Human security

Kubernetes Incident Response: Developing Your Strategy

Kubernetes is the popular container orchestration platform, originally developed by Google and now maintained by the Cloud Native Computing Foundation, used to manage large-scale containerized applications. Kubernetes runs microservice applications on a distributed cluster of nodes. It is highly resilient and supports scaling, rollback, zero-downtime updates, and self-healing containers.

The main purpose of Kubernetes is to hide the complexity of running and monitoring a large fleet of containers. It can run on bare-metal machines in an on-premises data center as well as on private or public clouds and platforms such as Azure, AWS and OpenShift.

Kubernetes security is a complex business, and organizations around the world are scrambling to secure their containerized workloads. A very specific and critical aspect of Kubernetes security is Kubernetes incident response. This includes:

  • What to do when your Kubernetes cluster is under attack.
  • How to coordinate your organization’s efforts to deal with an attack.
  • How to ensure you have an effective process and the tools and data to investigate and recover from any security incident.

Kubernetes Incident Response Components

Incident Response is a structured process an organization uses to detect, manage, and recover from a cybersecurity event. The ultimate goal is to manage the incident successfully so that recovery costs, downtime and collateral damage (including business loss and brand degradation) are minimal.

To enable effective incident response, it is essential to involve individuals from all areas of the organization. Depending on the escalation path, involvement can extend beyond the obvious technical and security teams to customer support, human resources, legal, compliance and senior management.

Since most general incident response guides do not cover Kubernetes specifically, an organization should consider the following elements as part of its Kubernetes incident response process.


Responding to a Kubernetes security incident almost always requires deployment, rollback, cluster configuration change, or a combination (Read more…)
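The point above, that a Kubernetes response is mostly a sequence of configuration changes and rollouts, is easier to see as a script. The following containment playbook is an added example and is not code from the original article or from any vendor it mentions. It assumes kubectl is installed with its current context pointing at the affected cluster, that the cluster's CNI plugin enforces NetworkPolicy, and that the Deployment's selector uses the label key `app` (the default for `kubectl create deployment`); the namespace, pod and deployment names are hypothetical.

```shell
#!/usr/bin/env sh
# Added example: containment playbook for a compromised pod (not from the
# original article). Assumes kubectl is configured for the affected cluster
# and the CNI enforces NetworkPolicy. Names used here are hypothetical.
set -eu

# Where captured artifacts are written; override with EVIDENCE_DIR=/path.
EVIDENCE_DIR="${EVIDENCE_DIR:-./evidence}"

# Step 1: cluster configuration change. Label the pod, then apply a
# NetworkPolicy that selects that label and lists both policy types with no
# rules, which denies all ingress and egress. The pod keeps running so its
# filesystem, processes and memory are still available for forensics.
isolate_pod() {
  ns="$1"; pod="$2"
  kubectl -n "$ns" label pod "$pod" quarantine=true --overwrite
  kubectl -n "$ns" apply -f - <<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: quarantine-$pod
  namespace: $ns
spec:
  podSelector:
    matchLabels:
      quarantine: "true"
  policyTypes:
  - Ingress
  - Egress
EOF
}

# Step 2: capture the data investigators will need before anything changes.
collect_evidence() {
  ns="$1"; pod="$2"; dir="$EVIDENCE_DIR/$ns-$pod"
  mkdir -p "$dir"
  kubectl -n "$ns" get pod "$pod" -o yaml > "$dir/pod.yaml"
  kubectl -n "$ns" describe pod "$pod" > "$dir/describe.txt"
  kubectl -n "$ns" logs "$pod" --all-containers --timestamps > "$dir/logs.txt"
  # --previous only succeeds if a container has restarted; do not abort on it.
  kubectl -n "$ns" logs "$pod" --all-containers --previous > "$dir/logs-previous.txt" || true
  kubectl -n "$ns" get events --field-selector "involvedObject.name=$pod" -o yaml > "$dir/events.yaml"
}

# Step 3: detach the pod from its controller by removing the label its
# ReplicaSet selects on. The ReplicaSet schedules a clean replacement and the
# quarantined pod is orphaned rather than deleted by the rollback in step 4.
detach_pod() {
  ns="$1"; pod="$2"; key="${3:-app}"
  kubectl -n "$ns" label pod "$pod" "$key-"
}

# Step 4: rollback. Return the Deployment to its previous revision (for the
# case where the compromise arrived with a bad image or config) and wait.
roll_back() {
  ns="$1"; deploy="$2"
  kubectl -n "$ns" rollout undo "deployment/$deploy"
  kubectl -n "$ns" rollout status "deployment/$deploy" --timeout=120s
}

# Run the steps in order: isolate, preserve, detach, then roll back.
contain() {
  ns="$1"; pod="$2"; deploy="$3"; key="${4:-app}"
  isolate_pod "$ns" "$pod"
  collect_evidence "$ns" "$pod"
  detach_pod "$ns" "$pod" "$key"
  roll_back "$ns" "$deploy"
  echo "contained $ns/$pod; evidence in $EVIDENCE_DIR/$ns-$pod"
}

# Usage: ./contain.sh NAMESPACE POD DEPLOYMENT [SELECTOR_LABEL_KEY]
if [ "$#" -ge 3 ]; then
  contain "$@"
fi
```

Two caveats worth keeping in mind. A NetworkPolicy is silently ignored by a CNI plugin that does not implement it, so verify enforcement before relying on this for isolation. And `rollout undo` only helps if the previous revision is actually clean; if the attacker's foothold is in the image itself, the fix is a rebuilt image and a fresh rollout, not a rollback.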