When adopting Kubernetes, we introduce new risks to our applications and infrastructure. The OWASP Kubernetes Top 10 is aimed at helping security practitioners, system administrators, and software developers prioritize risks around the Kubernetes ecosystem. The Top Ten is a prioritized list of these risks. In the future we hope for this to be backed by data collected from organizations varying in maturity and complexity.
2025 Top 10 Risks now available Feedback welcome. Please open issues or PRs for changes
- K01: Insecure Workload Configurations
- K02: Overly Permissive Authorization Configurations
- K03: Secrets Management Failures
- K04: Lack Of Cluster Level Policy Enforcement
- K05: Missing Network Segmentation Controls
- K06: Overly Exposed Kubernetes Components
- K07: Misconfigured And Vulnerable Cluster Components
- K08: Cluster To Cloud Lateral Movement
- K09: Broken Authentication Mechanisms
- K10: Inadequate Logging And Monitoring
- K00:2022 Welcome to the Kubernetes Security Top Ten
- K01:2022 Insecure Workload Configurations
- K02:2022 Supply Chain Vulnerabilities
- K03:2022 Overly Permissive RBAC Configurations
- K04:2022 Lack of Centralized Policy Enforcement
- K05:2022 Inadequate Logging and Monitoring
- K06:2022 Broken Authentication Mechanisms
- K07:2022 Missing Network Segmentation Controls
- K08:2022 Secrets Management Failures
- K09:2022 Misconfigured Cluster Components
- K10:2022 Outdated and Vulnerable Kubernetes Components
- Other Risks to Consider
Development of this document take place within the source repository on GitHub.
- We are actively looking for organizations and individuals that will provide Kubernetes vulnerability and misconfiguration data.
- Translation efforts
- Assisting in the development of related tools and projects
Slack: #project-k8s-top10 channel