Safeguard
Cloud Security

Securing Managed Kubernetes: EKS, AKS, and GKE Compared

A cross-cloud guide to hardening managed Kubernetes — the shared responsibility line, cloud IAM-to-pod integration, network policy, Pod Security Standards, and node hardening across EKS, AKS, and GKE.

Marcus Chen
Cloud Security Engineer
5 min read

Managed Kubernetes changed the security equation in a subtle way: the cloud provider now runs and patches the control plane, but everything above the API server — your workloads, RBAC, network policy, and how pods get cloud credentials — is still yours. Teams routinely misread that line, assuming "managed" means "secured," and end up running privileged pods with node-level cloud permissions inside a flat network. EKS, AKS, and GKE each solve the same problems with different primitives, and knowing the equivalents keeps you from leaving a gap when you run more than one. This guide walks the shared controls and shows the per-cloud mechanism for each.

Know Where the Shared Responsibility Line Falls

On all three platforms, the provider secures and upgrades the managed control plane (the API server, etcd, scheduler). You are responsible for worker node configuration (except in fully managed modes like GKE Autopilot), Kubernetes RBAC, network policy, workload hardening, and the images you run. GKE Autopilot shifts more node responsibility to Google; EKS Fargate and AKS with virtual nodes do similar for specific workloads. Everywhere else, node hardening is on you.

Give Pods Cloud Credentials the Right Way

The worst pattern is letting pods inherit the node's cloud identity — a compromised pod then has whatever the node role holds. Every provider has a purpose-built way to scope credentials to a pod instead:

  • EKS — IAM Roles for Service Accounts (IRSA) or EKS Pod Identity, binding an IAM role to a Kubernetes service account so only pods using that SA get the role.
  • AKS — Microsoft Entra Workload ID, federating a Kubernetes service account to an Entra application/managed identity.
  • GKE — Workload Identity, binding a Kubernetes service account to a Google service account.
# GKE Workload Identity: the SA a pod runs as maps to a Google SA
apiVersion: v1
kind: ServiceAccount
metadata:
  name: orders-api
  namespace: prod
  annotations:
    iam.gke.io/gcp-service-account: orders-api@my-project.iam.gserviceaccount.com

Whichever platform, the rule is the same: scope the cloud role to exactly what the pod needs, and never rely on the node role for workload permissions.

Default-Deny the Network

A fresh cluster lets every pod talk to every other pod. Apply a default-deny NetworkPolicy per namespace and open only the flows you need. On GKE and AKS this requires a network policy-capable dataplane (GKE Dataplane V2 / Cilium, Azure CNI with network policy); on EKS you need a CNI that enforces policy, such as the VPC CNI with policy support or Cilium.

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: prod
spec:
  podSelector: {}
  policyTypes: ["Ingress"]

Enforce Pod Security Standards

PodSecurityPolicy was removed in Kubernetes 1.25; the replacement is Pod Security Standards enforced by the built-in Pod Security Admission controller, or a policy engine like Kyverno or OPA Gatekeeper for richer rules. Enforce the restricted profile on application namespaces so pods can't run privileged, as root, or with host namespaces.

apiVersion: v1
kind: Namespace
metadata:
  name: prod
  labels:
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/enforce-version: latest

Lock Down RBAC and the API Endpoint

Scope Kubernetes RBAC to Roles in namespaces rather than ClusterRoles wherever possible, and never bind cluster-admin to a service account used by a workload. Restrict access to the API server: EKS supports private cluster endpoints, AKS supports private clusters and authorized IP ranges, and GKE supports private clusters with authorized networks. Integrate cluster authentication with the cloud IdP (Entra ID on AKS, IAM on EKS, Google identity on GKE) so access follows your central identity lifecycle.

Keep Nodes and the Cluster Patched

"Managed" covers the control plane, but the version lifecycle is still partly yours. Kubernetes minor versions age out of support on all three platforms, and a cluster left on an unsupported version stops receiving security patches. Enable automatic node OS upgrades and set up node auto-upgrade (or use Autopilot/managed node groups that handle it) so worker nodes pick up kernel and container-runtime fixes without manual intervention. Track control-plane version support windows and plan upgrades before a version reaches end of life — falling behind forces a rushed multi-version jump later, which is far riskier than staying current. Base image freshness matters just as much: a node can be fully patched while the containers on it run a months-old image full of known CVEs.

Cross-Cloud Control Map

ControlEKSAKSGKE
Pod-scoped cloud credsIRSA / Pod IdentityEntra Workload IDWorkload Identity
Network policy dataplaneVPC CNI policy / CiliumAzure CNI / CiliumDataplane V2 (Cilium)
Private API endpointPrivate clusterPrivate cluster / IP rangesPrivate cluster + authorized nets
Managed node hardeningFargate (partial)Virtual nodes (partial)Autopilot
BenchmarkCIS EKSCIS AKSCIS GKE

How Safeguard Helps

Most of what breaks a managed cluster is decided in YAML and Dockerfiles that get reviewed in a pull request. Safeguard's infrastructure-as-code scanning reads your Kubernetes manifests and Terraform for privileged pods, missing securityContext hardening, cluster-admin bindings, and absent network policies — flagged against the exact line before merge, so the restricted-profile violation never reaches the cluster. The images your pods run are checked by container image scanning for vulnerable packages and root execution, and the application dependencies inside them by software composition analysis with reachability analysis, so you know which running pods actually reach a given CVE. Griffin, Safeguard's AI triage engine, ranks findings by real exposure across your EKS, AKS, and GKE fleet. Because it runs inside your pipeline, an insecure manifest can be blocked at merge rather than discovered live in the cluster. Teams weighing this build-time model against a runtime container platform often review the Safeguard vs Aqua comparison.

Harden your clusters before they deploy — get started free or read the documentation.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.