Container Runtime Hardening for DevOps: Reducing Attack Surface in Kubernetes Production Clusters
Abstract
Production Kubernetes environments are exposed to threats ranging from misconfigured permissions to compromised images. This study presents a container runtime hardening methodology that integrates least-privilege execution, workload isolation, image scanning gates, and runtime anomaly detection. The paper proposes a security baseline aligned with operational realities, emphasizing measurable risk reduction without disrupting delivery cadence. Results demonstrate fewer privilege escalation paths, improved control visibility, and lower mean time to containment during simulated compromise events.
Cite this article
(2023). Container Runtime Hardening for DevOps: Reducing Attack Surface in Kubernetes Production Clusters. Research Explorations in Global Knowledge & Technology (REGKT), 2(4). Retrieved from https://regkt.com/article.php?id=779&slug=container-runtime-hardening-devops-reducing-attack-surface-kubernetes-production-clusters