Managed Kubernetes changed the security equation in a subtle way: the cloud provider now runs and patches the control plane, but everything above the API server — your workloads, RBAC, network policy, and how pods get cloud credentials — is still yours. Teams routinely misread that line, assuming "managed" means "secured," and end up running privileged pods with node-level cloud permissions inside a flat network. EKS, AKS, and GKE each solve the same problems with different primitives, and knowing the equivalents keeps you from leaving a gap when you run more than one. This guide walks the shared controls and shows the per-cloud mechanism for each.
Know Where the Shared Responsibility Line Falls
On all three platforms, the provider secures and upgrades the managed control plane (the API server, etcd, scheduler). You are responsible for worker node configuration (except in fully managed modes like GKE Autopilot), Kubernetes RBAC, network policy, workload hardening, and the images you run. GKE Autopilot shifts more node responsibility to Google; EKS Fargate and AKS with virtual nodes do similar for specific workloads. Everywhere else, node hardening is on you.
Give Pods Cloud Credentials the Right Way
The worst pattern is letting pods inherit the node's cloud identity — a compromised pod then has whatever the node role holds. Every provider has a purpose-built way to scope credentials to a pod instead:
- EKS — IAM Roles for Service Accounts (IRSA) or EKS Pod Identity, binding an IAM role to a Kubernetes service account so only pods using that SA get the role.
- AKS — Microsoft Entra Workload ID, federating a Kubernetes service account to an Entra application/managed identity.
- GKE — Workload Identity, binding a Kubernetes service account to a Google service account.
# GKE Workload Identity: the SA a pod runs as maps to a Google SA
apiVersion: v1
kind: ServiceAccount
metadata:
name: orders-api
namespace: prod
annotations:
iam.gke.io/gcp-service-account: orders-api@my-project.iam.gserviceaccount.com
Whichever platform, the rule is the same: scope the cloud role to exactly what the pod needs, and never rely on the node role for workload permissions.
Default-Deny the Network
A fresh cluster lets every pod talk to every other pod. Apply a default-deny NetworkPolicy per namespace and open only the flows you need. On GKE and AKS this requires a network policy-capable dataplane (GKE Dataplane V2 / Cilium, Azure CNI with network policy); on EKS you need a CNI that enforces policy, such as the VPC CNI with policy support or Cilium.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: default-deny-ingress
namespace: prod
spec:
podSelector: {}
policyTypes: ["Ingress"]
Enforce Pod Security Standards
PodSecurityPolicy was removed in Kubernetes 1.25; the replacement is Pod Security Standards enforced by the built-in Pod Security Admission controller, or a policy engine like Kyverno or OPA Gatekeeper for richer rules. Enforce the restricted profile on application namespaces so pods can't run privileged, as root, or with host namespaces.
apiVersion: v1
kind: Namespace
metadata:
name: prod
labels:
pod-security.kubernetes.io/enforce: restricted
pod-security.kubernetes.io/enforce-version: latest
Lock Down RBAC and the API Endpoint
Scope Kubernetes RBAC to Roles in namespaces rather than ClusterRoles wherever possible, and never bind cluster-admin to a service account used by a workload. Restrict access to the API server: EKS supports private cluster endpoints, AKS supports private clusters and authorized IP ranges, and GKE supports private clusters with authorized networks. Integrate cluster authentication with the cloud IdP (Entra ID on AKS, IAM on EKS, Google identity on GKE) so access follows your central identity lifecycle.
Keep Nodes and the Cluster Patched
"Managed" covers the control plane, but the version lifecycle is still partly yours. Kubernetes minor versions age out of support on all three platforms, and a cluster left on an unsupported version stops receiving security patches. Enable automatic node OS upgrades and set up node auto-upgrade (or use Autopilot/managed node groups that handle it) so worker nodes pick up kernel and container-runtime fixes without manual intervention. Track control-plane version support windows and plan upgrades before a version reaches end of life — falling behind forces a rushed multi-version jump later, which is far riskier than staying current. Base image freshness matters just as much: a node can be fully patched while the containers on it run a months-old image full of known CVEs.
Cross-Cloud Control Map
| Control | EKS | AKS | GKE |
|---|---|---|---|
| Pod-scoped cloud creds | IRSA / Pod Identity | Entra Workload ID | Workload Identity |
| Network policy dataplane | VPC CNI policy / Cilium | Azure CNI / Cilium | Dataplane V2 (Cilium) |
| Private API endpoint | Private cluster | Private cluster / IP ranges | Private cluster + authorized nets |
| Managed node hardening | Fargate (partial) | Virtual nodes (partial) | Autopilot |
| Benchmark | CIS EKS | CIS AKS | CIS GKE |
How Safeguard Helps
Most of what breaks a managed cluster is decided in YAML and Dockerfiles that get reviewed in a pull request. Safeguard's infrastructure-as-code scanning reads your Kubernetes manifests and Terraform for privileged pods, missing securityContext hardening, cluster-admin bindings, and absent network policies — flagged against the exact line before merge, so the restricted-profile violation never reaches the cluster. The images your pods run are checked by container image scanning for vulnerable packages and root execution, and the application dependencies inside them by software composition analysis with reachability analysis, so you know which running pods actually reach a given CVE. Griffin, Safeguard's AI triage engine, ranks findings by real exposure across your EKS, AKS, and GKE fleet. Because it runs inside your pipeline, an insecure manifest can be blocked at merge rather than discovered live in the cluster. Teams weighing this build-time model against a runtime container platform often review the Safeguard vs Aqua comparison.
Harden your clusters before they deploy — get started free or read the documentation.