what vulnerabilities exist, but where they are, whether they’re in use, and if they’re being actively targeted.

While some teams turn to sidecar containers for security observability, these introduce their own risks, like performance degradation and deployment complexity. A more effective solution lies in eBPF-based monitoring, which integrates directly with the Linux kernel to provide lightweight, detailed visibility into running processes, network traffic, system calls, and more, without burdening system resources.

How Upwind Secures Kubernetes Across Both Control and Data Planes

Securing Kubernetes requires more than just build-time checks or traditional monitoring. Upwind takes a runtime-first, context-aware approach that protects clusters in real time, across both the control plane and data plane, without adding friction to operations or performance overhead.

Full-Stack, Context-Rich Visibility

Upwind continuously maps your entire Kubernetes environment. This includes workloads, services, namespaces, and API activity. The result is a live view of what’s running, how it’s connected, and where risk exists. By combining data from Kubernetes manifests, cloud provider metadata, and runtime activity, Upwind delivers complete, contextual visibility – down to the pod level.

Figure: As the use of Artificial Intelligence grows, maintaining security is critical. Upwind provides real-time monitoring of your environment’s AI-related connections.

eBPF-Powered Runtime Monitoring

At the heart of Upwind’s Kubernetes security is its eBPF-based runtime monitoring. Without using sidecars or agents inside containers, Upwind leverages the Linux kernel to observe:

  • System calls and process behavior
  • Network traffic between services and external endpoints
  • File and API access in real time
  • Privileged or anomalous container activity

This enables Upwind to detect real threats such as crypto mining, privilege escalation, or lateral movement as they happen, not hours later via delayed log processing.

Figure: Leveraging real-time, granular data from eBPF, Upwind identifies that a shipping microservice within an AWS cluster is internet-accessible and contains Personally Identifiable Information (PII).

Control Plane Risk Insights

Even in managed services like GKE, EKS, and AKS where the control plane is abstracted, Upwind detects risky configurations, over-permissioned RBAC roles, and suspicious API activity. It continuously monitors Kubernetes audit logs and configuration states to surface threats like:

  • Unauthorized access attempts
  • Privileged pod creation
  • Token abuse or excessive permissions
  • Dangerous misconfigurations in role bindings and cluster roles
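The threats in the list above can be spotted in the kube-apiserver audit log, which every managed service still exposes even when the control plane itself is abstracted. The following is an added example, not Upwind’s detection code: it runs three simple rules (a 403 response, a pod created with a privileged container, a binding to cluster-admin) over a handful of constructed audit events in the JSON format the API server emits, trimmed to the fields the rules need. The `requestObject` field is only present when the audit policy level is Request or RequestResponse, which is an assumption the privileged-pod and binding rules depend on.

```python
"""Detect risky control-plane activity in kube-apiserver audit events.

Added example, not Upwind's detection code. The events below are
constructed to mimic the kube-apiserver JSON audit format (one event per
line), trimmed to the fields the rules use.
"""
import json

# Constructed sample: four audit events, one per line.
SAMPLE_AUDIT_LOG = "\n".join(json.dumps(e) for e in [
    {   # anonymous caller rejected by RBAC: an unauthorized access attempt
        "verb": "list", "user": {"username": "system:anonymous"},
        "objectRef": {"resource": "secrets", "namespace": "kube-system"},
        "responseStatus": {"code": 403},
    },
    {   # pod created with a privileged container (requestObject is only
        # recorded at audit level Request or RequestResponse)
        "verb": "create", "user": {"username": "dev-user"},
        "objectRef": {"resource": "pods", "namespace": "default", "name": "build-agent"},
        "responseStatus": {"code": 201},
        "requestObject": {"spec": {"containers": [
            {"name": "main", "securityContext": {"privileged": True}}]}},
    },
    {   # a service account bound to cluster-admin
        "verb": "create", "user": {"username": "dev-user"},
        "objectRef": {"resource": "clusterrolebindings", "name": "ci-admin"},
        "responseStatus": {"code": 201},
        "requestObject": {
            "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
            "subjects": [{"kind": "ServiceAccount", "name": "builder", "namespace": "ci"}]},
    },
    {   # benign read
        "verb": "get", "user": {"username": "dev-user"},
        "objectRef": {"resource": "pods", "namespace": "default", "name": "web"},
        "responseStatus": {"code": 200},
    },
])

MUTATING_VERBS = {"create", "update", "patch"}


def _who(event):
    return event.get("user", {}).get("username", "<unknown>")


def rule_forbidden(event):
    """Unauthorized access attempt: the API server answered 403."""
    if event.get("responseStatus", {}).get("code") == 403:
        ref = event.get("objectRef", {})
        return f"{_who(event)} was denied {event.get('verb')} on {ref.get('resource')}"
    return None


def rule_privileged_pod(event):
    """Privileged pod creation: any container with securityContext.privileged."""
    ref = event.get("objectRef", {})
    if event.get("verb") != "create" or ref.get("resource") != "pods":
        return None
    spec = event.get("requestObject", {}).get("spec", {})
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        if c.get("securityContext", {}).get("privileged"):
            return (f"{_who(event)} created pod {ref.get('namespace')}/{ref.get('name')} "
                    f"with privileged container {c.get('name')!r}")
    return None


def rule_cluster_admin_binding(event):
    """Excessive permissions: a (Cluster)RoleBinding that grants cluster-admin."""
    ref = event.get("objectRef", {})
    if (event.get("verb") not in MUTATING_VERBS
            or ref.get("resource") not in ("clusterrolebindings", "rolebindings")):
        return None
    body = event.get("requestObject", {})
    role = body.get("roleRef", {})
    if role.get("kind") == "ClusterRole" and role.get("name") == "cluster-admin":
        subjects = ", ".join(
            f"{s.get('kind')}:{s.get('namespace', '')}/{s.get('name')}"
            for s in body.get("subjects", []))
        return f"{_who(event)} bound cluster-admin to {subjects} via {ref.get('name')}"
    return None


RULES = {
    "unauthorized_access": rule_forbidden,
    "privileged_pod": rule_privileged_pod,
    "cluster_admin_binding": rule_cluster_admin_binding,
}


def scan_audit_log(text):
    """Run every rule over each JSON audit event; return (rule, message) pairs."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        for name, rule in RULES.items():
            msg = rule(event)
            if msg:
                findings.append((name, msg))
    return findings


if __name__ == "__main__":
    for name, msg in scan_audit_log(SAMPLE_AUDIT_LOG):
        print(f"[{name}] {msg}")
```

Each rule returns the actor, the action and the object it touched, which is the minimum context an alert needs before anyone can decide whether a finding is a CI job doing its job or a foothold being widened. A production detector would add the source IP, the user agent and the time window, and would correlate the privileged-pod rule with which node the pod was scheduled to.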

Upwind provides clear context around each alert: who triggered it, what happened, and why it matters. Teams can understand the cause, assess the risk, and take the right action quickly without second-guessing.

Figure: The Upwind Platform reports on suspicious API activity in real time, providing contextualized information, risk analysis, request and response data, and remediation recommendations.

Attack Path Mapping and Real-Time Threat Detection

With live runtime insights and its cloud-native graph, Upwind maps potential attack paths across Kubernetes and cloud infrastructure. This lets teams simulate or identify lateral movement opportunities, such as:

  • Compromised pods accessing exposed secrets
  • Pods communicating with unapproved services
  • Containers escalating privileges through misconfigured IAM or RBAC

Upwind prioritizes vulnerabilities based on real-world impact, including blast radius, threat signals, and likelihood of exploitation. This reduces noise and helps teams respond faster to the risks that matter most.

Policy Enhancement Without Performance Trade-Offs

Upwind also enables policy creation without injecting sidecars or affecting application performance, allowing for lower operational overhead and safer, more flexible enforcement in production environments. Teams can define custom posture rules to block risky behavior such as allowing public ingress to internal services, running with root privileges, or exposing tokens at runtime, all based on what’s actually happening in production.
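To make the three posture rules named above concrete, here is an added example that is not Upwind’s policy engine: a small evaluator that checks parsed Kubernetes manifests for containers that are privileged or may run as root, token-like environment variables set as literals rather than from a Secret, and Services whose type exposes them outside the cluster. The rule set, the `TOKEN_LIKE` name pattern and the sample manifests are all constructed for illustration; a runtime-aware engine would additionally confirm whether the port is actually reachable and whether the token is actually read.

```python
"""Evaluate Kubernetes manifests against a few runtime posture rules.

Added example, not Upwind's policy engine. The rules and the sample
manifests below are constructed for illustration.
"""
import re

# Constructed heuristic: env var names that usually carry credentials.
TOKEN_LIKE = re.compile(r"(TOKEN|SECRET|PASSWORD|API_KEY)", re.IGNORECASE)


def _pod_spec(obj):
    """Pod spec of a Pod, or of a workload's pod template (Deployment, DaemonSet, Job)."""
    if obj.get("kind") == "Pod":
        return obj.get("spec", {})
    return obj.get("spec", {}).get("template", {}).get("spec", {})


def _containers(spec):
    return spec.get("initContainers", []) + spec.get("containers", [])


def rule_root_or_privileged(obj):
    """Flag containers that are privileged or may run as UID 0."""
    spec = _pod_spec(obj)
    pod_ctx = spec.get("securityContext", {})
    findings = []
    for c in _containers(spec):
        ctx = c.get("securityContext", {})
        if ctx.get("privileged"):
            findings.append(f"container {c['name']} is privileged")
        # container-level settings override pod-level ones
        non_root = ctx.get("runAsNonRoot", pod_ctx.get("runAsNonRoot", False))
        uid = ctx.get("runAsUser", pod_ctx.get("runAsUser"))
        if not non_root and uid in (None, 0):
            findings.append(f"container {c['name']} may run as root")
    return findings


def rule_literal_token_env(obj):
    """Flag token-like env vars set as literal values instead of secretKeyRef."""
    findings = []
    for c in _containers(_pod_spec(obj)):
        for env in c.get("env", []):
            if TOKEN_LIKE.search(env.get("name", "")) and "value" in env:
                findings.append(f"container {c['name']} exposes {env['name']} as a literal env value")
    return findings


def rule_public_service(obj):
    """Flag Services whose type exposes a port outside the cluster network."""
    if obj.get("kind") != "Service":
        return []
    svc_type = obj.get("spec", {}).get("type", "ClusterIP")
    if svc_type in ("LoadBalancer", "NodePort"):
        return [f"Service type {svc_type} makes the workload reachable from outside the cluster"]
    return []


RULES = [rule_root_or_privileged, rule_literal_token_env, rule_public_service]


def evaluate(manifests):
    """Return (kind/name, message) for every rule violation across all manifests."""
    out = []
    for obj in manifests:
        ident = f"{obj.get('kind')}/{obj.get('metadata', {}).get('name')}"
        for rule in RULES:
            out.extend((ident, msg) for msg in rule(obj))
    return out


# Constructed sample manifests, given as already-parsed YAML/JSON objects.
SAMPLE_MANIFESTS = [
    {"kind": "Deployment", "metadata": {"name": "api"},
     "spec": {"template": {"spec": {"containers": [
         {"name": "api", "image": "example/api",
          "env": [{"name": "API_TOKEN", "value": "hard-coded-placeholder"}]}]}}}},
    {"kind": "Pod", "metadata": {"name": "node-debug"},
     "spec": {"securityContext": {"runAsNonRoot": True, "runAsUser": 1000},
              "containers": [{"name": "debug", "image": "example/tools",
                              "securityContext": {"privileged": True}}]}},
    {"kind": "Service", "metadata": {"name": "api"},
     "spec": {"type": "LoadBalancer", "ports": [{"port": 443}]}},
    {"kind": "Deployment", "metadata": {"name": "hardened"},
     "spec": {"template": {"spec": {"containers": [
         {"name": "app", "image": "example/app",
          "securityContext": {"runAsNonRoot": True, "runAsUser": 10001},
          "env": [{"name": "API_TOKEN",
                   "valueFrom": {"secretKeyRef": {"name": "api", "key": "token"}}}]}]}}}},
]


if __name__ == "__main__":
    for ident, msg in evaluate(SAMPLE_MANIFESTS):
        print(f"{ident}: {msg}")
```

The `hardened` Deployment passes every rule, which shows the shape of the fix for each finding: declare `runAsNonRoot` with a non-zero `runAsUser`, source credentials from a Secret via `secretKeyRef`, and keep internal services on `ClusterIP` unless exposure is intended.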

This comprehensive approach enables Upwind to secure Kubernetes clusters in real time, across managed and self-hosted environments, in both production and development.

Want to learn more?

Read our whitepaper, How to Secure Kubernetes (on the) Right, for deeper strategies, real-world attack examples, and expert insights with practical steps you can apply immediately to harden your Kubernetes clusters. Additionally, if you’re ready to find out how Upwind can secure your Kubernetes environments, schedule a personalized demo with us.