Here is a summary of the seven security layers covered in a comprehensive AKS security best practices guide, organized by layer:
Identity & Access is the primary perimeter. The recommended practice is to grant access through groups rather than individual identities: bind Microsoft Entra ID groups, not individual users, to Kubernetes roles. As a user's group membership changes, their access permissions on the AKS cluster change accordingly. For workloads, use Microsoft Entra Workload ID so pods authenticate to Azure services with short-lived OIDC tokens instead of stored credentials.
Cluster hardening centres on keeping the API server off the public internet. To avoid exposing the Kubernetes API to the internet, set up a private AKS cluster, where the control plane uses an internal IP address and traffic between the API server and the AKS node pools stays within a private VNet. Combine this with auto-upgrade channels to stay current on Kubernetes versions and node images.
Network security requires Azure CNI to enable NetworkPolicies, a default-deny stance per namespace, and Azure Firewall or NAT Gateway for egress control. To limit network traffic between pods, AKS offers support for Kubernetes network policies, allowing or denying specific network paths within the cluster based on namespaces and label selectors.
Workload security means running every container as non-root with dropped capabilities and a read-only root filesystem. Design your applications around the principle of least privilege. allowPrivilegeEscalation defines whether the pod can assume root privileges; design your applications so that it is always set to false.
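One way to check the workload settings named above before a pod ships, as an added example that is not part of the original guide. The function name audit_pod and the sample pod are constructed for illustration; the input shape is the JSON that `kubectl get pod -o json` returns.

```python
import json

# Constructed sample: a Pod as returned by `kubectl get pod -o json` (trimmed).
SAMPLE_POD = json.loads("""
{
  "metadata": {"name": "demo"},
  "spec": {
    "securityContext": {"runAsNonRoot": true},
    "containers": [
      {"name": "api",
       "securityContext": {"allowPrivilegeEscalation": false,
                           "readOnlyRootFilesystem": true,
                           "capabilities": {"drop": ["ALL"]}}},
      {"name": "sidecar",
       "securityContext": {"runAsNonRoot": false,
                           "capabilities": {"drop": ["NET_RAW"]}}}
    ]
  }
}
""")


def audit_pod(pod):
    """Return {container_name: [findings]} for the settings named in the text."""
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext") or {}
    report = {}
    # Init containers are audited with the same rules as regular containers.
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        sc = c.get("securityContext") or {}
        findings = []
        # runAsNonRoot: a container-level value overrides the pod-level one.
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            findings.append("runAsNonRoot is not true")
        # These fields exist only at container level; unset counts as a finding.
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append("allowPrivilegeEscalation is not false")
        if sc.get("readOnlyRootFilesystem") is not True:
            findings.append("readOnlyRootFilesystem is not true")
        dropped = {d.upper() for d in (sc.get("capabilities") or {}).get("drop") or []}
        if "ALL" not in dropped:
            findings.append("capabilities.drop does not include ALL")
        report[c["name"]] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit_pod(SAMPLE_POD).items():
        print(name, "OK" if not findings else findings)
```

The sidecar fails all four checks even though the pod-level securityContext sets runAsNonRoot, because its container-level value overrides it and the other three fields are never inherited from the pod.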
Secrets management means using the Key Vault Secrets Store CSI Driver. The Azure Key Vault provider for Secrets Store CSI Driver allows integration of an Azure Key Vault as a secret store with an AKS cluster via a CSI volume — it mounts secrets, keys, and certificates to a pod using a CSI volume and supports autorotation of mounted contents.
Image security requires scanning in CI, enforcing image policies at admission, and using minimal base images pinned to digests rather than tags.
Monitoring ties everything together. Ensure you have an audit trail for the Kubernetes control plane by enabling audit logs for kube-apiserver and kube-controller-manager. Pair with Microsoft Defender for Containers for runtime threat detection and Azure Policy for continuous compliance.