RectifyCloud
Back to Blog
Product

Kubernetes Security Misconfigurations That Create SOC 2 Audit Findings

Learn how to fix Kubernetes security misconfigurations that trigger SOC 2 audit findings, including root containers, service accounts, and network policies.

April 29, 202612 min read

Introduction

As organizations transition from traditional virtual machine-based architectures to containerized environments, Kubernetes has become the de facto operating system of the cloud. For senior engineers and tech leads, this shift represents a massive leap in scalability and deployment velocity. However, from a compliance and security perspective, Kubernetes introduces a sprawling surface area of configuration complexities that often slip through the cracks of traditional security audits.

When preparing for a SOC 2 (System and Organization Controls 2) audit, many teams focus heavily on cloud-level identity and access management (IAM), encryption at rest in S3 buckets, and VPC-level firewalls. While these are critical components of cloud infrastructure security, auditors are increasingly turning their gaze inward toward the container orchestration layer. They are no longer satisfied with seeing a "secure" AWS or Azure perimeter; they want to see how the internal "east-west" traffic, pod-to-pod communication, and administrative access within the Kubernetes cluster are governed.

The challenge is that Kubernetes is "insecure by default" in several key areas to facilitate ease of use and developer onboarding. During the fast-paced "move fast and break things" phase of a startup or a new product launch, these defaults are rarely hardened. This leads to a significant gap during the SOC 2 observation period—the window of time where an auditor monitors your environment to ensure controls are functioning consistently. A single misconfiguration, such as a container running with unnecessary root privileges or an over-privileged service account, can result in a qualified report or a failed audit finding.

In this guide, we will explore the most critical Kubernetes security misconfigurations that trigger SOC 2 audit findings, map them to specific Trust Services Criteria (TSC), and provide technical remediation strategies to ensure your cluster is audit-ready.

The SOC 2 Framework and Kubernetes

SOC 2 is based on the Trust Services Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy. For most engineering teams, the "Security" criteria (Common Criteria or CC series) are the most relevant when configuring Kubernetes.

Specifically, auditors look for evidence supporting:

  • CC6.1: Logical access security over software, data, and infrastructure.
  • CC6.6: Boundary protection (firewalls, network segmentation).
  • CC6.7: Detection and prevention of unauthorized or malicious software.
  • CC7.1 & CC7.2: Monitoring and evaluation of system vulnerabilities and anomalies.

Kubernetes misconfigurations directly impact these controls. If an auditor discovers that any pod in your cluster can talk to any other pod without restriction, you have failed CC6.6. If they find that developers are using a shared cluster-admin credential, you have failed CC6.1. Understanding this mapping is the first step toward building a compliant infrastructure.

1. Overprivileged Service Accounts and RBAC Failures

Role-Based Access Control (RBAC) is the heartbeat of Kubernetes security, yet it is frequently the most misconfigured component. In a rush to get an application running, it is common to see developers assign the cluster-admin role to a service account or, worse, leave the default service account with broad permissions.

The SOC 2 Risk (CC6.1)

SOC 2 requires the "Principle of Least Privilege." If a microservice only needs to read secrets from its own namespace but is granted permission to list all pods across the entire cluster, you have a logical access violation. If that pod is compromised, the attacker can move laterally across the entire infrastructure.

The Misconfiguration

A common mistake is binding a ServiceAccount to a ClusterRole when a Role (limited to a namespace) would suffice.

# AVOID THIS: Overprivileged ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: app-manager-binding
subjects:
- kind: ServiceAccount
  name: my-app-sa
  namespace: production
roleRef:
  kind: ClusterRole
  name: cluster-admin # High-risk finding: provides full control over the entire cluster
  apiGroup: rbac.authorization.k8s.io

The Fix

Audit your RBAC regularly using tools like kubectl-who-can or rbac-lookup. Ensure that every ServiceAccount has a specific Role tailored to its needs.

# PREFERRED: Scoped Role and RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: production
  name: pod-reader
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "watch", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-pods
  namespace: production
subjects:
- kind: ServiceAccount
  name: my-app-sa
  namespace: production
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io

2. Containers Running as Root and Privileged Escalation

By default, Kubernetes does not prevent containers from running as the root user. This is a significant security risk because if a container is compromised, the attacker may gain root-level access to the underlying host node.

The SOC 2 Risk (CC6.7)

Auditors look for "system hardening" and "prevention of unauthorized access." Running as root violates the hardening guidelines established by CIS (Center for Internet Security) Benchmarks, which are often used as the baseline for SOC 2 compliance.

The Misconfiguration

Leaving the securityContext blank or explicitly setting privileged: true allows the container to access host resources, such as the Docker socket or the host's network stack.

# AVOID THIS: Privileged container
apiVersion: v1
kind: Pod
metadata:
  name: insecure-pod
spec:
  containers:
  - name: nginx
    image: nginx
    securityContext:
      privileged: true # This allows the pod to do almost anything the host can do
      allowPrivilegeEscalation: true

The Fix

Implement a securityContext at both the Pod and Container level. Force the container to run as a non-root user and drop all unnecessary Linux capabilities.

# PREFERRED: Hardened SecurityContext
apiVersion: v1
kind: Pod
metadata:
  name: secure-pod
spec:
  securityContext:
    runAsNonRoot: true
    runAsUser: 1000
    fsGroup: 2000
  containers:
  - name: nginx
    image: nginx:stable-alpine
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop:
          - ALL
      readOnlyRootFilesystem: true

3. Missing Network Policies (Flat Network Architecture)

In a default Kubernetes installation, any pod can communicate with any other pod, even across different namespaces. This "flat network" is a nightmare for SOC 2 auditors.

The SOC 2 Risk (CC6.6)

CC6.6 focuses on boundary protection and segmentation. If your "Payment Processing" namespace can receive traffic from your "Dev-Testing" namespace, your network segmentation is non-existent. Auditors will ask for evidence that production data is isolated from non-production environments and that microservices are restricted to necessary communication only.

The Misconfiguration

Relying on the default behavior of the CNI (Container Network Interface) without defining NetworkPolicy objects. This allows a vulnerability in a public-facing web server to be used as a jumping-off point to attack an internal database or an internal API.

The Fix

Adopt a "default-deny" posture for all ingress and egress traffic, then explicitly allow required connections.

# PREFERRED: Default Deny All Traffic Policy
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: production
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress

After applying the default deny, you can then add specific policies that allow your frontend to talk to your backend on a specific port.

4. Publicly Exposed Dashboards and API Servers

While it seems obvious, many teams accidentally expose the Kubernetes Dashboard or the API server to the public internet without proper authentication or IP whitelisting.

The SOC 2 Risk (CC6.1)

This is a direct violation of logical access controls. An exposed dashboard often provides a "god-view" of the cluster and, in older versions, allowed unauthenticated users to perform administrative actions.

The Misconfiguration

Using a Service of type LoadBalancer for the Kubernetes Dashboard or failing to restrict the API server's CIDR ranges at the cloud provider level.

Key Points for Remediation:

  • Disable the Dashboard: If you don't absolutely need the web UI, delete it. Most administrative tasks should be done via kubectl or a GitOps pipeline.
  • Private API Endpoints: Ensure your Kubernetes API server is not accessible from the public internet. Use AWS PrivateLink, Azure Private Link, or VPC peering.
  • OIDC Integration: Integrate Kubernetes with your corporate Identity Provider (Okta, Google, Azure AD) so that access is tied to individual identities rather than shared certificates.

5. Secrets Management and Base64 "Encryption"

Kubernetes Secrets are, by default, stored unencrypted in etcd. They are merely Base64 encoded. Anyone with access to the API or the etcd database can easily decode them.

The SOC 2 Risk (CC6.1)

SOC 2 requires that sensitive data (passwords, API keys, certificates) be protected using strong encryption. Storing them in plain text (or Base64) does not meet this requirement.

The Misconfiguration

Storing secrets directly in the cluster without enabling "Encryption at Rest" for the etcd layer or using a dedicated Secrets Manager.

The Fix

There are two primary ways to satisfy an auditor here:

  1. KMS Integration: Enable the Kubernetes KMS (Key Management Service) provider to encrypt secrets in etcd using keys managed by AWS KMS, HashiCorp Vault, or Azure Key Vault.
  2. External Secrets: Use the "External Secrets Operator" or "Secrets Store CSI Driver" to pull secrets directly from a managed vault into the pod at runtime, ensuring the secret never lives permanently in the K8s API.

6. Disabled Audit Logging and Lack of Observability

If an incident occurs, how do you know who did what and when? SOC 2 CC7.2 requires organizations to monitor their systems for anomalies and maintain logs for forensic analysis.

The SOC 2 Risk (CC7.2)

If your Kubernetes audit logs are not being captured, you have no trail of administrative actions. An auditor will ask to see logs showing when a specific pod was deleted or when a RoleBinding was changed. If you can't produce these logs, you lack the "monitoring and evaluation" control.

The Misconfiguration

Many managed Kubernetes services (like EKS or GKE) have audit logging disabled by default or have very short retention periods.

The Fix

Ensure that Audit Logs are enabled and forwarded to a centralized, immutable logging platform (like CloudWatch, ELK, or Datadog).

  • Log Level: Use the Metadata or RequestResponse level for sensitive operations.
  • Retention: SOC 2 usually requires at least 90 days of logs to be searchable, with longer-term archival for compliance.
  • Alerting: Set up alerts for high-risk events, such as the creation of a cluster-admin role or repeated failed authentication attempts.

Why These Misconfigurations Happen During Fast-Moving Deployments

In a high-growth environment, the pressure to deliver features often outweighs the focus on infrastructure hardening. Several factors contribute to the persistence of these misconfigurations:

  • Lack of Specialized Knowledge: Many DevOps engineers are proficient in Docker and CI/CD but may not be deeply versed in the nuances of Kubernetes RBAC or NetworkPolicies.
  • Velocity Over Security: Implementing a "default-deny" network policy often breaks existing applications, leading teams to postpone security tasks in favor of uptime and feature parity.
  • Shadow IT: Developers spinning up their own clusters in development or staging environments that eventually become "production-lite" without going through a formal security review.
  • Tooling Gaps: Standard cloud security posture management (CSPM) tools often stop at the cloud provider API. They can tell you if an S3 bucket is public, but they can't tell you if a Kubernetes pod is running with allowPrivilegeEscalation: true.

To bridge this gap, organizations must integrate Kubernetes-specific scanning into their CI/CD pipelines. This ensures that security is a "gate" rather than an afterthought.

How to Audit and Fix Your Posture Before the Observation Period

The best way to prepare for a SOC 2 audit is to perform a self-audit using the same tools and frameworks that an auditor would use. Follow these steps to ensure your Kubernetes environment is resilient:

Step 1: Automated Scanning

Use open-source and commercial tools to identify misconfigurations.

  • Kubescape: Scans clusters against the NSA-CISA hardening framework and MITRE ATT&CK.
  • Checkov / Terrascan: Scans your Infrastructure-as-Code (Terraform, Helm charts) before it is even deployed.
  • Popeye: A utility that scans live Kubernetes clusters and reports on potential issues with resources and configurations.

Step 2: Implement Admission Controllers

Don't just detect misconfigurations—prevent them. Use an Admission Controller like Kyverno or OPA Gatekeeper. These tools can enforce policies, such as "No container can run as root" or "All pods must have a specific label for cost tracking."

Example Kyverno policy to disallow privileged containers:

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disallow-privileged-containers
spec:
  validationFailureAction: enforce
  background: true
  rules:
  - name: privileged-containers
    match:
      resources:
        kinds:
        - Pod
    validate:
      message: "Privileged containers are not allowed."
      pattern:
        spec:
          containers:
          - securityContext:
              privileged: false

Step 3: Formalize the Review Process

SOC 2 is as much about process as it is about technology. Ensure that:

  • All changes to Kubernetes manifests are reviewed via Pull Requests.
  • RBAC changes require approval from a security lead.
  • You conduct quarterly access reviews of who has cluster-admin access.

Step 4: Validate Logging and Monitoring

Perform a "fire drill." Attempt to perform an unauthorized action in a staging cluster (e.g., trying to access a secret you shouldn't have access to) and verify that your logging system captured the event and triggered an alert. This evidence is gold for SOC 2 auditors.

Conclusion

Kubernetes provides incredible power, but with that power comes a complex responsibility to secure the internal workings of the cluster. SOC 2 auditors are becoming increasingly sophisticated, and they will look beyond the cloud perimeter to see how you are managing your containerized workloads.

By addressing the "big five" misconfigurations—RBAC, root containers, network policies, secrets management, and audit logging—you not only ensure a smoother SOC 2 audit but also significantly harden your infrastructure against real-world attacks. Remember that cloud infrastructure security is a continuous process, not a one-time event. As your cluster grows and evolves, so must your security posture.

Start by implementing a "default-deny" philosophy in your network and RBAC configurations. Use Policy-as-Code to automate enforcement, and maintain clear, immutable logs of all administrative actions. When the auditor asks for evidence of your controls during the observation period, you won't be scrambling for answers—you'll be providing a clean, compliant, and secure environment that reflects the technical excellence of your team.

This content was generated by AI.