☸️ Kubernetes Deployment Review Checklist
Intro: This checklist gives a practical review flow for workload manifests, Helm charts, and deployment policy assumptions.
Best time to use this checklist
Use it when a new workload is introduced, a chart changes materially, or a service gains new privileges, exposure, or data sensitivity.
Stop-the-line conditions
- privileged or near-privileged workload settings (privileged: true, hostPID/hostNetwork/hostIPC, hostPath mounts, added capabilities such as SYS_ADMIN or NET_ADMIN, allowPrivilegeEscalation left enabled) without strong, documented justification;
- service account or cloud identity with excessive privilege, including a service account token mounted into a pod that never calls the API;
- missing network policy or namespace isolation where it matters, for example a workload that handles sensitive data but can reach any destination;
- no useful logs, runtime alerts, or audit trail for a sensitive workload, so a compromise would be neither noticed nor reconstructable.
Text-first review prompts
- What service account or workload identity does the workload run as, what RBAC and cloud IAM does that identity carry, and does the pod need the token mounted at all?
- Is the pod security context using safe defaults: runAsNonRoot, a read-only root filesystem, capabilities dropped with drop: [ALL], allowPrivilegeEscalation: false, and a seccompProfile of RuntimeDefault?
- What network paths can reach the workload (ingress, Service type, peer namespaces), and where can it reach out (other namespaces, the API server, the cloud metadata endpoint, the internet)?
- What secrets, config, and external systems does the workload depend on, and is sensitive material injected from Secret objects rather than baked into images or ConfigMaps?
- What runtime or audit signals would show suspicious behavior later (exec into the container, unexpected outbound connections, new processes, API calls made with its service account)?
- What admission or policy controls (Pod Security Admission, Kyverno, Gatekeeper) would stop dangerous manifest patterns before they reach the cluster?
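The identity and pod-security prompts above can be run mechanically against a manifest before a human looks at it. The following is an added example written for this page, not tooling from the checklist's author; it reads a Deployment in the JSON shape `kubectl get deploy NAME -o json` emits (so no YAML library is needed) and returns one finding per violated check. The two manifests, names, and images are constructed for illustration.

```python
"""Workload manifest review helper (added example, not the checklist's own tool).
Applies the identity and pod-security prompts to a Deployment held as Kubernetes
JSON, the shape of `kubectl get deploy NAME -o json`; a Helm-rendered YAML chart
would be loaded with PyYAML first."""
import json

# Capabilities that hand a container host-level control when added.
DANGEROUS_CAPS = {"ALL", "SYS_ADMIN", "NET_ADMIN", "SYS_PTRACE", "SYS_MODULE",
                  "DAC_READ_SEARCH", "BPF"}


def review_pod_spec(manifest: dict) -> list:
    """Return review findings for a Deployment/StatefulSet/DaemonSet manifest.
    An empty list means the pod template satisfied every check below."""
    findings = []
    spec = manifest.get("spec", {}).get("template", {}).get("spec", {})
    pod_ctx = spec.get("securityContext", {})

    # Identity: namespace default service account and automounted token.
    if spec.get("serviceAccountName", "default") == "default":
        findings.append("identity: runs as the namespace default service account")
    if spec.get("automountServiceAccountToken", True):
        findings.append("identity: service account token is automounted; set "
                        "automountServiceAccountToken: false unless the API is used")

    # Host namespaces and hostPath volumes are near-privileged on their own.
    for key in ("hostPID", "hostNetwork", "hostIPC"):
        if spec.get(key):
            findings.append(f"pod-security: {key} is enabled")
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            findings.append(f"pod-security: hostPath volume {vol['hostPath'].get('path')!r}")

    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name = c.get("name", "?")
        ctx = c.get("securityContext", {})

        def setting(field):
            # Container-level securityContext values override pod-level ones.
            return ctx[field] if field in ctx else pod_ctx.get(field)

        if ctx.get("privileged"):
            findings.append(f"{name}: privileged: true")
        if ctx.get("allowPrivilegeEscalation", True):
            findings.append(f"{name}: allowPrivilegeEscalation is not false")
        if not setting("runAsNonRoot") and setting("runAsUser") in (None, 0):
            findings.append(f"{name}: may run as root (runAsNonRoot/runAsUser unset)")
        if not ctx.get("readOnlyRootFilesystem"):
            findings.append(f"{name}: root filesystem is writable")
        caps = ctx.get("capabilities", {})
        if "ALL" not in caps.get("drop", []):
            findings.append(f"{name}: capabilities not dropped (drop: [ALL])")
        added = DANGEROUS_CAPS & set(caps.get("add", []))
        if added:
            findings.append(f"{name}: adds dangerous capabilities {sorted(added)}")
        if (setting("seccompProfile") or {}).get("type") not in ("RuntimeDefault", "Localhost"):
            findings.append(f"{name}: no seccomp profile (use RuntimeDefault)")
    return findings


# Constructed manifests for illustration; names and images are hypothetical.
WEAK = json.loads("""
{"apiVersion": "apps/v1", "kind": "Deployment",
 "metadata": {"name": "log-shipper", "namespace": "ops"},
 "spec": {"template": {"spec": {
   "hostPID": true,
   "volumes": [{"name": "dockersock", "hostPath": {"path": "/var/run/docker.sock"}}],
   "containers": [{"name": "shipper", "image": "example/shipper:1.2",
     "securityContext": {"privileged": true, "capabilities": {"add": ["SYS_ADMIN"]}}}]}}}}
""")

HARDENED = json.loads("""
{"apiVersion": "apps/v1", "kind": "Deployment",
 "metadata": {"name": "payments-api", "namespace": "payments"},
 "spec": {"template": {"spec": {
   "serviceAccountName": "payments-api",
   "automountServiceAccountToken": false,
   "securityContext": {"runAsNonRoot": true, "runAsUser": 10001,
                       "seccompProfile": {"type": "RuntimeDefault"}},
   "containers": [{"name": "api", "image": "example/payments-api:3.4",
     "securityContext": {"allowPrivilegeEscalation": false,
                         "readOnlyRootFilesystem": true,
                         "capabilities": {"drop": ["ALL"]}}}]}}}}
""")

if __name__ == "__main__":
    for m in (WEAK, HARDENED):
        print(m["metadata"]["name"], review_pod_spec(m) or ["OK"])
```

The weak manifest trips every check (a Docker-socket log shipper is the classic "near-privileged" pattern); the hardened one returns no findings. Treat the findings as review prompts rather than a verdict: a legitimate node agent may need hostPID, but the justification should be written down next to the exemption.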
Evidence table
| Control area | What to verify | Typical evidence |
|---|---|---|
| Identity | Service account and cloud identity are scoped correctly | manifest, IAM mapping |
| Pod security | Security context avoids avoidable privilege | deployment YAML, policy result |
| Networking | Ingress, egress, and namespace boundaries are intentional | network policy, service config |
| Secrets/config | Sensitive material is injected safely and minimally | secret refs, external secrets |
| Observability | Audit, runtime, and service telemetry exist | dashboard, Falco/Tetragon/KubeArmor config |
Common misses
- assuming cluster-level guardrails (Pod Security Admission, default-deny policies) remove the need to review workload manifests; exemptions and namespace labels change what actually applies;
- forgetting that egress to the cloud metadata endpoint (169.254.169.254), the API server, or internal services can become the real exploit path once a container is compromised;
- running on the namespace default service account, usually with its token automatically mounted;
- treating a rollout that passed CI and admission as the same thing as a secure deployment.
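The metadata-egress miss is easy to confirm from the NetworkPolicy objects alone. The following is an added example written for this page, not the checklist's own tooling; it evaluates whether a pod's effective egress policy set lets it reach 169.254.169.254 using standard NetworkPolicy semantics (no Egress-type policy selecting the pod means all egress is allowed; otherwise only destinations matched by a selected policy's egress rule are). Only matchLabels selectors and ipBlock peers are modelled, since podSelector and namespaceSelector peers cannot match an external IP. The namespace, labels, and policies are constructed.

```python
"""Egress review helper (added example, not the checklist's own tool).
Decides whether a pod can reach the cloud metadata endpoint under the
NetworkPolicy objects in its namespace, modelling matchLabels selectors and
ipBlock peers only."""
import ipaddress

METADATA_IP = "169.254.169.254"


def selects(selector: dict, labels: dict) -> bool:
    """matchLabels semantics; an empty selector matches every pod."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def policy_types(spec: dict) -> list:
    """policyTypes defaults to Ingress, plus Egress only if egress rules exist."""
    return spec.get("policyTypes") or (["Ingress"] + (["Egress"] if "egress" in spec else []))


def ipblock_allows(block: dict, ip: str) -> bool:
    """True if ip is inside block.cidr and not inside any block.except entry."""
    addr = ipaddress.ip_address(ip)
    if addr not in ipaddress.ip_network(block["cidr"], strict=False):
        return False
    return not any(addr in ipaddress.ip_network(x, strict=False) for x in block.get("except", []))


def egress_policies_for(pod_labels: dict, policies: list) -> list:
    """Egress-type policies whose podSelector matches the pod."""
    return [p for p in policies
            if selects(p["spec"].get("podSelector", {}), pod_labels)
            and "Egress" in policy_types(p["spec"])]


def egress_allowed(pod_labels: dict, policies: list, ip: str) -> bool:
    applicable = egress_policies_for(pod_labels, policies)
    if not applicable:
        return True  # unselected pod: Kubernetes default is allow-all egress
    for p in applicable:
        for rule in p["spec"].get("egress", []):
            peers = rule.get("to")
            if not peers:  # a rule without 'to' matches every destination
                return True
            if any("ipBlock" in peer and ipblock_allows(peer["ipBlock"], ip) for peer in peers):
                return True
    return False  # selected, but no rule admits this destination


def review_egress(pod_labels: dict, policies: list) -> list:
    findings = []
    if not egress_policies_for(pod_labels, policies):
        findings.append("networking: no egress NetworkPolicy selects this pod (all egress allowed)")
    if egress_allowed(pod_labels, policies, METADATA_IP):
        findings.append("networking: egress to 169.254.169.254 (cloud metadata) is allowed")
    return findings


# Constructed policies for a hypothetical 'payments' namespace.
POLICIES = [
    {"metadata": {"name": "default-deny"},
     "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]}},
    {"metadata": {"name": "api-egress"},
     "spec": {"podSelector": {"matchLabels": {"app": "payments-api"}},
              "policyTypes": ["Egress"],
              "egress": [{"to": [{"ipBlock": {"cidr": "0.0.0.0/0",
                                              "except": ["169.254.169.254/32", "10.0.0.0/8"]}}],
                          "ports": [{"port": 443, "protocol": "TCP"}]}]}},
    {"metadata": {"name": "worker-egress"},  # the common miss: 0.0.0.0/0 with no except list
     "spec": {"podSelector": {"matchLabels": {"app": "batch-worker"}},
              "policyTypes": ["Egress"],
              "egress": [{"to": [{"ipBlock": {"cidr": "0.0.0.0/0"}}]}]}},
]

if __name__ == "__main__":
    for labels in ({"app": "payments-api"}, {"app": "batch-worker"}, {"app": "orphan"}):
        print(labels, review_egress(labels, POLICIES) or ["OK"])
```

The payments-api pod reaches the internet but not the metadata endpoint; the batch-worker pod is selected by a policy, so a glance at "has a NetworkPolicy" would pass it, yet its 0.0.0.0/0 rule still exposes the metadata service. A pod matched only by the namespace default-deny is blocked. Ports are ignored here on purpose: the review question is reachability, and metadata services answer on 80 anyway.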
Related pages
- Kubernetes Baseline and Hardening
- Runtime Investigation Playbook for Kubernetes and Containers
- Kubernetes Network Policy Patterns
---
Author attribution: Ivan Piskunov, 2026. Educational and defensive-engineering use.