Managed K8s Best Practices
Managed Kubernetes moves the control plane off your plate. It does not move workload security, network policy, upgrades, or backups.
These practices apply to EKS, GKE, and AKS alike, with provider notes where the mechanics differ.
How to Use This List
Treat this as a pre-production gate, not a wish list.
Walk the groups in order. A cluster that fails group A should not receive traffic, no matter how good its autoscaling is.
Each item names the thing to do and why it matters. Where a provider does it differently, the note says so.
A - Draw the Responsibility Line
- Write down what the provider owns. All three run the API server, scheduler, controller manager, and etcd, and patch that control plane. Everything above the API is yours.
- Own your node upgrades explicitly. EKS managed node groups and AKS node pools do not follow the control plane automatically. Enable auto-upgrade channels or run a documented upgrade cadence.
- Assume no workload backup exists. No provider backs up your etcd objects in a form you can restore selectively, and none backs up your PersistentVolume data by default.
- Read the SLA before you promise one. AKS Free tier has no financially backed control-plane SLA. A control-plane SLA is not a workload SLA on any provider.
- Know your supported minors. Kubernetes 1.34 through 1.36 are supported; 1.33 is EOL. Falling off the supported window means no security patches and forced upgrades on the provider's schedule.
B - Identity and Access
- Never mount long-lived cloud credentials. Use EKS Pod Identity (or IRSA), GKE Workload Identity Federation, or AKS workload identity. A JSON key or access key in a Secret is a finding, not a design.
- Scope one identity per workload. A shared role across a namespace makes least privilege unenforceable and blast radius unbounded.
- Federate human access to your directory. Entra ID on AKS, IAM Identity Center on EKS, Google identities on GKE. Static kubeconfig certificates bypass MFA and never expire.
- Disable the local admin bypass. Turn off AKS local accounts once Entra works, and prefer EKS access entries over hand-edited
aws-authConfigMaps. - Keep cluster-admin out of CI. Give pipelines a scoped ServiceAccount per namespace. A GitOps controller with cluster-admin is a single credential away from total compromise.
C - Workload Security You Still Own
- Enforce Pod Security Standards restricted. Label namespaces with
pod-security.kubernetes.io/enforce: restricted. GKE Autopilot approximates this by default; EKS and AKS do not. - Run non-root, drop all capabilities. Set
runAsNonRoot: true,allowPrivilegeEscalation: false, andcapabilities.drop: ["ALL"]on every container. Add a read-only root filesystem where the app tolerates it. - Pin images by digest. Tags are mutable;
@sha256:...is not. Digest pinning is what makes a scan result mean something at runtime. - Scan and sign in CI. Trivy or Grype on every build, cosign signatures verified by an admission policy. An unscanned image in a private registry is still an unknown image.
- Add an admission policy engine. Kyverno, Gatekeeper, or Validating Admission Policy turns these rules into enforcement instead of a code-review convention.
D - Networking
- Default-deny every namespace. Managed clusters ship with flat pod-to-pod connectivity. Add a default-deny NetworkPolicy per namespace and open only what the app needs.
- Confirm your CNI enforces policy. NetworkPolicy objects are silently inert without an enforcing dataplane. Use GKE Dataplane V2, Azure CNI Powered by Cilium, or add Calico or Cilium on EKS.
- Plan pod IP space at creation. EKS VPC CNI burns real subnet IPs - enable prefix delegation early. GKE's pod range and AKS overlay CIDR are fixed at cluster creation.
- Prefer overlay where pod-IP routability is not required. Azure CNI overlay conserves VNet address space. Choose flat routable pod IPs only when something outside the cluster must dial a pod directly.
- Restrict the control-plane endpoint. Private clusters or authorized-network lists. A public API server endpoint open to the internet is an unnecessary attack surface.
E - Reliability and Cost
- Set requests and limits on everything. Requests drive scheduling and autoscaling; missing them makes the HPA and cluster autoscaler guess. On GKE Autopilot, requests are literally your bill.
- Add readiness and liveness probes. Without readiness, rolling updates route traffic to cold pods. Without liveness, wedged processes stay in the Service.
- Spread across zones and set PDBs.
topologySpreadConstraintsplus a PodDisruptionBudget is what makes provider auto-upgrades and node recycling survivable. - Use the right node autoscaler. Karpenter on EKS, node auto-provisioning on AKS, Autopilot or NAP on GKE. Fixed node groups sized for peak are the most common source of waste.
- Set maintenance windows. Auto-upgrades will happen. Constrain when, and make sure PDBs are correct before they do.
F - Backups and Recovery
- Back up cluster objects, not just volumes. Velero or a provider backup service captures namespace state. A GitOps repo covers desired state, but not runtime objects like generated Secrets.
- Back up PersistentVolume data separately. CSI snapshots are point-in-time and live in the same account as the cluster. Copy them cross-account or cross-region for real durability.
- Rehearse a restore. An untested backup is a hypothesis. Restore into a scratch namespace on a schedule and time it.
- Keep the cluster rebuildable from code. Terraform plus Helm or Argo CD should recreate the cluster without tribal knowledge. If it cannot, your backup story has a hole in it.
- Protect against your own account. Cross-account or cross-subscription backup copies are what survive a compromised or mistakenly deleted cloud account.
When You Are Done
You should be able to answer four questions without opening a console.
What does the provider patch, and what do you patch? Where does every workload's cloud credential come from, and how long does it live? What happens to traffic when a node pool auto-upgrades mid-afternoon? How long does a full restore take, and when did you last time it?
If any answer is a guess, that is the next item of work.
FAQs
Does managed Kubernetes mean the cloud secures my workloads? No. The provider secures the control plane and the infrastructure under it. Pod security, RBAC, network policy, image provenance, and data backups stay yours on all three.
Is GKE Autopilot enough to skip Pod Security Standards? Autopilot enforces most restricted-profile constraints for you, which is real. It does not cover NetworkPolicy, image provenance, or backups, so the rest of this list still applies.
Do I need NetworkPolicy if I have a service mesh? Usually yes. Mesh mTLS authorizes L7 identity for mesh-enrolled traffic; NetworkPolicy is the L3/L4 floor that catches everything outside it.
Should I run Docker on my nodes? No, and you cannot. Nodes run containerd via CRI on all three providers; dockershim was removed from Kubernetes. Docker is your build and Compose tool.
How do I keep node images patched? Enable the provider's node OS auto-upgrade or node image channel, and use a minimal image such as Bottlerocket on EKS. Nodes do not patch themselves without it.
Is GitOps a backup? Only for desired state. It will not restore generated Secrets, PVC data, or CRD-managed runtime objects, so pair it with Velero or a provider backup service.
Related
- What "Managed" Does and Doesn't Cover
- Managed K8s Basics
- Amazon EKS
- Google GKE
- Azure AKS
- Cloud Selection ADR
Stack versions: This page was written for Kubernetes 1.36.2, Docker Engine 29.6.1 (BuildKit default), containerd (CRI runtime on nodes), Helm 3, Compose v2, Argo CD (latest - verify at build), and Gateway API (GA - verify controller support at build).