I audit Docker and Kubernetes workloads for security misconfigurations against the CIS Docker and Kubernetes Benchmarks and the NSA/CISA Kubernetes Hardening Guide, covering everything from container runtime settings to RBAC, network policies, and image security.
Review scope: workload manifests (containers running as root, missing resource limits, privileged containers, hostPID/hostNetwork misuse, writable root filesystems); RBAC configuration (over-permissive ClusterRoles, wildcard rules, unnecessary cluster-admin bindings); network policies (unrestricted pod-to-pod traffic, missing namespace isolation); container image security (base image vulnerabilities via Trivy/Grype, image provenance); and runtime security configuration (seccomp profiles, AppArmor, Falco rules).
Deliverables: CIS Benchmark score, severity-rated findings report with hardened manifest examples, remediation guidance, and recommended admission controller policies (OPA Gatekeeper or Kyverno) to prevent recurrence.
Works from exported YAML manifests or read-only access to a live cluster (a kubeconfig with get/list on the reviewed resources, RBAC objects included). Image scanning requires pull access to the registry.
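As an added illustration of the workload-manifest checks in the review scope above (example code written for this page, not the reviewer's own tooling and not a CIS or NSA/CISA reference implementation), the script below runs those checks over two constructed manifests: a weak Deployment and its hardened counterpart. The manifests are embedded as already-parsed dicts so the example runs without a YAML library; the severities and check names are illustrative labels, not CIS Benchmark recommendation numbers. It goes one step beyond the listed items by also flagging allowPrivilegeEscalation left unset, since both CIS and the NSA/CISA guide call for it to be false.

```python
"""Audit pod specs for the workload misconfigurations named in the review scope.

Added example: manifests below are constructed samples given as parsed dicts.
"""

# Constructed sample: a Deployment carrying the misconfigurations under review.
WEAK_DEPLOYMENT = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "web", "namespace": "default"},
    "spec": {
        "template": {
            "spec": {
                "hostPID": True,
                "hostNetwork": True,
                "containers": [
                    {
                        "name": "web",
                        "image": "nginx:1.27",
                        "securityContext": {"privileged": True},
                        # no runAsNonRoot, no readOnlyRootFilesystem, no resources
                    }
                ],
            }
        }
    },
}

# Constructed sample: the same workload with the hardening applied.
HARDENED_DEPLOYMENT = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "web", "namespace": "default"},
    "spec": {
        "template": {
            "spec": {
                "securityContext": {"runAsNonRoot": True, "runAsUser": 10001},
                "containers": [
                    {
                        "name": "web",
                        "image": "nginx:1.27",
                        "securityContext": {
                            "privileged": False,
                            "allowPrivilegeEscalation": False,
                            "readOnlyRootFilesystem": True,
                            "capabilities": {"drop": ["ALL"]},
                        },
                        "resources": {
                            "requests": {"cpu": "100m", "memory": "128Mi"},
                            "limits": {"cpu": "500m", "memory": "256Mi"},
                        },
                    }
                ],
            }
        }
    },
}


def pod_spec(manifest):
    """Locate the PodSpec inside a Pod or any of the common workload controllers."""
    kind = manifest.get("kind")
    spec = manifest.get("spec", {})
    if kind == "Pod":
        return spec
    if kind == "CronJob":
        return spec["jobTemplate"]["spec"]["template"]["spec"]
    if kind in ("Deployment", "StatefulSet", "DaemonSet", "Job", "ReplicaSet"):
        return spec["template"]["spec"]
    raise ValueError(f"unsupported kind: {kind}")


def audit(manifest):
    """Return a list of (severity, check, detail) tuples; empty means no findings."""
    spec = pod_spec(manifest)
    name = f'{manifest["kind"]}/{manifest["metadata"]["name"]}'
    pod_sc = spec.get("securityContext", {})
    findings = []

    # Host namespace sharing exposes host processes / network / IPC to the pod.
    for field in ("hostPID", "hostNetwork", "hostIPC"):
        if spec.get(field) is True:
            findings.append(("HIGH", field, f"{name}: {field} is true"))

    for c in spec.get("containers", []) + spec.get("initContainers", []):
        cname = f'{name} container {c["name"]}'
        sc = c.get("securityContext", {})
        if sc.get("privileged") is True:
            findings.append(("CRITICAL", "privileged", f"{cname} runs privileged"))
        # Container-level settings override pod-level ones; unset means root is allowed.
        non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
        uid = sc.get("runAsUser", pod_sc.get("runAsUser"))
        if non_root is not True and not (isinstance(uid, int) and uid > 0):
            findings.append(("HIGH", "runAsRoot", f"{cname} may run as root"))
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append(("MEDIUM", "allowPrivilegeEscalation",
                             f"{cname} does not set allowPrivilegeEscalation: false"))
        if sc.get("readOnlyRootFilesystem") is not True:
            findings.append(("MEDIUM", "writableRootFs", f"{cname} has a writable root filesystem"))
        limits = c.get("resources", {}).get("limits", {})
        missing = [r for r in ("cpu", "memory") if r not in limits]
        if missing:
            findings.append(("LOW", "missingLimits", f"{cname} has no {'/'.join(missing)} limit"))
    return findings


if __name__ == "__main__":
    for manifest in (WEAK_DEPLOYMENT, HARDENED_DEPLOYMENT):
        print(f'== {manifest["kind"]}/{manifest["metadata"]["name"]}')
        for severity, check, detail in audit(manifest):
            print(f"[{severity}] {check}: {detail}")
```

The same dict structure is what `yaml.safe_load_all` produces from exported manifests, so the checks apply unchanged to real exports; the hardened manifest doubles as the kind of remediation example the findings report would carry, and each check maps naturally onto a Kyverno validate rule or Gatekeeper constraint for the admission-control deliverable.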