Kubernetes Security Audit for Startups in India

Production Kubernetes cluster audit + hardening for Indian startups: RBAC review, network policies, admission controllers, supply-chain security, pod-security standards. Built for 3-15 node EKS / GKE / AKS clusters running real workloads, not enterprise mesh complexity.

5 days for the snapshot, 3 weeks for audit + remediation, plus optional monthly retainer for policy maintenance

The Problem

Most Indian startups run Kubernetes badly. Cluster created via the cloud Console with default RBAC (which gives every workload more permissions than it needs). No network policies (so a compromised pod can reach every other pod and exfiltrate data laterally). No admission controllers (so pods spin up with privileged access, host paths mounted, no resource limits). No image scanning in CI (so vulnerable container images ship to prod). The audit pattern is consistent: 80% of clusters fail at least 6 of the CIS Kubernetes Benchmark's high-severity controls. The fix isn't enterprise-grade service mesh — it's the basic guardrails that should have been there from cluster creation.

Who This Is For

Indian startups running production Kubernetes — typically 3-15 nodes on EKS / GKE / AKS, 10-50 engineers, with at least one workload that processes user data or hits the public internet. Especially relevant if you're approaching SOC 2 / ISO 27001 audit, or your cluster grew organically over 6-12 months without a security pass.

Typical Outcomes

  • All cluster-admin ServiceAccounts removed or scoped down — typical reduction is 60-80% of standing privileges
  • Default-deny network policies enforcing zero-trust posture between workloads
  • Privileged pod creation blocked at admission — no more accidental host-fs mounts shipping to prod
  • Container image vulnerabilities caught in CI before they ship, not in production by GuardDuty
  • API audit log queryable for any incident-investigation question (who did what, when, with which credentials)
  • CIS Kubernetes Benchmark score from typical 40-60% pre-audit to 85%+ post-engagement
  • Auditor evidence pack ready for SOC 2 / ISO 27001 / RBI VAPT scope

Timeline Options

K8s Security Snapshot (5 days)

  • RBAC audit + flagged over-privileged ServiceAccounts
  • CIS Kubernetes Benchmark gap analysis
  • Top 10 prioritized findings with severity + estimated fix time
  • 1-hour briefing with your platform team

Audit + Critical Remediation (3 weeks)

  • Everything in K8s Security Snapshot
  • Network policies deployed (default-deny + per-workload)
  • OPA Gatekeeper / Kyverno deployed with the top 8 policies
  • Trivy CI integration + private registry hardening
  • Audit logging enabled + log shipping configured
  • Documentation handover for your team to maintain

Audit + Full Remediation + Retainer (3 weeks + monthly)

  • Everything in Audit + Critical Remediation
  • Pod Security Standards enforcement + workload migration
  • Secrets migration to External Secrets Operator
  • Falco runtime detection deployed where appropriate
  • Monthly retainer: policy update reviews, RBAC drift detection, image vuln triage, CIS benchmark re-scoring

This might not be a fit if...

  • You're running a single-node test cluster or local k3s / kind for development only
  • You've already deployed Istio / Linkerd service mesh with full mTLS and a security team to maintain it
  • You want a service mesh implementation (mTLS, traffic shaping, observability) — that's a separate engagement; this audit covers the cluster-level controls beneath the mesh
  • Your cluster is on a managed PaaS (Render, Railway, Fly.io) where you don't have direct kubectl access

What You Get

  • RBAC audit — every ServiceAccount, Role, and ClusterRole reviewed for least privilege; flagged ServiceAccounts with cluster-admin or wildcard permissions; remediation manifests provided
  • Network policy implementation — default-deny baseline, then per-namespace + per-workload policies allowing only the traffic that actually needs to flow
  • Admission controller setup — OPA Gatekeeper or Kyverno with policies blocking privileged pods, hostPath mounts, missing resource limits, latest tags, and other top failure modes
  • Pod Security Standards enforcement — namespace-level restricted / baseline / privileged labels, with a migration plan for any workload that currently can't meet restricted
  • Image supply chain — Trivy scanning integrated into CI/CD, image signature verification (cosign), private registry hardening, removal of latest tags from production deployments
  • Secrets management — replacement of any plain Kubernetes Secret holding sensitive data with External Secrets Operator backed by AWS Secrets Manager / GCP Secret Manager / Azure Key Vault
  • Audit logging — Kubernetes API audit policy enabled and shipped to a centralized log store, queryable for incident investigation
  • etcd encryption verification — encryption at rest verified active, key rotation cadence documented
  • Node hardening — verified OS patching cadence, restricted SSH access, host-level CIS controls applied via DaemonSet (Falco for runtime detection where appropriate)
  • CIS Kubernetes Benchmark gap analysis — full benchmark scored, prioritized remediation roadmap, evidence pack for SOC 2 / ISO 27001 auditors

The Transformation

Before

  • Default RBAC — most workloads hold cluster-wide list-secrets permissions they don't need
  • No network policies — any pod can talk to any other pod, any namespace
  • No admission controllers — privileged pods, hostPath mounts, missing resource limits all permitted
  • Latest tags in production manifests — image-version drift on every pod restart
  • Plain Kubernetes Secrets holding API keys, AWS creds, database passwords
  • No K8s API audit log — incident investigation = guesswork

After

  • RBAC scoped to least privilege per workload, no wildcard permissions outside intentional break-glass
  • Default-deny network policy + explicit allow rules per workload pair, lateral movement blocked
  • OPA Gatekeeper / Kyverno enforcing top failure modes at admission
  • Image SHAs pinned in production, no surprise version drift
  • External Secrets Operator pulling from AWS Secrets Manager / equivalent, secrets never plain-text in etcd
  • K8s API audit log shipped to centralized store, every API call attributable

Engagement Models

Project-based

Fixed scope, fixed timeline, fixed price. Ideal for specific security initiatives.

Retainer

Ongoing support with priority response. Perfect for continuous security needs.

What influences pricing?

  • Team size and environment complexity
  • Timeline and urgency requirements
  • Scope of systems and platforms
  • Ongoing support and maintenance needs
