[](https://www.paloaltonetworks.com/?ts=markdown)

* Sign In
  
  * Customer
  * Partner
  * Employee
  * [Login to download](https://www.paloaltonetworks.com/login?ts=markdown)
  * [Join us to become a member](https://www.paloaltonetworks.com/login?screenToRender=traditionalRegistration&ts=markdown)

* EN
  
  * [USA (ENGLISH)](https://www.paloaltonetworks.com)
  * [AUSTRALIA (ENGLISH)](https://www.paloaltonetworks.com.au)
  * [BRAZIL (PORTUGUÉS)](https://www.paloaltonetworks.com.br)
  * [CANADA (ENGLISH)](https://www.paloaltonetworks.ca)
  * [CHINA (简体中文)](https://www.paloaltonetworks.cn)
  * [FRANCE (FRANÇAIS)](https://www.paloaltonetworks.fr)
  * [GERMANY (DEUTSCH)](https://www.paloaltonetworks.de)
  * [INDIA (ENGLISH)](https://www.paloaltonetworks.in)
  * [ITALY (ITALIANO)](https://www.paloaltonetworks.it)
  * [JAPAN (日本語)](https://www.paloaltonetworks.jp)
  * [KOREA (한국어)](https://www.paloaltonetworks.co.kr)
  * [LATIN AMERICA (ESPAÑOL)](https://www.paloaltonetworks.lat)
  * [MEXICO (ESPAÑOL)](https://www.paloaltonetworks.com.mx)
  * [SINGAPORE (ENGLISH)](https://www.paloaltonetworks.sg)
  * [SPAIN (ESPAÑOL)](https://www.paloaltonetworks.es)
  * [TAIWAN (繁體中文)](https://www.paloaltonetworks.tw)
  * [UK (ENGLISH)](https://www.paloaltonetworks.co.uk)

* ![magnifying glass search icon to open search field](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/search-black.svg)

* [Contact Us](https://www.paloaltonetworks.com/company/contact-sales?ts=markdown)

* [What's New](https://www.paloaltonetworks.com/resources?ts=markdown)

* [Get Support](https://support.paloaltonetworks.com/SupportAccount/MyAccount)

* [Under Attack?](https://start.paloaltonetworks.com/contact-unit42.html)
  ![x close icon to close mobile navigation](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/x-black.svg) [![Palo Alto Networks logo](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/pan-logo-dark.svg)](https://www.paloaltonetworks.com/?ts=markdown) ![magnifying glass search icon to open search field](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/search-black.svg)

* [](https://www.paloaltonetworks.com/?ts=markdown)

* Products  
  ![black arrow pointing left to go back to main navigation](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/arrow-right-black.svg) Products  
  [AI-Powered Network Security Platform](https://www.paloaltonetworks.com/network-security?ts=markdown)
  
  * [AI Security](https://www.paloaltonetworks.com/precision-ai-security/secure-ai-by-design?ts=markdown)
  
  * [Prisma AIRS](https://www.paloaltonetworks.com/prisma/prisma-ai-runtime-security?ts=markdown)
  
  * [AI Access Security](https://www.paloaltonetworks.com/sase/ai-access-security?ts=markdown)
  
  * [Cloud Delivered Security Services](https://www.paloaltonetworks.com/network-security/security-subscriptions?ts=markdown)
  
  * [Advanced Threat Prevention](https://www.paloaltonetworks.com/network-security/advanced-threat-prevention?ts=markdown)
  
  * [Advanced URL Filtering](https://www.paloaltonetworks.com/network-security/advanced-url-filtering?ts=markdown)
  
  * [Advanced WildFire](https://www.paloaltonetworks.com/network-security/advanced-wildfire?ts=markdown)
  
  * [Advanced DNS Security](https://www.paloaltonetworks.com/network-security/advanced-dns-security?ts=markdown)
  
  * [Enterprise Data Loss Prevention](https://www.paloaltonetworks.com/sase/enterprise-data-loss-prevention?ts=markdown)
  
  * [Enterprise Device Security](https://www.paloaltonetworks.com/network-security/enterprise-device-security?ts=markdown)
  
  * [Medical Device Security](https://www.paloaltonetworks.com/network-security/medical-device-security?ts=markdown)
  
  * [OT Device Security](https://www.paloaltonetworks.com/network-security/ot-device-security?ts=markdown)
  
  * [SaaS Security](https://www.paloaltonetworks.com/sase/saas-security?ts=markdown)
  
  * [Next-Generation Firewalls](https://www.paloaltonetworks.com/network-security/next-generation-firewall?ts=markdown)
  
  * [Hardware Firewalls](https://www.paloaltonetworks.com/network-security/hardware-firewall-innovations?ts=markdown)
  
  * [Software Firewalls](https://www.paloaltonetworks.com/network-security/software-firewalls?ts=markdown)
  
  * [Strata Cloud Manager](https://www.paloaltonetworks.com/network-security/strata-cloud-manager?ts=markdown)
  
  * [SD-WAN for NGFW](https://www.paloaltonetworks.com/network-security/sd-wan-subscription?ts=markdown)
  
  * [PAN-OS](https://www.paloaltonetworks.com/network-security/pan-os?ts=markdown)
  
  * [Panorama](https://www.paloaltonetworks.com/network-security/panorama?ts=markdown)
  
  * [Secure Access Service Edge](https://www.paloaltonetworks.com/sase?ts=markdown)
  
  * [Prisma SASE](https://www.paloaltonetworks.com/sase?ts=markdown)
  
  * [Application Acceleration](https://www.paloaltonetworks.com/sase/app-acceleration?ts=markdown)
  
  * [Autonomous Digital Experience Management](https://www.paloaltonetworks.com/sase/adem?ts=markdown)
  
  * [Enterprise DLP](https://www.paloaltonetworks.com/sase/enterprise-data-loss-prevention?ts=markdown)
  
  * [Prisma Access](https://www.paloaltonetworks.com/sase/access?ts=markdown)
  
  * [Prisma Browser](https://www.paloaltonetworks.com/sase/prisma-browser?ts=markdown)
  
  * [Prisma SD-WAN](https://www.paloaltonetworks.com/sase/sd-wan?ts=markdown)
  
  * [Remote Browser Isolation](https://www.paloaltonetworks.com/sase/remote-browser-isolation?ts=markdown)
  
  * [SaaS Security](https://www.paloaltonetworks.com/sase/saas-security?ts=markdown)  
    [AI-Driven Security Operations Platform](https://www.paloaltonetworks.com/cortex?ts=markdown)
  
  * [Cloud Security](https://www.paloaltonetworks.com/cortex/cloud?ts=markdown)
  
  * [Cortex Cloud](https://www.paloaltonetworks.com/cortex/cloud?ts=markdown)
  
  * [Application Security](https://www.paloaltonetworks.com/cortex/cloud/application-security?ts=markdown)
  
  * [Cloud Posture Security](https://www.paloaltonetworks.com/cortex/cloud/cloud-posture-security?ts=markdown)
  
  * [Cloud Runtime Security](https://www.paloaltonetworks.com/cortex/cloud/runtime-security?ts=markdown)
  
  * [Prisma Cloud](https://www.paloaltonetworks.com/prisma/cloud?ts=markdown)
  
  * [AI-Driven SOC](https://www.paloaltonetworks.com/cortex?ts=markdown)
  
  * [Cortex XSIAM](https://www.paloaltonetworks.com/cortex/cortex-xsiam?ts=markdown)
  
  * [Cortex XDR](https://www.paloaltonetworks.com/cortex/cortex-xdr?ts=markdown)
  
  * [Cortex AgentiX](https://www.paloaltonetworks.com/cortex/agentix?ts=markdown)
  
  * [Cortex XSOAR](https://www.paloaltonetworks.com/cortex/cortex-xsoar?ts=markdown)
  
  * [Cortex Exposure Management](https://www.paloaltonetworks.com/cortex/exposure-management?ts=markdown)
  
  * [Cortex Xpanse](https://www.paloaltonetworks.com/cortex/cortex-xpanse?ts=markdown)
  
  * [Cortex Advanced Email Security](https://www.paloaltonetworks.com/cortex/advanced-email-security?ts=markdown)
  
  * [Unit 42 Managed Detection \& Response](https://www.paloaltonetworks.com/cortex/managed-detection-and-response?ts=markdown)
  
  * [Unit 42 Managed XSIAM](https://www.paloaltonetworks.com/cortex/managed-xsiam?ts=markdown)

* Solutions  
  ![black arrow pointing left to go back to main navigation](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/arrow-right-black.svg) Solutions  
  Secure AI by Design
  
  * [Secure AI Ecosystem](https://www.paloaltonetworks.com/prisma/prisma-ai-runtime-security?ts=markdown)
  * [Secure GenAI Usage](https://www.paloaltonetworks.com/sase/ai-access-security?ts=markdown)  
    Network Security
  * [Cloud Network Security](https://www.paloaltonetworks.com/network-security/software-firewalls?ts=markdown)
  * [Data Center Security](https://www.paloaltonetworks.com/network-security/data-center?ts=markdown)
  * [DNS Security](https://www.paloaltonetworks.com/network-security/advanced-dns-security?ts=markdown)
  * [Intrusion Detection and Prevention](https://www.paloaltonetworks.com/network-security/advanced-threat-prevention?ts=markdown)
  * [Device Security](https://www.paloaltonetworks.com/network-security/device-security?ts=markdown)
  * [OT Security](https://www.paloaltonetworks.com/network-security/ot-device-security?ts=markdown)
  * [5G Security](https://www.paloaltonetworks.com/network-security/5g-security?ts=markdown)
  * [Secure All Apps, Users and Locations](https://www.paloaltonetworks.com/sase/secure-users-data-apps-devices?ts=markdown)
  * [Secure Branch Transformation](https://www.paloaltonetworks.com/sase/secure-branch-transformation?ts=markdown)
  * [Secure Work on Any Device](https://www.paloaltonetworks.com/sase/secure-work-on-any-device?ts=markdown)
  * [VPN Replacement](https://www.paloaltonetworks.com/sase/vpn-replacement-for-secure-remote-access?ts=markdown)
  * [Web \& Phishing Security](https://www.paloaltonetworks.com/network-security/advanced-url-filtering?ts=markdown)  
    Cloud Security
  * [Application Security Posture Management (ASPM)](https://www.paloaltonetworks.com/cortex/cloud/application-security-posture-management?ts=markdown)
  * [Software Supply Chain Security](https://www.paloaltonetworks.com/cortex/cloud/software-supply-chain-security?ts=markdown)
  * [Code Security](https://www.paloaltonetworks.com/cortex/cloud/code-security?ts=markdown)
  * [Cloud Security Posture Management (CSPM)](https://www.paloaltonetworks.com/cortex/cloud/cloud-security-posture-management?ts=markdown)
  * [Cloud Infrastructure Entitlement Management (CIEM)](https://www.paloaltonetworks.com/cortex/cloud/cloud-infrastructure-entitlement-management?ts=markdown)
  * [Data Security Posture Management (DSPM)](https://www.paloaltonetworks.com/cortex/cloud/data-security-posture-management?ts=markdown)
  * [AI Security Posture Management (AI-SPM)](https://www.paloaltonetworks.com/cortex/cloud/ai-security-posture-management?ts=markdown)
  * [Cloud Detection \& Response](https://www.paloaltonetworks.com/cortex/cloud-detection-and-response?ts=markdown)
  * [Cloud Workload Protection (CWP)](https://www.paloaltonetworks.com/cortex/cloud/cloud-workload-protection?ts=markdown)
  * [Web Application \& API Security (WAAS)](https://www.paloaltonetworks.com/cortex/cloud/web-app-api-security?ts=markdown)  
    Security Operations
  * [Cloud Detection \& Response](https://www.paloaltonetworks.com/cortex/cloud-detection-and-response?ts=markdown)
  * [Security Information and Event Management](https://www.paloaltonetworks.com/cortex/modernize-siem?ts=markdown)
  * [Network Security Automation](https://www.paloaltonetworks.com/cortex/network-security-automation?ts=markdown)
  * [Incident Case Management](https://www.paloaltonetworks.com/cortex/incident-case-management?ts=markdown)
  * [SOC Automation](https://www.paloaltonetworks.com/cortex/security-operations-automation?ts=markdown)
  * [Threat Intel Management](https://www.paloaltonetworks.com/cortex/threat-intel-management?ts=markdown)
  * [Managed Detection \& Response](https://www.paloaltonetworks.com/cortex/managed-detection-and-response?ts=markdown)
  * [Attack Surface Management](https://www.paloaltonetworks.com/cortex/cortex-xpanse/attack-surface-management?ts=markdown)
  * [Compliance Management](https://www.paloaltonetworks.com/cortex/cortex-xpanse/compliance-management?ts=markdown)
  * [Internet Operations Management](https://www.paloaltonetworks.com/cortex/cortex-xpanse/internet-operations-management?ts=markdown)
  * [Extended Data Lake (XDL)](https://www.paloaltonetworks.com/cortex/cortex-xdl?ts=markdown)
  * [Agentic Assistant](https://www.paloaltonetworks.com/cortex/cortex-agentic-assistant?ts=markdown)  
    Endpoint Security
  * [Endpoint Protection](https://www.paloaltonetworks.com/cortex/endpoint-protection?ts=markdown)
  * [Extended Detection \& Response](https://www.paloaltonetworks.com/cortex/detection-and-response?ts=markdown)
  * [Ransomware Protection](https://www.paloaltonetworks.com/cortex/ransomware-protection?ts=markdown)
  * [Digital Forensics](https://www.paloaltonetworks.com/cortex/digital-forensics?ts=markdown)  
    [Industries](https://www.paloaltonetworks.com/industry?ts=markdown)
  * [Public Sector](https://www.paloaltonetworks.com/industry/public-sector?ts=markdown)
  * [Financial Services](https://www.paloaltonetworks.com/industry/financial-services?ts=markdown)
  * [Manufacturing](https://www.paloaltonetworks.com/industry/manufacturing?ts=markdown)
  * [Healthcare](https://www.paloaltonetworks.com/industry/healthcare?ts=markdown)
  * [Small \& Medium Business Solutions](https://www.paloaltonetworks.com/industry/small-medium-business-portfolio?ts=markdown)

* Services  
  ![black arrow pointing left to go back to main navigation](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/arrow-right-black.svg) Services  
  [Threat Intel and Incident Response Services](https://www.paloaltonetworks.com/unit42?ts=markdown)
  
  * [Assess](https://www.paloaltonetworks.com/unit42/assess?ts=markdown)
  
  * [AI Security Assessment](https://www.paloaltonetworks.com/unit42/assess/ai-security-assessment?ts=markdown)
  
  * [Attack Surface Assessment](https://www.paloaltonetworks.com/unit42/assess/attack-surface-assessment?ts=markdown)
  
  * [Breach Readiness Review](https://www.paloaltonetworks.com/unit42/assess/breach-readiness-review?ts=markdown)
  
  * [BEC Readiness Assessment](https://www.paloaltonetworks.com/bec-readiness-assessment?ts=markdown)
  
  * [Cloud Security Assessment](https://www.paloaltonetworks.com/unit42/assess/cloud-security-assessment?ts=markdown)
  
  * [Compromise Assessment](https://www.paloaltonetworks.com/unit42/assess/compromise-assessment?ts=markdown)
  
  * [Cyber Risk Assessment](https://www.paloaltonetworks.com/unit42/assess/cyber-risk-assessment?ts=markdown)
  
  * [M\&A Cyber Due Diligence](https://www.paloaltonetworks.com/unit42/assess/mergers-acquisitions-cyber-due-diligence?ts=markdown)
  
  * [Penetration Testing](https://www.paloaltonetworks.com/unit42/assess/penetration-testing?ts=markdown)
  
  * [Purple Team Exercises](https://www.paloaltonetworks.com/unit42/assess/purple-teaming?ts=markdown)
  
  * [Ransomware Readiness Assessment](https://www.paloaltonetworks.com/unit42/assess/ransomware-readiness-assessment?ts=markdown)
  
  * [SOC Assessment](https://www.paloaltonetworks.com/unit42/assess/soc-assessment?ts=markdown)
  
  * [Supply Chain Risk Assessment](https://www.paloaltonetworks.com/unit42/assess/supply-chain-risk-assessment?ts=markdown)
  
  * [Tabletop Exercises](https://www.paloaltonetworks.com/unit42/assess/tabletop-exercise?ts=markdown)
  
  * [Unit 42 Retainer](https://www.paloaltonetworks.com/unit42/retainer?ts=markdown)
  
  * [Respond](https://www.paloaltonetworks.com/unit42/respond?ts=markdown)
  
  * [Cloud Incident Response](https://www.paloaltonetworks.com/unit42/respond/cloud-incident-response?ts=markdown)
  
  * [Digital Forensics](https://www.paloaltonetworks.com/unit42/respond/digital-forensics?ts=markdown)
  
  * [Incident Response](https://www.paloaltonetworks.com/unit42/respond/incident-response?ts=markdown)
  
  * [Managed Detection and Response](https://www.paloaltonetworks.com/unit42/respond/managed-detection-response?ts=markdown)
  
  * [Managed Threat Hunting](https://www.paloaltonetworks.com/unit42/respond/managed-threat-hunting?ts=markdown)
  
  * [Managed XSIAM](https://www.paloaltonetworks.com/cortex/managed-xsiam?ts=markdown)
  
  * [Unit 42 Retainer](https://www.paloaltonetworks.com/unit42/retainer?ts=markdown)
  
  * [Transform](https://www.paloaltonetworks.com/unit42/transform?ts=markdown)
  
  * [IR Plan Development and Review](https://www.paloaltonetworks.com/unit42/transform/incident-response-plan-development-review?ts=markdown)
  
  * [Security Program Design](https://www.paloaltonetworks.com/unit42/transform/security-program-design?ts=markdown)
  
  * [Virtual CISO](https://www.paloaltonetworks.com/unit42/transform/vciso?ts=markdown)
  
  * [Zero Trust Advisory](https://www.paloaltonetworks.com/unit42/transform/zero-trust-advisory?ts=markdown)  
    [Global Customer Services](https://www.paloaltonetworks.com/services?ts=markdown)
  
  * [Education \& Training](https://www.paloaltonetworks.com/services/education?ts=markdown)
  
  * [Professional Services](https://www.paloaltonetworks.com/services/consulting?ts=markdown)
  
  * [Success Tools](https://www.paloaltonetworks.com/services/customer-success-tools?ts=markdown)
  
  * [Support Services](https://www.paloaltonetworks.com/services/solution-assurance?ts=markdown)
  
  * [Customer Success](https://www.paloaltonetworks.com/services/customer-success?ts=markdown)  
    [![](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/logo-unit-42.svg)  
    UNIT 42 RETAINER
    Custom-built to fit your organization's needs, you can choose to allocate your retainer hours to any of our offerings, including proactive cyber risk management services. Learn how you can put the world-class Unit 42 Incident Response team on speed dial.
    Learn more](https://www.paloaltonetworks.com/unit42/retainer?ts=markdown)

* Partners  
  ![black arrow pointing left to go back to main navigation](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/arrow-right-black.svg) Partners  
  NextWave Partners
  
  * [NextWave Partner Community](https://www.paloaltonetworks.com/partners?ts=markdown)
  * [Cloud Service Providers](https://www.paloaltonetworks.com/partners/nextwave-for-csp?ts=markdown)
  * [Global Systems Integrators](https://www.paloaltonetworks.com/partners/nextwave-for-gsi?ts=markdown)
  * [Technology Partners](https://www.paloaltonetworks.com/partners/technology-partners?ts=markdown)
  * [Service Providers](https://www.paloaltonetworks.com/partners/service-providers?ts=markdown)
  * [Solution Providers](https://www.paloaltonetworks.com/partners/nextwave-solution-providers?ts=markdown)
  * [Managed Security Service Providers](https://www.paloaltonetworks.com/partners/managed-security-service-providers?ts=markdown)
  * [XMDR Partners](https://www.paloaltonetworks.com/partners/managed-security-service-providers/xmdr?ts=markdown)  
    Take Action
  * [Portal Login](https://www.paloaltonetworks.com/partners/nextwave-partner-portal?ts=markdown)
  * [Managed Services Program](https://www.paloaltonetworks.com/partners/managed-security-services-provider-program?ts=markdown)
  * [Become a Partner](https://paloaltonetworks.my.site.com/NextWavePartnerProgram/s/partnerregistration?type=becomepartner)
  * [Request Access](https://paloaltonetworks.my.site.com/NextWavePartnerProgram/s/partnerregistration?type=requestaccess)
  * [Find a Partner](https://paloaltonetworks.my.site.com/NextWavePartnerProgram/s/partnerlocator)  
    [CYBERFORCE
    CYBERFORCE represents the top 1% of partner engineers trusted for their security expertise.
    Learn more](https://www.paloaltonetworks.com/cyberforce?ts=markdown)

* Company  
  ![black arrow pointing left to go back to main navigation](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/arrow-right-black.svg) Company  
  Palo Alto Networks
  
  * [About Us](https://www.paloaltonetworks.com/about-us?ts=markdown)
  * [Management Team](https://www.paloaltonetworks.com/about-us/management?ts=markdown)
  * [Investor Relations](https://investors.paloaltonetworks.com)
  * [Locations](https://www.paloaltonetworks.com/about-us/locations?ts=markdown)
  * [Ethics \& Compliance](https://www.paloaltonetworks.com/company/ethics-and-compliance?ts=markdown)
  * [Corporate Responsibility](https://www.paloaltonetworks.com/about-us/corporate-responsibility?ts=markdown)
  * [Military \& Veterans](https://jobs.paloaltonetworks.com/military)  
    [Why Palo Alto Networks?](https://www.paloaltonetworks.com/why-paloaltonetworks?ts=markdown)
  * [Precision AI Security](https://www.paloaltonetworks.com/precision-ai-security?ts=markdown)
  * [Our Platform Approach](https://www.paloaltonetworks.com/why-paloaltonetworks/platformization?ts=markdown)
  * [Accelerate Your Cybersecurity Transformation](https://www.paloaltonetworks.com/why-paloaltonetworks/nam-cxo-portfolio?ts=markdown)
  * [Awards \& Recognition](https://www.paloaltonetworks.com/about-us/awards?ts=markdown)
  * [Customer Stories](https://www.paloaltonetworks.com/customers?ts=markdown)
  * [Global Certifications](https://www.paloaltonetworks.com/legal-notices/trust-center/compliance?ts=markdown)
  * [Trust 360 Program](https://www.paloaltonetworks.com/resources/whitepapers/trust-360?ts=markdown)  
    Careers
  * [Overview](https://jobs.paloaltonetworks.com/)
  * [Culture \& Benefits](https://jobs.paloaltonetworks.com/en/culture/)  
    [A Newsweek Most Loved Workplace
    "Businesses that do right by their employees"
    Read more](https://www.paloaltonetworks.com/company/press/2021/palo-alto-networks-secures-top-ranking-on-newsweek-s-most-loved-workplaces-list-for-2021?ts=markdown)

* More  
  ![black arrow pointing left to go back to main navigation](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/arrow-right-black.svg) More  
  Resources
  
  * [Blog](https://www.paloaltonetworks.com/blog/?ts=markdown)
  * [Unit 42 Threat Research](https://unit42.paloaltonetworks.com/)
  * [Communities](https://www.paloaltonetworks.com/communities?ts=markdown)
  * [Content Library](https://www.paloaltonetworks.com/resources?ts=markdown)
  * [Cyberpedia](https://www.paloaltonetworks.com/cyberpedia?ts=markdown)
  * [Tech Insider](https://techinsider.paloaltonetworks.com/)
  * [Knowledge Base](https://knowledgebase.paloaltonetworks.com/)
  * [Palo Alto Networks TV](https://tv.paloaltonetworks.com/)
  * [Perspectives of Leaders](https://www.paloaltonetworks.com/perspectives/?ts=markdown)
  * [Cyber Perspectives Magazine](https://www.paloaltonetworks.com/cybersecurity-perspectives/cyber-perspectives-magazine?ts=markdown)
  * [Regional Cloud Locations](https://www.paloaltonetworks.com/products/regional-cloud-locations?ts=markdown)
  * [Tech Docs](https://docs.paloaltonetworks.com/)
  * [Security Posture Assessment](https://www.paloaltonetworks.com/security-posture-assessment?ts=markdown)
  * [Threat Vector Podcast](https://unit42.paloaltonetworks.com/unit-42-threat-vector-podcast/)
  * [Packet Pushers Podcasts](https://www.paloaltonetworks.com/podcasts/packet-pusher?ts=markdown)  
    Connect
  * [LIVE community](https://live.paloaltonetworks.com/)
  * [Events](https://events.paloaltonetworks.com/)
  * [Executive Briefing Center](https://www.paloaltonetworks.com/about-us/executive-briefing-program?ts=markdown)
  * [Demos](https://www.paloaltonetworks.com/demos?ts=markdown)
  * [Contact us](https://www.paloaltonetworks.com/company/contact-sales?ts=markdown)  
    [Blog
    Stay up-to-date on industry trends and the latest innovations from the world's largest cybersecurity
    Learn more](https://www.paloaltonetworks.com/blog/)

* Sign In  
  ![black arrow pointing left to go back to main navigation](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/arrow-right-black.svg) Sign In
  
  * Customer
  * Partner
  * Employee
  * [Login to download](https://www.paloaltonetworks.com/login?ts=markdown)
  * [Join us to become a member](https://www.paloaltonetworks.com/login?screenToRender=traditionalRegistration&ts=markdown)

* EN  
  ![black arrow pointing left to go back to main navigation](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/arrow-right-black.svg) Language
  
  * [USA (ENGLISH)](https://www.paloaltonetworks.com)
  * [AUSTRALIA (ENGLISH)](https://www.paloaltonetworks.com.au)
  * [BRAZIL (PORTUGUÉS)](https://www.paloaltonetworks.com.br)
  * [CANADA (ENGLISH)](https://www.paloaltonetworks.ca)
  * [CHINA (简体中文)](https://www.paloaltonetworks.cn)
  * [FRANCE (FRANÇAIS)](https://www.paloaltonetworks.fr)
  * [GERMANY (DEUTSCH)](https://www.paloaltonetworks.de)
  * [INDIA (ENGLISH)](https://www.paloaltonetworks.in)
  * [ITALY (ITALIANO)](https://www.paloaltonetworks.it)
  * [JAPAN (日本語)](https://www.paloaltonetworks.jp)
  * [KOREA (한국어)](https://www.paloaltonetworks.co.kr)
  * [LATIN AMERICA (ESPAÑOL)](https://www.paloaltonetworks.lat)
  * [MEXICO (ESPAÑOL)](https://www.paloaltonetworks.com.mx)
  * [SINGAPORE (ENGLISH)](https://www.paloaltonetworks.sg)
  * [SPAIN (ESPAÑOL)](https://www.paloaltonetworks.es)
  * [TAIWAN (繁體中文)](https://www.paloaltonetworks.tw)
  * [UK (ENGLISH)](https://www.paloaltonetworks.co.uk)

* [Contact Us](https://www.paloaltonetworks.com/company/contact-sales?ts=markdown)

* [What's New](https://www.paloaltonetworks.com/resources?ts=markdown)

* [Get support](https://support.paloaltonetworks.com/SupportAccount/MyAccount)

* [Under Attack?](https://start.paloaltonetworks.com/contact-unit42.html)

* [Demos and Trials](https://www.paloaltonetworks.com/get-started?ts=markdown)  
  Search  
  All

* [Tech Docs](https://docs.paloaltonetworks.com/search)  
  Close search modal
  [Deploy Bravely --- Secure your AI transformation with Prisma AIRS](https://www.deploybravely.com)  
  [](https://www.paloaltonetworks.com/?ts=markdown)

1. [Cyberpedia](https://www.paloaltonetworks.com/cyberpedia?ts=markdown)
2. [Cloud Security](https://www.paloaltonetworks.com/cyberpedia/cloud-security?ts=markdown)
3. [Container Security](https://www.paloaltonetworks.com/cyberpedia/what-is-container-security?ts=markdown)
4. [What Is Kubernetes Security?](https://www.paloaltonetworks.com/cyberpedia/kubernetes-security?ts=markdown)  
   Table of Contents

* [What Is Container Security?](https://www.paloaltonetworks.com/cyberpedia/what-is-container-security?ts=markdown)
  * [Container Security Explained](https://www.paloaltonetworks.com/cyberpedia/what-is-container-security#container-security?ts=markdown)
  * [Understanding the Attack Surface](https://www.paloaltonetworks.com/cyberpedia/what-is-container-security#attack-surface?ts=markdown)
  * [How to Secure Containers](https://www.paloaltonetworks.com/cyberpedia/what-is-container-security#secure-containers?ts=markdown)
  * [Container Security Solutions](https://www.paloaltonetworks.com/cyberpedia/what-is-container-security#solutions?ts=markdown)
  * [Container Security FAQs](https://www.paloaltonetworks.com/cyberpedia/what-is-container-security#faq?ts=markdown)
* [Managing Permissions with Kubernetes RBAC](https://www.paloaltonetworks.com/cyberpedia/kubernetes-rbac?ts=markdown)
  * [Kubernetes RBAC Defined](https://www.paloaltonetworks.com/cyberpedia/kubernetes-rbac#kubernetes?ts=markdown)
  * [Why Is RBAC Important for Kubernetes Security?](https://www.paloaltonetworks.com/cyberpedia/kubernetes-rbac#important?ts=markdown)
  * [RBAC Roles and Permissions in Kubernetes](https://www.paloaltonetworks.com/cyberpedia/kubernetes-rbac#roles?ts=markdown)
  * [How Kubernetes RBAC Works](https://www.paloaltonetworks.com/cyberpedia/kubernetes-rbac#how?ts=markdown)
  * [The Role of RBAC in Kubernetes Authorization](https://www.paloaltonetworks.com/cyberpedia/kubernetes-rbac#authorization?ts=markdown)
  * [Common RBAC Permissions Risks and Vulnerabilities](https://www.paloaltonetworks.com/cyberpedia/kubernetes-rbac#common?ts=markdown)
  * [Kubernetes RBAC Best Practices and Recommendations](https://www.paloaltonetworks.com/cyberpedia/kubernetes-rbac#best?ts=markdown)
  * [Kubernetes and RBAC FAQ](https://www.paloaltonetworks.com/cyberpedia/kubernetes-rbac#faqs?ts=markdown)
* [Kubernetes: How to Implement AI-Powered Security](https://www.paloaltonetworks.com/cyberpedia/kubernetes-ai-security?ts=markdown)
  * [Common Threats to Kubernetes Clusters](https://www.paloaltonetworks.com/cyberpedia/kubernetes-ai-security#common?ts=markdown)
  * [How Is AI Used to Enhance Kubernetes Security?](https://www.paloaltonetworks.com/cyberpedia/kubernetes-ai-security#how?ts=markdown)
  * [How Do You Implement AI-Powered Security in Kubernetes?](https://www.paloaltonetworks.com/cyberpedia/kubernetes-ai-security#do?ts=markdown)
  * [What Are the Best Types of AI-Powered Tools for Kubernetes Security?](https://www.paloaltonetworks.com/cyberpedia/kubernetes-ai-security#what?ts=markdown)
  * [Kubernetes and AI-Powered Security FAQs](https://www.paloaltonetworks.com/cyberpedia/kubernetes-ai-security#faqs?ts=markdown)
* [What Is Container Runtime Security?](https://www.paloaltonetworks.com/cyberpedia/runtime-security?ts=markdown)
  * [Container Runtime Security for Modern Applications](https://www.paloaltonetworks.com/cyberpedia/runtime-security#runtime-security?ts=markdown)
  * [Models and Rules: Understanding Container Runtime Security](https://www.paloaltonetworks.com/cyberpedia/runtime-security#models?ts=markdown)
  * [Components of Container Runtime Security](https://www.paloaltonetworks.com/cyberpedia/runtime-security#components?ts=markdown)
  * [Best Practices for Optimal Runtime Security](https://www.paloaltonetworks.com/cyberpedia/runtime-security#best-practices?ts=markdown)
  * [At-a Glance Runtime Security Checklist](https://www.paloaltonetworks.com/cyberpedia/runtime-security#checklist?ts=markdown)
  * [Runtime Security FAQs](https://www.paloaltonetworks.com/cyberpedia/runtime-security#faq?ts=markdown)
* What Is Kubernetes Security?
  * [Kubernetes Security Explained](https://www.paloaltonetworks.com/cyberpedia/kubernetes-security#kubernetes?ts=markdown)
  * [The Importance of Kubernetes Security](https://www.paloaltonetworks.com/cyberpedia/kubernetes-security#importance?ts=markdown)
  * [Application Security in Kubernetes](https://www.paloaltonetworks.com/cyberpedia/kubernetes-security#application?ts=markdown)
  * [7 Common Kubernetes Security Mistakes](https://www.paloaltonetworks.com/cyberpedia/kubernetes-security#mistakes?ts=markdown)
  * [Kubernetes Security Best Practices](https://www.paloaltonetworks.com/cyberpedia/kubernetes-security#practices?ts=markdown)
  * [Kubernetes Security FAQs](https://www.paloaltonetworks.com/cyberpedia/kubernetes-security#faqs?ts=markdown)
* [Multicloud Management with Al and Kubernetes](https://www.paloaltonetworks.com/cyberpedia/kubernetes-multicloud-management?ts=markdown)
  * [Multicloud Kubernetes Defined](https://www.paloaltonetworks.com/cyberpedia/kubernetes-multicloud-management#multicloud?ts=markdown)
  * [How Does Kubernetes Facilitate Multicloud Management?](https://www.paloaltonetworks.com/cyberpedia/kubernetes-multicloud-management#how?ts=markdown)
  * [Multicloud Management Using AI and Kubernetes](https://www.paloaltonetworks.com/cyberpedia/kubernetes-multicloud-management#kubernetes?ts=markdown)
  * [Key AI and Kubernetes Capabilities](https://www.paloaltonetworks.com/cyberpedia/kubernetes-multicloud-management#key?ts=markdown)
  * [Strategic Planning for Multicloud Management](https://www.paloaltonetworks.com/cyberpedia/kubernetes-multicloud-management#strategic?ts=markdown)
  * [Steps to Manage Multiple Cloud Environments with AI and Kubernetes](https://www.paloaltonetworks.com/cyberpedia/kubernetes-multicloud-management#steps?ts=markdown)
  * [Multicloud Management Challenges](https://www.paloaltonetworks.com/cyberpedia/kubernetes-multicloud-management#challenges?ts=markdown)
  * [Kubernetes Multicloud Management with AI FAQs](https://www.paloaltonetworks.com/cyberpedia/kubernetes-multicloud-management#faqs?ts=markdown)
* [What Is Kubernetes?](https://www.paloaltonetworks.com/cyberpedia/what-is-kubernetes?ts=markdown)
  * [Kubernetes Explained](https://www.paloaltonetworks.com/cyberpedia/what-is-kubernetes#kubernetes?ts=markdown)
  * [Kubernetes Architecture](https://www.paloaltonetworks.com/cyberpedia/what-is-kubernetes#architecture?ts=markdown)
  * [Nodes: The Foundation](https://www.paloaltonetworks.com/cyberpedia/what-is-kubernetes#nodes?ts=markdown)
  * [Clusters](https://www.paloaltonetworks.com/cyberpedia/what-is-kubernetes#clusters?ts=markdown)
  * [Pods: The Basic Units of Deployment](https://www.paloaltonetworks.com/cyberpedia/what-is-kubernetes#pods?ts=markdown)
  * [Kubelet](https://www.paloaltonetworks.com/cyberpedia/what-is-kubernetes#kubelet?ts=markdown)
  * [Services: Networking in Kubernetes](https://www.paloaltonetworks.com/cyberpedia/what-is-kubernetes#services?ts=markdown)
  * [Volumes: Handling Persistent Storage](https://www.paloaltonetworks.com/cyberpedia/what-is-kubernetes#volumes?ts=markdown)
  * [Deployments in Kubernetes](https://www.paloaltonetworks.com/cyberpedia/what-is-kubernetes#deployments?ts=markdown)
  * [Kubernetes Automation and Capabilities](https://www.paloaltonetworks.com/cyberpedia/what-is-kubernetes#capabilities?ts=markdown)
  * [Benefits of Kubernetes](https://www.paloaltonetworks.com/cyberpedia/what-is-kubernetes#benefits?ts=markdown)
  * [Kubernetes Vs. Docker](https://www.paloaltonetworks.com/cyberpedia/what-is-kubernetes#compare?ts=markdown)
  * [Kubernetes FAQs](https://www.paloaltonetworks.com/cyberpedia/what-is-kubernetes#faq?ts=markdown)
* [What Is Kubernetes Security Posture Management (KSPM)?](https://www.paloaltonetworks.com/cyberpedia/kubernetes-security-posture-management-kspm?ts=markdown)
  * [Kubernetes Security Posture Management Explained](https://www.paloaltonetworks.com/cyberpedia/kubernetes-security-posture-management-kspm#kspm?ts=markdown)
  * [What Is the Importance of KSPM?](https://www.paloaltonetworks.com/cyberpedia/kubernetes-security-posture-management-kspm#importance?ts=markdown)
  * [KSPM \& the Four Cs](https://www.paloaltonetworks.com/cyberpedia/kubernetes-security-posture-management-kspm#kspm-cs?ts=markdown)
  * [Vulnerabilities Addressed with Kubernetes Security Posture Management](https://www.paloaltonetworks.com/cyberpedia/kubernetes-security-posture-management-kspm#vulnerabilities?ts=markdown)
  * [How Does Kubernetes Security Posture Management Work?](https://www.paloaltonetworks.com/cyberpedia/kubernetes-security-posture-management-kspm#how?ts=markdown)
  * [What Are the Key Components and Functions of an Effective KSPM Solution?](https://www.paloaltonetworks.com/cyberpedia/kubernetes-security-posture-management-kspm#components?ts=markdown)
  * [KSPM Vs. CSPM](https://www.paloaltonetworks.com/cyberpedia/kubernetes-security-posture-management-kspm#vs?ts=markdown)
  * [Best Practices for KSPM](https://www.paloaltonetworks.com/cyberpedia/kubernetes-security-posture-management-kspm#best-practices?ts=markdown)
  * [KSPM Use Cases](https://www.paloaltonetworks.com/cyberpedia/kubernetes-security-posture-management-kspm#use-cases?ts=markdown)
  * [Kubernetes Security Posture Management (KSPM) FAQs](https://www.paloaltonetworks.com/cyberpedia/kubernetes-security-posture-management-kspm#faq?ts=markdown)
* [What Is Orchestration Security?](https://www.paloaltonetworks.com/cyberpedia/what-is-orchestration-security?ts=markdown)
  * [Orchestration Security Explained](https://www.paloaltonetworks.com/cyberpedia/what-is-orchestration-security#orchestration-security?ts=markdown)
  * [Securing the Build Layer](https://www.paloaltonetworks.com/cyberpedia/what-is-orchestration-security#build-layer?ts=markdown)
  * [Orchestration Access Security](https://www.paloaltonetworks.com/cyberpedia/what-is-orchestration-security#access-security?ts=markdown)
  * [At-a-Glance Container Orchestration Security Checklist](https://www.paloaltonetworks.com/cyberpedia/what-is-orchestration-security#checklist?ts=markdown)
  * [Container Orchestration FAQs](https://www.paloaltonetworks.com/cyberpedia/what-is-orchestration-security#faq?ts=markdown)
* [What Is Container Orchestration?](https://www.paloaltonetworks.com/cyberpedia/what-is-container-orchestration?ts=markdown)
  * [Container Orchestration Explained](https://www.paloaltonetworks.com/cyberpedia/what-is-container-orchestration#container-orchestration?ts=markdown)
  * [Orchestration Tools](https://www.paloaltonetworks.com/cyberpedia/what-is-container-orchestration#tools?ts=markdown)
  * [Key Components of Orchestrators](https://www.paloaltonetworks.com/cyberpedia/what-is-container-orchestration#components?ts=markdown)
  * [Container Orchestration and the Pipeline](https://www.paloaltonetworks.com/cyberpedia/what-is-container-orchestration#pipeline?ts=markdown)
  * [Benefits of Container Orchestration](https://www.paloaltonetworks.com/cyberpedia/what-is-container-orchestration#benefits?ts=markdown)
  * [The Container Ecosystem](https://www.paloaltonetworks.com/cyberpedia/what-is-container-orchestration#ecosystem?ts=markdown)
  * [Container Orchestration FAQs](https://www.paloaltonetworks.com/cyberpedia/what-is-container-orchestration#faq?ts=markdown)
* [How to Secure Kubernetes Secrets and Sensitive Data](https://www.paloaltonetworks.com/cyberpedia/kubernetes-secrets?ts=markdown)
  * [Kubernetes Secrets Explained](https://www.paloaltonetworks.com/cyberpedia/kubernetes-secrets#kubernetes?ts=markdown)
  * [Importance of Securing Kubernetes Secrets](https://www.paloaltonetworks.com/cyberpedia/kubernetes-secrets#importance?ts=markdown)
  * [How Kubernetes Secrets Work](https://www.paloaltonetworks.com/cyberpedia/kubernetes-secrets#kubernetes-secrets?ts=markdown)
  * [How Do You Store Sensitive Data in Kubernetes?](https://www.paloaltonetworks.com/cyberpedia/kubernetes-secrets#sensitive-data?ts=markdown)
  * [How Do You Secure Secrets in Kubernetes?](https://www.paloaltonetworks.com/cyberpedia/kubernetes-secrets#secure-secrets?ts=markdown)
  * [Challenges in Securing Kubernetes Secrets](https://www.paloaltonetworks.com/cyberpedia/kubernetes-secrets#challenges?ts=markdown)
  * [What Are the Best Practices to Make Kubernetes Secrets More Secure?](https://www.paloaltonetworks.com/cyberpedia/kubernetes-secrets#best-practices?ts=markdown)
  * [What Tools Are Available to Secure Secrets in Kubernetes?](https://www.paloaltonetworks.com/cyberpedia/kubernetes-secrets#tools?ts=markdown)
  * [Kubernetes Secrets FAQ](https://www.paloaltonetworks.com/cyberpedia/kubernetes-secrets#faq?ts=markdown)
* [Kubernetes and Infrastructure as Code](https://www.paloaltonetworks.com/cyberpedia/kubernetes-infrastructure-as-code?ts=markdown)
  * [Infrastructure as Code in the Kubernetes Environment](https://www.paloaltonetworks.com/cyberpedia/kubernetes-infrastructure-as-code#kubernetes-environment?ts=markdown)
  * [Understanding IaC](https://www.paloaltonetworks.com/cyberpedia/kubernetes-infrastructure-as-code#iac?ts=markdown)
  * [IaC Security Is Key](https://www.paloaltonetworks.com/cyberpedia/kubernetes-infrastructure-as-code#iac-security?ts=markdown)
  * [Kubernetes Host Infrastructure Security](https://www.paloaltonetworks.com/cyberpedia/kubernetes-infrastructure-as-code#host-infrastructure-security?ts=markdown)
  * [IAM Security for Kubernetes Clusters](https://www.paloaltonetworks.com/cyberpedia/kubernetes-infrastructure-as-code#iam-security?ts=markdown)
  * [Container Registry and IaC Security](https://www.paloaltonetworks.com/cyberpedia/kubernetes-infrastructure-as-code#container-registry?ts=markdown)
  * [Avoid Pulling "Latest" Container Images](https://www.paloaltonetworks.com/cyberpedia/kubernetes-infrastructure-as-code#container-images?ts=markdown)
  * [Avoid Privileged Containers and Escalation](https://www.paloaltonetworks.com/cyberpedia/kubernetes-infrastructure-as-code#privileged-containers?ts=markdown)
  * [Isolate Pods at the Network Level](https://www.paloaltonetworks.com/cyberpedia/kubernetes-infrastructure-as-code#isolate-pods?ts=markdown)
  * [Encrypt Internal Traffic](https://www.paloaltonetworks.com/cyberpedia/kubernetes-infrastructure-as-code#encrypt?ts=markdown)
  * [Specifying Resource Limits](https://www.paloaltonetworks.com/cyberpedia/kubernetes-infrastructure-as-code#resource-limits?ts=markdown)
  * [Avoiding the Default Namespace](https://www.paloaltonetworks.com/cyberpedia/kubernetes-infrastructure-as-code#namespace?ts=markdown)
  * [Enable Audit Logging](https://www.paloaltonetworks.com/cyberpedia/kubernetes-infrastructure-as-code#audit-logging?ts=markdown)
  * [Securing Open-Source Kubernetes Components](https://www.paloaltonetworks.com/cyberpedia/kubernetes-infrastructure-as-code#kubernetes-components?ts=markdown)
  * [Kubernetes Security Across the DevOps Lifecycle](https://www.paloaltonetworks.com/cyberpedia/kubernetes-infrastructure-as-code#devops-lifecycle?ts=markdown)
  * [Kubernetes and Infrastructure as Code FAQs](https://www.paloaltonetworks.com/cyberpedia/kubernetes-infrastructure-as-code#faq?ts=markdown)
* [What Is the Difference Between Dockers and Kubernetes?](https://www.paloaltonetworks.com/cyberpedia/kubernetes-docker?ts=markdown)
  * [Docker Defined](https://www.paloaltonetworks.com/cyberpedia/kubernetes-docker#defined?ts=markdown)
  * [Kubernetes Explained](https://www.paloaltonetworks.com/cyberpedia/kubernetes-docker#explained?ts=markdown)
  * [Docker and Kubernetes: Comparison of Containerization Platforms](https://www.paloaltonetworks.com/cyberpedia/kubernetes-docker#platforms?ts=markdown)
  * [Kubernetes Vs. Docker: Complementary, Not Competitors](https://www.paloaltonetworks.com/cyberpedia/kubernetes-docker#competitors?ts=markdown)
  * [Benefits of Integrating Docker and Kubernetes](https://www.paloaltonetworks.com/cyberpedia/kubernetes-docker#benefits?ts=markdown)
  * [Use Cases and Applications for Docker and Kubernetes](https://www.paloaltonetworks.com/cyberpedia/kubernetes-docker#usecases?ts=markdown)
  * [Dockers and Kubernetes FAQ](https://www.paloaltonetworks.com/cyberpedia/kubernetes-docker#faqs?ts=markdown)
* [Securing Your Kubernetes Cluster: Kubernetes Best Practices and Strategies](https://www.paloaltonetworks.com/cyberpedia/kubernetes-cluster-security?ts=markdown)
  * [What Is the Importance of a Secure Kubernetes Cluster?](https://www.paloaltonetworks.com/cyberpedia/kubernetes-cluster-security#importance?ts=markdown)
  * [Understanding Kubernetes Security](https://www.paloaltonetworks.com/cyberpedia/kubernetes-cluster-security#security?ts=markdown)
  * [What Are Kubernetes Security Considerations and Security Best Practices?](https://www.paloaltonetworks.com/cyberpedia/kubernetes-cluster-security#practices?ts=markdown)
  * [What Are Advanced Strategies for Kubernetes Security?](https://www.paloaltonetworks.com/cyberpedia/kubernetes-cluster-security#advanced?ts=markdown)
  * [Kubernetes Cluster Security FAQs](https://www.paloaltonetworks.com/cyberpedia/kubernetes-cluster-security#faqs?ts=markdown)
* [What Is a Host Operating System (OS)?](https://www.paloaltonetworks.com/cyberpedia/host-os-operating-system-containers?ts=markdown)
  * [The Host Operating System (OS) Explained](https://www.paloaltonetworks.com/cyberpedia/host-os-operating-system-containers#os?ts=markdown)
  * [Host OS Selection](https://www.paloaltonetworks.com/cyberpedia/host-os-operating-system-containers#selection?ts=markdown)
  * [Host OS Security](https://www.paloaltonetworks.com/cyberpedia/host-os-operating-system-containers#security?ts=markdown)
  * [Implement Industry-Standard Security Benchmarks](https://www.paloaltonetworks.com/cyberpedia/host-os-operating-system-containers#benchmarks?ts=markdown)
  * [Container Escape](https://www.paloaltonetworks.com/cyberpedia/host-os-operating-system-containers#container-escape?ts=markdown)
  * [System-Level Security Features](https://www.paloaltonetworks.com/cyberpedia/host-os-operating-system-containers#security-features?ts=markdown)
  * [Patch Management and Vulnerability Management](https://www.paloaltonetworks.com/cyberpedia/host-os-operating-system-containers#patch-management?ts=markdown)
  * [File System and Storage Security](https://www.paloaltonetworks.com/cyberpedia/host-os-operating-system-containers#storage-security?ts=markdown)
  * [Host-Level Firewall Configuration and Security](https://www.paloaltonetworks.com/cyberpedia/host-os-operating-system-containers#firewall-configuration?ts=markdown)
  * [Logging, Monitoring, and Auditing](https://www.paloaltonetworks.com/cyberpedia/host-os-operating-system-containers#logging?ts=markdown)
  * [Host OS Security FAQs](https://www.paloaltonetworks.com/cyberpedia/host-os-operating-system-containers#faq?ts=markdown)
* [What Is Docker?](https://www.paloaltonetworks.com/cyberpedia/docker?ts=markdown)
  * [Docker Explained](https://www.paloaltonetworks.com/cyberpedia/docker#docker?ts=markdown)
  * [Understanding Docker Containers](https://www.paloaltonetworks.com/cyberpedia/docker#understanding?ts=markdown)
  * [Core Components of Docker](https://www.paloaltonetworks.com/cyberpedia/docker#core?ts=markdown)
  * [What Platforms and Environments Does Docker Support?](https://www.paloaltonetworks.com/cyberpedia/docker#what?ts=markdown)
  * [How Does Docker Work?](https://www.paloaltonetworks.com/cyberpedia/docker#how?ts=markdown)
  * [Docker Tools](https://www.paloaltonetworks.com/cyberpedia/docker#tools?ts=markdown)
  * [Docker Use Cases and Benefits](https://www.paloaltonetworks.com/cyberpedia/docker#benefits?ts=markdown)
  * [Docker FAQ](https://www.paloaltonetworks.com/cyberpedia/docker#faqs?ts=markdown)
* [What Is Container Registry Security?](https://www.paloaltonetworks.com/cyberpedia/container-registry-security?ts=markdown)
  * [Container Registry Security Explained](https://www.paloaltonetworks.com/cyberpedia/container-registry-security#container-registry?ts=markdown)
  * [Components of Container Registry Security](https://www.paloaltonetworks.com/cyberpedia/container-registry-security#components?ts=markdown)
  * [Promoting Image and Artifact Integrity in CI/CD](https://www.paloaltonetworks.com/cyberpedia/container-registry-security#artifact-integrity?ts=markdown)
  * [At-a-Glance Container Registry Security Checklist](https://www.paloaltonetworks.com/cyberpedia/container-registry-security#checklist?ts=markdown)
  * [Container Registry FAQs](https://www.paloaltonetworks.com/cyberpedia/container-registry-security#faq?ts=markdown)
* [What Is a Container?](https://www.paloaltonetworks.com/cyberpedia/what-is-a-container?ts=markdown)
  * [Containers Explained](https://www.paloaltonetworks.com/cyberpedia/what-is-a-container#containers?ts=markdown)
  * [Understanding Container Components](https://www.paloaltonetworks.com/cyberpedia/what-is-a-container#components?ts=markdown)
  * [Container Infrastructure](https://www.paloaltonetworks.com/cyberpedia/what-is-a-container#infrastructure?ts=markdown)
  * [Know Your Container Types](https://www.paloaltonetworks.com/cyberpedia/what-is-a-container#types?ts=markdown)
  * [Harnessing the Efficiency of Containerization](https://www.paloaltonetworks.com/cyberpedia/what-is-a-container#efficiency?ts=markdown)
  * [Container FAQs](https://www.paloaltonetworks.com/cyberpedia/what-is-a-container#faq?ts=markdown)
* [What Is Containerization?](https://www.paloaltonetworks.com/cyberpedia/containerization?ts=markdown)
  * [Why Is Containerization Important?](https://www.paloaltonetworks.com/cyberpedia/containerization#why?ts=markdown)
  * [Containers: A Modern Contender to VMs](https://www.paloaltonetworks.com/cyberpedia/containerization#containers?ts=markdown)
  * [To Container or Not to Container: Moving Applications to the Cloud](https://www.paloaltonetworks.com/cyberpedia/containerization#apps?ts=markdown)
  * [Architecture and Migration](https://www.paloaltonetworks.com/cyberpedia/containerization#architecture?ts=markdown)
  * [Choosing a Cloud Migration Method](https://www.paloaltonetworks.com/cyberpedia/containerization#migration?ts=markdown)
  * [When Micro Means Fast](https://www.paloaltonetworks.com/cyberpedia/containerization#micro?ts=markdown)
* [Container FAQs](https://www.paloaltonetworks.com/cyberpedia/containerization#faq?ts=markdown)

# What Is Kubernetes Security?

5 min. read  
Table of Contents

* * [Kubernetes Security Explained](https://www.paloaltonetworks.com/cyberpedia/kubernetes-security#kubernetes?ts=markdown)
  * [The Importance of Kubernetes Security](https://www.paloaltonetworks.com/cyberpedia/kubernetes-security#importance?ts=markdown)
  * [Application Security in Kubernetes](https://www.paloaltonetworks.com/cyberpedia/kubernetes-security#application?ts=markdown)
  * [7 Common Kubernetes Security Mistakes](https://www.paloaltonetworks.com/cyberpedia/kubernetes-security#mistakes?ts=markdown)
  * [Kubernetes Security Best Practices](https://www.paloaltonetworks.com/cyberpedia/kubernetes-security#practices?ts=markdown)
* [Kubernetes Security FAQs](https://www.paloaltonetworks.com/cyberpedia/kubernetes-security#faqs?ts=markdown)

1. Kubernetes Security Explained

* * [Kubernetes Security Explained](https://www.paloaltonetworks.com/cyberpedia/kubernetes-security#kubernetes?ts=markdown)
  * [The Importance of Kubernetes Security](https://www.paloaltonetworks.com/cyberpedia/kubernetes-security#importance?ts=markdown)
  * [Application Security in Kubernetes](https://www.paloaltonetworks.com/cyberpedia/kubernetes-security#application?ts=markdown)
  * [7 Common Kubernetes Security Mistakes](https://www.paloaltonetworks.com/cyberpedia/kubernetes-security#mistakes?ts=markdown)
  * [Kubernetes Security Best Practices](https://www.paloaltonetworks.com/cyberpedia/kubernetes-security#practices?ts=markdown)
* [Kubernetes Security FAQs](https://www.paloaltonetworks.com/cyberpedia/kubernetes-security#faqs?ts=markdown)

Kubernetes security applies layered controls to containers, orchestration processes, and the surrounding cloud infrastructure. It safeguards against data breaches, service disruption, and unauthorized access by enforcing least privilege, securing APIs, and monitoring cluster activity. As Kubernetes bridges apps, infrastructure, and pipelines, its security becomes central to protecting cloud-native environments.

## Kubernetes Security Explained

Kubernetes security governs the protection of containerized [workloads](https://www.paloaltonetworks.com/cyberpedia/what-is-workload?ts=markdown) and their orchestration across distributed environments. It spans the full attack surface, from infrastructure to applications, leveraging controls purpose-built for the platform's ephemeral [containers](https://www.paloaltonetworks.com/cyberpedia/what-is-a-container?ts=markdown) and declarative configuration model.

Every Kubernetes cluster introduces multiple layers of exposure --- the control plane, the dataplane, and the workloads themselves. Each layer requires a set of defensive measures. You must lock down the kube-apiserver, monitor access to etcd, secure pod-to-pod communication, enforce [least privilege](https://www.paloaltonetworks.com/cyberpedia/what-is-least-privilege-access?ts=markdown) through [RBAC](https://www.paloaltonetworks.com/cyberpedia/kubernetes-rbac?ts=markdown), and harden the nodes running the kubelet. A lapse in one area, such as an overpermissive role binding or exposed service, can unravel the system's security posture.

Kubernetes offers control surfaces, but not policy coordination or integration. Security teams must design the enforcement architecture around it, aligning [DevOps](https://www.paloaltonetworks.com/cyberpedia/what-is-devops?ts=markdown), SecOps, and CloudOps efforts. As attackers automate privilege escalation, [lateral movement](https://www.paloaltonetworks.com/cyberpedia/what-is-lateral-movement?ts=markdown), and runtime exploits, defense must shift from reactive tooling to preemptive policy and hardened defaults.

Kubernetes security must be declarative, enforced by design, and sustained throughout both the deployment process and the platform's ongoing operations.  
![Key components of Kubernetes security](https://www.paloaltonetworks.com/content/dam/pan/en_US/images/cyberpedia/kubernetes-security/key-components-of-kubernetes-security.jpg "Key components of Kubernetes security") ***Figure 1**: Key components of Kubernetes security*

## The Importance of Kubernetes Security

Organizations rely on the cloud and cloud-native architectures, and Kubernetes sits at the core of that ecosystem. Yet securing Kubernetes remains a persistent challenge. In our [State of Cloud-Native Security Report](https://www.paloaltonetworks.com/resources/research/state-of-cloud-native-security-2024?ts=markdown), 86% of respondents said security delays software releases, with nearly half regularly facing major hold-ups. Many of these delays stem from unresolved vulnerabilities and misconfigurations in [CI/CD pipelines](https://www.paloaltonetworks.com/cyberpedia/what-is-the-ci-cd-pipeline-and-ci-cd-security?ts=markdown) and infrastructure orchestration --- areas Kubernetes directly controls. At the same time, 34% flagged CI/CD as a growing attack surface, and 43% cited API risks, both of which implicate Kubernetes. Like many cloud-native tools, in other words, organizations struggle with Kubernetes security.

Every delayed deployment costs the business time and money, on top of fines and revenue loss from security incidents.

## Application Security in Kubernetes

Kubernetes orchestrates containerized workloads across cloud infrastructure, managing how applications are deployed, scaled, and operated. While not a security tool, it defines critical enforcement points such as [access control](https://www.paloaltonetworks.com/cyberpedia/access-control?ts=markdown), workload isolation, network segmentation, and runtime behavior.

[Securing applications](https://www.paloaltonetworks.com/cyberpedia/appsec-application-security?ts=markdown) within the Kubernetes environment focuses on protecting applications from vulnerabilities and attacks by controlling what can access the cluster, how workloads interact, their privileges, and the flow of traffic.

Effective Kubernetes security requires coordination across the broader cloud environment, including [securing CI/CD pipelines](https://www.paloaltonetworks.com/cyberpedia/what-is-ci-cd-security?ts=markdown), hardened infrastructure, identity management, and monitoring systems that detect drift and anomalous behavior in production.

### Infrastructure

Kubernetes runs on infrastructure (e.g., AWS, Azure), and that infrastructure needs strong baseline security standards such as hardened OS, [IAM](https://www.paloaltonetworks.com/cyberpedia/what-is-identity-and-access-management?ts=markdown) controls, encrypted disks, etc. to prevent Kubernetes from inheriting concerns like node compromise and insecure storage.

If the infrastructure underlying the Kubernetes cluster is weak or vulnerable, the cluster is weak or vulnerable.

### Application

At the application layer, Kubernetes [orchestrates](https://www.paloaltonetworks.com/cyberpedia/what-is-orchestration-security?ts=markdown) your containers. Exposed ports and excessive permissions in your Kubernetes configuration can expose your app to compromise.

In 2022, [nearly a quarter million Kubernetes clusters were publicly exposed](https://www.darkreading.com/cyberattacks-data-breaches/exposed-kubernetes-clusters-kubelet-ports-can-be-abused-in-cyberattacks) through the default port 10250 used by the kubelet (the agent that runs on each node and ensures that all containers are running in a pod). Attackers can use this as an entry point to mine for crypto or execute commands inside containers or clusters. This vulnerability has its own [MITRE ATT\&CK framework](https://www.paloaltonetworks.com/cyberpedia/what-is-mitre-attack?ts=markdown) designation: [T1609](https://attack.mitre.org/techniques/T1609/) - Container Admin Command.

### CI/CD

Orchestration begins in your CI/CD pipeline, automating the testing, building, and deployment stages of the application lifecycle. Because Kubernetes deploys code, the CI/CD pipelines that produce that code should be secure via image scanning, configuration validation, and signed manifests.

* Image scanning such as [SAST](https://www.paloaltonetworks.com/cyberpedia/what-is-sast-static-application-security-testing?ts=markdown) and [SCA](https://www.paloaltonetworks.com/cyberpedia/what-is-sca?ts=markdown) help find weaknesses in your images early, before they replicate across all containers instantiated from the vulnerable image and enter runtime.
* Configuration validation ensures that the settings and instructions within a CI/CD pipeline's configuration file are correctly structured and free from errors. This prevents issues during the build, test, and deployment stages.
* Signed manifests verify your software packages and configurations are authentic and haven't been tampered with or altered. Manifests should be signed with a private key belonging to a trusted entity.

**Related Article** : [Improper Artifact Integrity Validation](https://www.paloaltonetworks.com/cyberpedia/improper-artifact-integrity-validation-cicd-sec9?ts=markdown)

### Networks and APIs

Kubernetes uses a [flat network model](https://kubernetes.io/docs/concepts/cluster-administration/networking/), allowing pods to freely communicate within the cluster by default. Default settings, however, are typically less than ideal. In this case, the default enables attackers who compromise one pod to freely access all other resources in the cluster.

Network policies, such as virtual firewalls, secure Kubernetes pod-to-pod communications. Security teams should limit communication to the minimum necessary for workloads to function both ingress and egress and east-west traffic within the cluster.

Kubernetes usually employs service meshes like [Istio](https://istio.io/) and [Linkerd](https://linkerd.io/) to manage internal service-to-service traffic. This exposes APIs through ingress controllers and load balancers, so security depends on proper rules and protections within the mesh.

Use TLS to encrypt and secure communications for data transmitted over a network, [web application firewalls (WAFs)](https://www.paloaltonetworks.com/cyberpedia/what-is-a-web-application-firewall?ts=markdown) help enforce rate limiting and enforce zero trust to ensure that only the necessary permissions are granted to each specific element.

### Identity and Access Management

Kubernetes comes with its own role based access controls, but it also ties into [CIEM](https://www.paloaltonetworks.com/cyberpedia/what-is-ciem?ts=markdown) and SSO/IDP systems. Because Kubernetes supports so many authentication methods, managing them through RBAC alone can be complex, resulting in oversights that could expose the cluster.

[Kubernetes identity controls](https://www.gitguardian.com/nhi-hub/kubernetes-identity-management-best-practices-and-security-controls) must be tailored to fit the organization's broader policies and include IAM security procedures and zero trust enforcement, to ensure only authorized entities can interact with the cluster.

## 7 Common Kubernetes Security Mistakes

Even one of these common security mistakes and vulnerabilities found in Kubernetes deployments can cause data breaches, allow malicious actors access to vital resources, and cost your business in downtime and regulatory fines.

1. **Default security settings**: While Kubernetes comes out-of-the-box with many controls to allow for security, the complex default configurations and settings aren't secure enough.
2. **Misconfigurations**: Kubernetes' default settings leave clusters overly permissive, making misconfigurations one of the biggest threats. Admin-level privileges are granted too freely, and public dashboards are exposed.
3. **Exposed APIs**: If the Kubernetes API server is exposed or misconfigured, attackers can gain full cluster control, particularly if strong network policies haven't been enacted.
4. **Root permissions**: Similarly, running containers as root users or with unnecessary capabilities breaks container isolation, giving attackers more ways to persist or cause damage.
5. **Disabled or poor encryption**: Kubernetes secrets are base 64-encoded, but not encrypted by default, so make sure to enable encryption at rest. Teams may also store secrets (like API keys and passwords) in plaintext or ConfigMaps, making them easy pickings for attackers.
6. **Poor network segmentation**: Kubernetes security can be compromised without adequate network segmentation. By default, every pod in a cluster can communicate, making lateral movement easy for attackers.
7. **Lack of logging and monitoring**: Kubernetes clusters generate logs at various levels automatically. However, you might fail to detect suspicious activities and potential breaches if you aren't monitoring and reporting on these logs, as teams can't see into pod behavior, API usage, and audit logs.

## Kubernetes Security Best Practices

Organizations are continuously working to improve Kubernetes security, both internally and in the open-source project. These Kubernetes security best practices have been identified over many years to address key security issues in a Kubernetes environment.

### RBAC/Least Privilege

Enable [role-based access control (RBAC)](https://kubernetes.io/docs/reference/access-authn-authz/rbac/) to limit the access an attacker can gain to the cluster if they compromise one account. When users and accounts are given excessive trust, they increase the attack surface. To mitigate this, create Roles or ClusterRoles, which contain rules representing permissions. A Role sets permissions within a particular namespace. ClusterRoles can grant the same permissions as a Role, but they're cluster-scoped instead of namespace-scoped, meaning they provide access to cluster-scoped resources, nonresource endpoints, and namespaced resources across all namespaces.

Bind these Roles/ClusterRoles to users, groups, and/or service accounts --- and apply [least privilege](https://www.paloaltonetworks.com/cyberpedia/what-is-least-privilege-access?ts=markdown). Support the principle of least privilege by adding namespaces for resource isolation, applying pod security policies, and securely managing secrets.

### Use Pod Security Admission (PSA)

[PSA](https://kubernetes.io/docs/concepts/security/pod-security-admission/) enforces security standards on pod definitions at creation, helping you define how to restrict pod behavior. Prevent risky pod configurations using three pod security levels: privileged, baseline, and restricted.

* **Privileged**: Unrestricted, with the widest level of permissions, and allows for known privilege escalations. Intended for trusted users managing system- and infrastructure-level workloads.
* **Baseline**: Minimal restrictions and prevents known privilege escalations. Intended for application operators and noncritical app developers.
* **Restricted**: Heavy restrictions. Intended for security-critical app developers and operators, and lower-trust users.

You can also choose what mode PSA operates in when it detects a potential violation. Enforce rejects a pod, audit allows a pod but triggers an audit annotation to be added to the event and warn allows a pod but triggers a user-facing warning.

### Implement Network Policies

By default, Kubernetes pods aren't isolated. They accept traffic from any source. Network policies act as a mini firewall inside your cluster, controlling which pods can talk to which pods. Without policies, all pods can talk to each other, and an attacker in one pod can easily move laterally.

You can also use [service meshes](https://glossary.cncf.io/service-mesh/) (like Istio or Linkerd) to manage communication between services (clusters, pods, externally, etc.). They add observability, reliability, and security features across all services within the mesh, without needing to encode the features directly into each service.

### Encrypt Secrets and etcd

Secrets contain the necessary information to decrypt data you've protected through encryption and are often stored in [etcd](https://etcd.io/docs/), a key value store used by Kubernetes for all cluster data. Storing secrets as plaintext or ConfigMaps hands attackers the keys to your Kubernetes kingdom.

Use the advanced encryption standard (AES) to [encrypt secrets and other sensitive data](https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/) stored in etcd at rest. Kubernetes offers built-in support for secrets, but you can also integrate external [secrets management](https://www.paloaltonetworks.com/cyberpedia/secrets-management?ts=markdown) solutions with stronger security features.

### Restrict Access to the Kubernetes API

The API server is the nucleus of your cluster and should only be accessed by trusted users, systems, and IPs. Use TLS to encrypt communications, firewalls and network policies to restrict IP ranges, enforce authentication and authorization, and use audit logs to track access. If integrating with SSO, be sure to enable \[mTLS\](https://builtin.com/software-engineering-perspectives/mutual-tls-tutorial#:~:text=Mutual%20transport%20layer%20security%20(mTLS,Image%3A%20Shutterstock%20%2F%20Built%20In)and [OIDC](https://openid.net/developers/how-connect-works/). The Kubernetes API should be your most protected and monitored resource.

### Use Image Scanning Tools

Your containers, clusters, and pods should be scanned to identify vulnerabilities, but manual scanning is time-consuming and inefficient. Image scanning tools automatically review containers, container images, image registries, and dependencies for [CVEs](https://www.cve.org/) and misconfigurations. Run scans at multiple levels during CI/CD:

* **Build**: As part of the build process, run scans to discover vulnerabilities. If one is detected, the build should fail, preventing the image vulnerability from reaching production.
* **Registry**: Scan images of software packages after the build is complete, as some vulnerabilities can't be detected during the build phase.
* **Predeployment**: Before deploying an image, scan it for vulnerabilities. Kubernetes allows you to call admission webhooks when deploying new workloads, automating the scanning process.
* **Runtime Workload**: If an image has passed all the previous scans, it will likely be placed into production. Implement scanning to detect vulnerabilities in the running workload as one added layer of protection.

Always block deployments with high-severity CVEs to avoid shipping containers with outdated libraries, rootkits, or cryptominers.

### Regularly Audit Cluster Configurations

Auditing allows administrators of Kubernetes environments to review a sequence of actions in a cluster and answer who/what/when/where/why/how questions about certain events. Kubernetes provides native auditing features that continuously log, monitor, and audit all activities to identify vulnerabilities and threats. [CNAPPs](https://www.paloaltonetworks.com/cyberpedia/what-is-a-cloud-native-application-protection-platform?ts=markdown) and other security tools like [EDR](https://www.paloaltonetworks.com/cyberpedia/what-is-endpoint-detection-and-response-edr?ts=markdown) also offer continuous logging, monitoring, and auditing of activities to identify vulnerabilities and threats,

### Monitor with a Cloud Workload Protection Platform (CWPP)

[Cloud workload protection platforms (CWPPs)](<https://www.paloaltonetworks.com/cyberpedia/what-is-cwpp-cloud-workload-protection-platform#:~:text=A%20cloud%20workload%20protection%20platform%20(CWPP)%20is%20a%20security%20solution,confidentiality%20and%20availability%20of%20workloads.?ts=markdown>) protect workloads by providing visibility into activity, detecting threats, and applying security policies across various environments. They offer container firewalling and forensics and use machine learning and rules-based threat detection to respond with precision.

## Kubernetes Security FAQs

### What is image provenance?

Image provenance establishes the verifiable origin, authorship, and integrity of a container image throughout the software supply chain. It includes cryptographic signatures, build metadata, and policy-enforced attestations. Provenance enables enforcement of trusted sources, image immutability, and compliance validation during deployment and runtime policy evaluation.

### What is mutual TLS in a service mesh?

Mutual TLS (mTLS) authenticates both ends of a connection and encrypts all service-to-service traffic within the mesh. Proxies manage certificate issuance, rotation, and validation automatically, using a built-in certificate authority. mTLS eliminates implicit trust between services and ensures traffic can't be intercepted or spoofed.

### What is a sidecar proxy?

A sidecar proxy runs alongside a workload inside the same pod, intercepting all inbound and outbound traffic. It offloads authentication, encryption, routing, and telemetry to the mesh's data plane, which abstracts network security from application logic and centralizes policy enforcement at runtime.

### What is a node proxy?

A node proxy, commonly kube-proxy, routes service traffic across nodes. It manages virtual IPs and forwards packets to the correct pod using iptables, IPVS, or eBPF.

### What is a runtime class in Kubernetes?

A runtime class selects the container runtime for a pod, enabling a cluster to support multiple runtimes. Administrators can isolate workloads by applying different runtimes like gVisor or Kata for sandboxing, while performance-sensitive workloads can use native runtimes. Runtime class is specified in the pod spec.

### What is seccomp in Kubernetes?

Seccomp filters system calls made by containers, reducing the Linux kernel's attack surface. Kubernetes allows administrators to apply seccomp profiles to pods, restricting the available syscalls. Profiles can be unconfined, runtime default, or custom, and they integrate with container runtimes through the pod's securityContext.

### What is AppArmor?

AppArmor enforces per-container security policies at the kernel level using path-based access control. It restricts file and capability usage based on predefined profiles. Kubernetes enables AppArmor via annotations when the host OS supports it, offering an additional layer of mandatory access control alongside other hardening tools.

### What is SELinux?

SELinux (Security-Enhanced Linux) enforces mandatory access controls using a label-based policy model tied directly to kernel objects. It restricts process capabilities based on context, not user identity, and operates in one of three modes: enforcing, permissive, or disabled. SELinux isolates containers beyond filesystem namespaces, improving workload confinement.

### What is CRI-O?

CRI-O is a lightweight, Kubernetes-native container runtime built to comply with the Container Runtime Interface (CRI). It integrates directly with Kubernetes and uses Open Container Initiative (OCI) standards for images and runtime operations. CRI-O removes Docker dependencies and supports low-level runtimes like runc and Kata Containers.

### What is containerd?

Containerd is an industry-standard container runtime that manages image lifecycles, storage, execution, and low-level networking. It operates under Kubernetes via the CRI plugin, offering a daemon-based architecture with strong separation between runtime logic and orchestration layers. Containerd forms the core of Docker's runtime engine but also runs standalone in production clusters.

### What is a sandboxed container?

A sandboxed container isolates workloads using an additional layer of virtualization, such as lightweight VMs or user-space kernel emulation. It provides stronger boundaries than namespaces and cgroups alone. Technologies like gVisor, Kata Containers, or Firecracker implement sandboxing to mitigate kernel escape and container breakout attacks.

### What is keyless signing?

Keyless signing uses short-lived ephemeral keys tied to an identity provider, eliminating the need for developers to manage static private keys. During signing, a certificate authority issues an identity-bound certificate, and transparency logs record the signature. Keyless methods improve auditability and reduce long-term key compromise risk.

### What is a cosign policy?

A cosign policy defines rules for validating container images using the Cosign tool, including required signatures, trusted certificate authorities, and attestation conditions. Integrated with Kubernetes admission control, cosign policies enforce provenance checks during deployment, blocking unverified or unsigned artifacts based on defined trust constraints.

### What is Sigstore?

Sigstore is a suite of open-source tools for signing, verifying, and storing software artifacts. It supports transparency logs, keyless signatures, and identity-bound attestations using OIDC. Sigstore integrates with CI/CD pipelines and Kubernetes admission controllers to secure supply chains without managing long-lived signing keys.

### What is SPIFFE?

SPIFFE (Secure Production Identity Framework for Everyone) defines a standard for issuing identity documents --- called SVIDs --- to workloads using X.509 certificates or JWTs. These identities are scoped by trust domains and verified via mTLS. SPIFFE enables workload authentication without secrets, using strong cryptographic identity across distributed systems.

### What is SPIRE?

SPIRE (SPIFFE Runtime Environment) is a production-grade implementation of the SPIFFE specification. It consists of a server and node agents that automate workload identity issuance, manage trust bundles, and integrate with cloud platforms, container runtimes, and orchestrators. SPIRE securely binds identity to workloads using attested platform metadata.

### What is Kubernetes PKI?

Kubernetes uses a public key infrastructure to secure communication between cluster components. The control plane issues and manages X.509 certificates for the API server, kubelets, controllers, and other agents. PKI ensures mutual TLS, verifies component identity, and underpins secure admission, authentication, and cluster bootstrapping.
Related Content  
[The Definitive Guide to Container Security
From host operating system to intricate Kubernetes configurations, this expansive guide equips you with the tools to secure every layer of your containerized environment.](https://www.paloaltonetworks.com/resources/ebooks/container-security-definitive-guide?ts=markdown)  
[Kubernetes Fundamentals
This guide by The New Stack imparts a foundational understanding of Kubernetes, how it delivers the capabilities of cloud-scale computing, its adoption patterns and its role in a c...](https://www.paloaltonetworks.com/resources/ebooks/the-state-of-the-kubernetes-ecosystem?ts=markdown)  
[Container \& Kubernetes Security
Secure Kubernetes® and other container platforms on any public or private cloud, from code to cloud with Cortex Cloud.](https://www.paloaltonetworks.com/cortex/cloud/container-security?ts=markdown)  
[Container Security 101
Container Security 101 will give you a fundamental understanding of what containers are and why they're so important in cloud security.](https://www.paloaltonetworks.com/resources/ebooks/container-security-101?ts=markdown)  
![Share page on facebook](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/resources/facebook-circular-icon.svg) ![Share page on linkedin](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/resources/linkedin-circular-icon.svg) [![Share page by an email](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/resources/email-circular-icon.svg)](mailto:?subject=What%20Is%20Kubernetes%20Security%3F&body=Kubernetes%20security%20protects%20containerized%20applications%20by%20securing%20orchestration%2C%20infrastructure%2C%20APIs%2C%20and%20access%20to%20ensure%20resilience%2C%20compliance%2C%20and%20zero%20trust.%20at%20https%3A//www.paloaltonetworks.com/cyberpedia/kubernetes-security)  
Back to Top  
[Previous](https://www.paloaltonetworks.com/cyberpedia/runtime-security?ts=markdown) What Is Container Runtime Security?  
[Next](https://www.paloaltonetworks.com/cyberpedia/kubernetes-multicloud-management?ts=markdown) Multicloud Management with Al and Kubernetes  
{#footer}

## Products and Services

* [AI-Powered Network Security Platform](https://www.paloaltonetworks.com/network-security?ts=markdown)

* [Secure AI by Design](https://www.paloaltonetworks.com/precision-ai-security/secure-ai-by-design?ts=markdown)

* [Prisma AIRS](https://www.paloaltonetworks.com/prisma/prisma-ai-runtime-security?ts=markdown)

* [AI Access Security](https://www.paloaltonetworks.com/sase/ai-access-security?ts=markdown)

* [Cloud Delivered Security Services](https://www.paloaltonetworks.com/network-security/security-subscriptions?ts=markdown)

* [Advanced Threat Prevention](https://www.paloaltonetworks.com/network-security/advanced-threat-prevention?ts=markdown)

* [Advanced URL Filtering](https://www.paloaltonetworks.com/network-security/advanced-url-filtering?ts=markdown)

* [Advanced WildFire](https://www.paloaltonetworks.com/network-security/advanced-wildfire?ts=markdown)

* [Advanced DNS Security](https://www.paloaltonetworks.com/network-security/advanced-dns-security?ts=markdown)

* [Enterprise Data Loss Prevention](https://www.paloaltonetworks.com/sase/enterprise-data-loss-prevention?ts=markdown)

* [Enterprise IoT Security](https://www.paloaltonetworks.com/network-security/enterprise-device-security?ts=markdown)

* [Medical IoT Security](https://www.paloaltonetworks.com/network-security/medical-device-security?ts=markdown)

* [Industrial OT Security](https://www.paloaltonetworks.com/network-security/medical-device-security?ts=markdown)

* [SaaS Security](https://www.paloaltonetworks.com/sase/saas-security?ts=markdown)

* [Next-Generation Firewalls](https://www.paloaltonetworks.com/network-security/next-generation-firewall?ts=markdown)

* [Hardware Firewalls](https://www.paloaltonetworks.com/network-security/hardware-firewall-innovations?ts=markdown)

* [Software Firewalls](https://www.paloaltonetworks.com/network-security/software-firewalls?ts=markdown)

* [Strata Cloud Manager](https://www.paloaltonetworks.com/network-security/strata-cloud-manager?ts=markdown)

* [SD-WAN for NGFW](https://www.paloaltonetworks.com/network-security/sd-wan-subscription?ts=markdown)

* [PAN-OS](https://www.paloaltonetworks.com/network-security/pan-os?ts=markdown)

* [Panorama](https://www.paloaltonetworks.com/network-security/panorama?ts=markdown)

* [Secure Access Service Edge](https://www.paloaltonetworks.com/sase?ts=markdown)

* [Prisma SASE](https://www.paloaltonetworks.com/sase?ts=markdown)

* [Application Acceleration](https://www.paloaltonetworks.com/sase/app-acceleration?ts=markdown)

* [Autonomous Digital Experience Management](https://www.paloaltonetworks.com/sase/adem?ts=markdown)

* [Enterprise DLP](https://www.paloaltonetworks.com/sase/enterprise-data-loss-prevention?ts=markdown)

* [Prisma Access](https://www.paloaltonetworks.com/sase/access?ts=markdown)

* [Prisma Browser](https://www.paloaltonetworks.com/sase/prisma-browser?ts=markdown)

* [Prisma SD-WAN](https://www.paloaltonetworks.com/sase/sd-wan?ts=markdown)

* [Remote Browser Isolation](https://www.paloaltonetworks.com/sase/remote-browser-isolation?ts=markdown)

* [SaaS Security](https://www.paloaltonetworks.com/sase/saas-security?ts=markdown)

* [AI-Driven Security Operations Platform](https://www.paloaltonetworks.com/cortex?ts=markdown)

* [Cloud Security](https://www.paloaltonetworks.com/cortex/cloud?ts=markdown)

* [Cortex Cloud](https://www.paloaltonetworks.com/cortex/cloud?ts=markdown)

* [Application Security](https://www.paloaltonetworks.com/cortex/cloud/application-security?ts=markdown)

* [Cloud Posture Security](https://www.paloaltonetworks.com/cortex/cloud/cloud-posture-security?ts=markdown)

* [Cloud Runtime Security](https://www.paloaltonetworks.com/cortex/cloud/runtime-security?ts=markdown)

* [Prisma Cloud](https://www.paloaltonetworks.com/prisma/cloud?ts=markdown)

* [AI-Driven SOC](https://www.paloaltonetworks.com/cortex?ts=markdown)

* [Cortex XSIAM](https://www.paloaltonetworks.com/cortex/cortex-xsiam?ts=markdown)

* [Cortex XDR](https://www.paloaltonetworks.com/cortex/cortex-xdr?ts=markdown)

* [Cortex XSOAR](https://www.paloaltonetworks.com/cortex/cortex-xsoar?ts=markdown)

* [Cortex Xpanse](https://www.paloaltonetworks.com/cortex/cortex-xpanse?ts=markdown)

* [Unit 42 Managed Detection \& Response](https://www.paloaltonetworks.com/cortex/managed-detection-and-response?ts=markdown)

* [Managed XSIAM](https://www.paloaltonetworks.com/cortex/managed-xsiam?ts=markdown)

* [Threat Intel and Incident Response Services](https://www.paloaltonetworks.com/unit42?ts=markdown)

* [Proactive Assessments](https://www.paloaltonetworks.com/unit42/assess?ts=markdown)

* [Incident Response](https://www.paloaltonetworks.com/unit42/respond?ts=markdown)

* [Transform Your Security Strategy](https://www.paloaltonetworks.com/unit42/transform?ts=markdown)

* [Discover Threat Intelligence](https://www.paloaltonetworks.com/unit42/threat-intelligence-partners?ts=markdown)

## Company

* [About Us](https://www.paloaltonetworks.com/about-us?ts=markdown)
* [Careers](https://jobs.paloaltonetworks.com/en/)
* [Contact Us](https://www.paloaltonetworks.com/company/contact-sales?ts=markdown)
* [Corporate Responsibility](https://www.paloaltonetworks.com/about-us/corporate-responsibility?ts=markdown)
* [Customers](https://www.paloaltonetworks.com/customers?ts=markdown)
* [Investor Relations](https://investors.paloaltonetworks.com/)
* [Location](https://www.paloaltonetworks.com/about-us/locations?ts=markdown)
* [Newsroom](https://www.paloaltonetworks.com/company/newsroom?ts=markdown)

## Popular Links

* [Blog](https://www.paloaltonetworks.com/blog/?ts=markdown)
* [Communities](https://www.paloaltonetworks.com/communities?ts=markdown)
* [Content Library](https://www.paloaltonetworks.com/resources?ts=markdown)
* [Cyberpedia](https://www.paloaltonetworks.com/cyberpedia?ts=markdown)
* [Event Center](https://events.paloaltonetworks.com/)
* [Manage Email Preferences](https://start.paloaltonetworks.com/preference-center)
* [Products A-Z](https://www.paloaltonetworks.com/products/products-a-z?ts=markdown)
* [Product Certifications](https://www.paloaltonetworks.com/legal-notices/trust-center/compliance?ts=markdown)
* [Report a Vulnerability](https://www.paloaltonetworks.com/security-disclosure?ts=markdown)
* [Sitemap](https://www.paloaltonetworks.com/sitemap?ts=markdown)
* [Tech Docs](https://docs.paloaltonetworks.com/)
* [Unit 42](https://unit42.paloaltonetworks.com/)
* [Do Not Sell or Share My Personal Information](https://panwedd.exterro.net/portal/dsar.htm?target=panwedd)
  ![PAN logo](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/pan-logo-dark.svg)
* [Privacy](https://www.paloaltonetworks.com/legal-notices/privacy?ts=markdown)
* [Trust Center](https://www.paloaltonetworks.com/legal-notices/trust-center?ts=markdown)
* [Terms of Use](https://www.paloaltonetworks.com/legal-notices/terms-of-use?ts=markdown)
* [Documents](https://www.paloaltonetworks.com/legal?ts=markdown)

Copyright © 2025 Palo Alto Networks. All Rights Reserved

* [![Youtube](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/youtube-black.svg)](https://www.youtube.com/user/paloaltonetworks)
* [![Podcast](https://www.paloaltonetworks.com/content/dam/pan/en_US/images/icons/podcast.svg)](https://www.paloaltonetworks.com/podcasts/threat-vector?ts=markdown)
* [![Facebook](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/facebook-black.svg)](https://www.facebook.com/PaloAltoNetworks/)
* [![LinkedIn](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/linkedin-black.svg)](https://www.linkedin.com/company/palo-alto-networks)
* [![Twitter](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/twitter-x-black.svg)](https://twitter.com/PaloAltoNtwks)
* EN  
  Select your language