Interview Kubernetes, Docker, Helm & Podman

How would you harden a Kubernetes cluster (Pod Security Standards, RBAC, network policies, image policy)?

Kubernetes, Docker, Helm & Podman · Advanced level

Answer

I harden a Kubernetes cluster in layers: identity and RBAC, namespace isolation, Pod Security Standards, NetworkPolicies, image provenance, secrets encryption, admission control, audit logging, node hardening, patching, and continuous compliance checks. The goal is least privilege and reduced blast radius without blocking delivery.

Technical explanation

Hardening is defense in depth; no single control such as RBAC or Pod Security Standards is enough alone.

Start in audit/warn modes where possible, measure breakage, then move to enforce with documented exceptions.

Hardening should be layered: authentication, authorization, admission, workload security, network segmentation, secret protection, image trust, audit, and runtime monitoring.

Use audit and warn modes to discover breakage before enforcing new policies in shared clusters.

Document exceptions with ownership, expiry, compensating controls, and evidence.

Hands-on example

1. Create a non-production namespace (or a dedicated cluster) for this exercise and build a hardened baseline in it: Pod Security labels, RBAC, NetworkPolicy, image controls, and audit checks.

2. Apply controls in layers: RBAC, ServiceAccounts, Pod Security labels, NetworkPolicy, resources, probes, image policy, secret handling, and audit logging.

3. Run negative tests such as privileged Pod rejection, denied API access, blocked network flow, unsigned image rejection, or secret read denial.

4. Move from audit/warn to enforce only after measuring impact, documenting exceptions, and wiring alerts to owners.
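The layered baseline described in the technical explanation and in steps 1 and 2 above, written out as manifests. This is an added example, not part of the original answer or of any project's code: the namespace name `payments`, the app `api`, the ServiceAccount `api-sa`, the registry `registry.example.com`, and the all-zero image digest are placeholders I chose. It assumes a cluster with Pod Security Admission enabled and a CNI plugin that enforces NetworkPolicy.

```yaml
# Hardened namespace baseline; added example, not from the page.
# Assumed names: namespace "payments", app "api", SA "api-sa", registry.example.com.
apiVersion: v1
kind: Namespace
metadata:
  name: payments
  labels:
    # Pod Security Admission: enforce "restricted"; audit/warn too, so
    # violations also surface in audit logs and kubectl warnings.
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/audit: restricted
    pod-security.kubernetes.io/warn: restricted
---
apiVersion: v1
kind: ServiceAccount
metadata: { name: api-sa, namespace: payments }
# No API token in the Pod unless the workload actually talks to the API server.
automountServiceAccountToken: false
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata: { name: api-config-reader, namespace: payments }
rules:
  # Least privilege: read one named ConfigMap; no Secrets, no wildcards.
  - apiGroups: [""]
    resources: ["configmaps"]
    resourceNames: ["api-config"]
    verbs: ["get", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata: { name: api-config-reader, namespace: payments }
subjects:
  - { kind: ServiceAccount, name: api-sa, namespace: payments }
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: api-config-reader
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata: { name: default-deny-all, namespace: payments }
spec:
  podSelector: {}                     # every Pod in the namespace
  policyTypes: ["Ingress", "Egress"]  # no rules listed: deny all both ways
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata: { name: allow-dns-egress, namespace: payments }
spec:
  podSelector: {}
  policyTypes: ["Egress"]
  egress:
    # Re-open only cluster DNS; each further flow gets its own explicit policy.
    - to:
        - namespaceSelector:
            matchLabels: { kubernetes.io/metadata.name: kube-system }
      ports:
        - { protocol: UDP, port: 53 }
        - { protocol: TCP, port: 53 }
---
apiVersion: apps/v1
kind: Deployment
metadata: { name: api, namespace: payments }
spec:
  replicas: 2
  selector:
    matchLabels: { app: api }
  template:
    metadata:
      labels: { app: api }
    spec:
      serviceAccountName: api-sa
      automountServiceAccountToken: false
      securityContext:
        runAsNonRoot: true
        runAsUser: 10001
        seccompProfile: { type: RuntimeDefault }
      containers:
        - name: api
          # Pin by digest (all-zero placeholder) so a mutable tag cannot swap the image.
          image: registry.example.com/payments/api@sha256:0000000000000000000000000000000000000000000000000000000000000000
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities: { drop: ["ALL"] }
          resources:
            requests: { cpu: "100m", memory: "128Mi" }
            limits: { cpu: "500m", memory: "256Mi" }
          livenessProbe:
            httpGet: { path: /healthz, port: 8080 }
          readinessProbe:
            httpGet: { path: /ready, port: 8080 }
```

Apply it with `kubectl apply -f` and then run the negative tests from step 3: a Pod created in `payments` with `securityContext.privileged: true` is rejected by the `restricted` enforcement, `kubectl auth can-i get secrets -n payments --as=system:serviceaccount:payments:api-sa` answers `no`, and a Pod in the namespace cannot reach anything except cluster DNS until another NetworkPolicy allows the flow. Two caveats: a digest-pinned image only guarantees immutability, so rejecting unsigned images still needs a separate admission controller that verifies signatures, and `readOnlyRootFilesystem: true` means any path the app writes to must be backed by an explicit volume such as an `emptyDir`.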

Source Note for Current Kubernetes Items

Most answers are based on stable Kubernetes, Docker/OCI, Podman, and Helm concepts. For the current-feature and hardening items, validate against the exact cluster version and vendor distribution before using in a real interview or implementation.

Kubernetes v1.34 release blog: https://kubernetes.io/blog/2025/08/27/kubernetes-v1-34-release/

Kubernetes Pod-level resources v1.34 blog: https://kubernetes.io/blog/2025/09/22/kubernetes-v1-34-pod-level-resources/

Kubernetes Pod Security Standards: https://kubernetes.io/docs/concepts/security/pod-security-standards/

Kubernetes RBAC documentation: https://kubernetes.io/docs/reference/access-authn-authz/rbac/

Kubernetes NetworkPolicy documentation: https://kubernetes.io/docs/concepts/services-networking/network-policies/
