So, I've been reading, reviewing and skimming a lot of Kubernetes and just general security articles and howtos, and I'm amazed at the takes. They seem to all be of the opinion that software should be in "good security" mode by default.

The only problem with that is what good security means is in the eye of the beholder. Most software is set up for "ease of use" out of the box, and this means either dialling back or completely disabling some or most security. And, while trying the software out and doing development, that might be perfect.

This should change when you are going to deploy though, and you have to evaluate what you need and how secure you want to be. I think this is where the snags come up, as people who may not be security gurus either don't do a proper evaluation or know how to implement what they are after, and create config issue or worse.

Also, Kubernetes is a tool, and a complex one at that. We shouldn't expect that tools like this will come with all of their security enabled and be locked down -- that would make them almost impossible to use out of the box. So, what we want is to tune K8s to be as secure as we need it. There are lots of things, like RBAC, Network policies, Admission controllers and more.