Observability-Driven Security: Hardening Kubernetes Deployments with TELEMETRY

By Òscar Garcia Perales and Rafael Vidal Vila, i4RI

A unified approach to secure deployment is becoming essential as digital transformation accelerates and cloud-native technologies become the standard across research, industry, and public services. The shift toward containerization and Kubernetes orchestration has enabled unprecedented agility and scalability, yet it has also introduced new layers of security complexity.

For projects like TELEMETRY, where the protection of sensitive data and the reliability of distributed applications are paramount, developing robust methodologies for secure deployment goes hand in hand with innovation in monitoring, observability, and trustworthy data flows.

The Evolving Landscape of Deployment Security

Traditionally, deployment security revolved on bare metal servers or virtual machines, relying on perimeter-based defences and manual configuration checks. However, the rapid adoption of containers has transformed this landscape. Recent research shows that container images contain an average of 460 vulnerabilities, with significant portions classified as high severity (CVSS score ≥7.0). Furthermore, studies indicate that new Kubernetes clusters face their first attack attempt within 18-28 minutes of creation, highlighting the immediate security challenges in cloud-native environments[1],[2].

By design, containers are ephemeral and stateless, created and destroyed dynamically within clusters. Kubernetes adds another abstraction layer by automating scaling, policy management, and failure recovery. While this dynamism enhances flexibility, it also broadens the attack surface, with vulnerabilities potentially hidden within container images, access control configurations, or the orchestration layer itself. Academic analysis of over 200 container-related vulnerabilities has identified 47 distinct exploit types across 11 attack vectors, emphasizing the complexity of the threat landscape [3],[4].

In this new paradigm, security must evolve from static hardening to dynamic, continuous assurance.

Harnessing Observability for Proactive Defence

Modern observability platforms, many shaped by the OpenTelemetry[5] standard,  are redefining how security and performance are monitored in real time. Industry research indicates that 48,5% of organizations are already using OpenTelemetry, with 46,4% reporting greater than 20% ROI from implementation[6]. OpenTelemetry, a widely adopted open-source standard, provides a unified framework for collecting, processing, and exporting telemetry data such as traces, metrics, and logs across diverse systems. By standardizing observability signals, it enables consistent visibility and faster detection of performance or security anomalies across distributed environments. Deployment best practices now emphasize security by design, where telemetry and monitoring are integrated from the earliest stages of development through the entire application lifecycle.

Implementing runtime observability within Kubernetes[7] clusters provides more than health and performance insights: it reveals anomalous behaviours, suspicious container restarts, unauthorized network transit, and policy violations as they happen. This enables a shift from reactive response to proactive defence, where threats can be detected and mitigated before they escalate. Research demonstrates that organizations implementing continuous verification mechanisms detect security incidents 4.3 times faster than those with periodic assessment approaches[8].

Embedding Security into Kubernetes and Containerisation Workflows

TELEMETRY’s secure deployment framework reflects emerging best practices for protecting applications and services within Kubernetes environments, informed by established security frameworks including NIST SP 800-190 Application Container Security Guide and the CNCF 4C Security Model [9], [10], [11]. The approach begins with secure communications using TLS, which enables encrypted communications between the Internet and any service running within Kubernetes, whether it has native TLS capability or not. Role-based access controls (RBAC) then strictly limit privileges to the minimum necessary for each service or user, following the principle of least privilege that security experts consistently recommend. Studies show that organizations implementing properly configured RBAC reduced security incidents by 64% compared to environments without structured access controls[12]. Network policies complement these measures by confining communication between pods, effectively reducing unnecessary exposure and preventing lateral movement across the cluster. Meanwhile, specialized secrets management tools safeguard credentials and sensitive configuration data, ensuring they remain outside of version control systems and insecure storage locations. Finally, integrated observability and alerting systems deliver continuous visibility into both application behaviour and infrastructure state, creating a comprehensive monitoring ecosystem that supports both operational efficiency and security posture.

This layered approach, supported by automation and “shift-left” security culture, builds a deployment pipeline that is both agile and resilient against evolving cyber threats. Industry best practices emphasize that security feature adoption has significant room for improvement, with 81% of EKS clusters still relying on deprecated authentication methods against AWS security best practices[13].

From Principles to Practice: TELEMETRY’s Secure Deployment Platform
These principles are actively implemented in TELEMETRY through the development of a Secure Deployment Platform: a lightweight, production-grade environment that combines K3s[14], Docker[15], Helm[16], and a service mesh to deliver robust, scalable, and secure application orchestration.

Built on top of K3s, a streamlined version of Kubernetes, the platform ensures encryption by default (TLS), fine-grained RBAC controls, and reduced attack surfaces, making it suitable for both cloud and edge deployments. Docker provides consistent container packaging, while Helm charts enable version-controlled, repeatable deployments with rollback capabilities. Research on container security emphasizes the importance of minimizing attack surfaces, with findings showing that each additional package in a container image introduces an average of 1.7 vulnerabilities[17].

To reinforce internal security, the integrated service mesh provides automatic mutual TLS (mTLS) for service-to-service communication, alongside traffic control, observability, and policy enforcement by implementing a zero-trust architecture across the deployment. Zero Trust implementation in enterprise Kubernetes environments has been shown to reduce successful attacks significantly while improving incident detection capabilities[18],[19]. Complementary tools like Rancher[20] simplify K3s management, and NGINX[21] serves as a secure ingress controller, handling encrypted web traffic, load balancing, and access control.

Together, these components form a unified, security-first deployment environment that advances TELEMETRY’s mission: to bring trustworthy, observable, and resilient cloud-native practices to research and innovation infrastructures.

TELEMETRY: Enabling Secure, Trustworthy Deployments

In TELEMETRY, containerization and Kubernetes are not just tools for scalability and replicability, they are foundations for secure, distributed, real-time telemetry. By embedding security measures into every phase, from image build and deployment to runtime monitoring and decommissioning, the project aims to set a new standard for trustworthiness in the deployment of research and analytics applications.

The future of secure deployment lies in this convergence of automation, observability, and proactive security, turning every component into both a contributor to and a guardian of organizational resilience. Current trends indicate that 54% of Kubernetes clusters now run on supported versions, reflecting growing focus on maintaining up-to-date and secure environments[22].

In this sense, secure deployment is not merely an operational concern but a core pillar for building trusted, intelligent monitoring infrastructures in an increasingly interconnected world.

*Òscar Garcia Perales, Computer Engineer. Co-owner and Operations Director of i4RI. Head of Analytics group.

Rafael Vidal Vila, Computer Engineer. Working as DevOps at i4RI since 2023

[1] https://www.wiz.io/reports/kubernetes-security-report-2025

[2] https://pmc.ncbi.nlm.nih.gov/articles/PMC8173661/

[3] https://pmc.ncbi.nlm.nih.gov/articles/PMC8173661/

[4] https://dl.acm.org/doi/10.1145/3715001

[5] https://opentelemetry.io/

[6] https://www.apica.io/blog/opentelemetry-the-foundation-of-modern-observability-strategy/

[7] https://kubernetes.io/

[8] https://eajournals.org/wp-content/uploads/sites/21/2025/06/Best-Practices-1.pdf

[9] https://anchore.com/compliance/nist/800-190/

[10] https://www.armosec.io/wp-content/uploads/2023/04/Kubernetes-Security-Best-Practices_A-Definitive-Guide_ARMO-1.pdf

[11] https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-190.pdf

[12] https://eajournals.org/wp-content/uploads/sites/21/2025/06/Best-Practices-1.pdf

[13] https://www.wiz.io/reports/kubernetes-security-report-2025

[14] https://k3s.io/

[15] https://www.docker.com/

[16] https://helm.sh/

[17] https://pmc.ncbi.nlm.nih.gov/articles/PMC8173661/

[18] https://www.strongdm.com/blog/kubernetes-security-best-practices

[19] https://eajournals.org/wp-content/uploads/sites/21/2025/06/Best-Practices-1.pdf

[20] https://www.rancher.com/

[21] https://www.f5.com/go/product/welcome-to-nginx

[22] https://www.wiz.io/reports/kubernetes-security-report-2025

European Cyber Security Community Initiative (ECSCI)

The European Cyber Security Community Initiative (ECSCI) brings together EU-funded cybersecurity research and innovation projects to foster cross-sector collaboration and knowledge exchange. Its aim is to align technical and policy efforts across key areas such as AI, IoT, 5G, and cloud security. ECSCI organizes joint dissemination activities, public workshops, and strategic dialogue to amplify the impact of individual projects and build a more integrated European cybersecurity landscape.

Supported by the European Commission, ECSCI contributes to shaping a shared vision for cybersecurity in Europe by reinforcing connections between research, industry, and public stakeholders.

Visit the website

European Cluster for Cybersecurity Certification

The European Cluster for Cybersecurity Certification is a collaborative initiative aimed at supporting the development and adoption of a unified cybersecurity certification framework across the European Union. Bringing together key stakeholders from industry, research, and national authorities, the cluster facilitates coordination, knowledge exchange, and alignment with the EU Cybersecurity Act.

Its mission is to contribute to a harmonized approach to certification that fosters trust, transparency, and cross-border acceptance of cybersecurity solutions. The cluster also works to build a strong stakeholder community that can inform and support the work of the European Union Agency for Cybersecurity (ENISA) and the future European cybersecurity certification schemes.

Visit the website

CertifAI

CertifAI is an EU-funded project aimed at enabling organizations to achieve and maintain compliance with key cybersecurity standards and regulations, such as IEC 62443 and the EU Cyber Resilience Act (CRA), across the entire product development lifecycle. Rather than treating compliance as a one-time activity or post-development task, CertifAI integrates compliance checks and evidence collection as continuous, embedded practices within daily development and operational workflows.

The CertifAI framework provides structured, practical guidance for planning, executing, and monitoring compliance assessments. It supports organizations in conducting gap analyses, building compliance roadmaps, collecting evidence, and preparing for formal certification. The methodology leverages best practices from established cybersecurity frameworks and aligns with Agile and DevSecOps principles, enabling continuous and iterative compliance checks as products evolve.

A central feature of CertifAI is the use of automation and AI-driven tools—such as Retrieval-Augmented Generation (RAG) systems and Explainable AI—to support the interpretation of complex requirements, detect non-conformities, and generate Security Assurance Cases (SAC) with traceable evidence. The approach is organized into five main phases: preparation and planning, evidence collection and mapping, assessment execution, reporting, and ongoing compliance monitoring.

CertifAI’s methodology is designed to be rigorous yet adaptable, offering organizations a repeatable process to proactively identify, address, and document compliance gaps. This supports organizations not only in meeting certification requirements, but also in embedding a culture of security and compliance into daily practice.

Ultimately, CertifAI’s goal is to make compliance and security assurance continuous, transparent, and integrated, helping organizations efficiently prepare for certification while strengthening their overall cybersecurity posture.

Visit the website

DOSS

The Horizon Europe DOSS – Design and Operation of Secure Supply Chain – project aims to improve the security and reliability of IoT operations by introducing an integrated monitoring and validation framework to IoT Supply Chains.

DOSS elaborates a “Supply Trust Chain” by integrating key stages of the IoT supply chain into a digital communication loop to facilitate security-related information exchange. The technology includes security verification of all hardware and software components of the modelled architecture. A new “Device Security Passport” contains security-relevant information for hardware devices and their components. 3rd party software, open-source applications, as well as in-house developments are tested and assessed. The centrepiece of the proposed solution is a flexibly configurable Digital Cybersecurity Twin, able to simulate diverse IoT architectures. It employs AI for modelling complex attack scenarios, discovering attack surfaces, and elaborating the necessary protective measures. The digital twin provides input for a configurable, automated Architecture Security Validator module which assesses and provides pre-certification for the modelled IoT architecture with respect of relevant, selectable security standards and KPIs. To also ensure adequate coverage for the back end of the supply chain the operation of the architecture is also be protected by secure device onboarding, diverse security and monitoring technologies and a feedback loop to the digital twin and actors of the supply chain, sharing security-relevant information.

The procedures and technology will be validated in three IoT domains: automotive, energy and smart home.

The 12-member strong DOSS consortium comprises all stakeholders of the IoT ecosystem: service operators, OEMs, technology providers, developers, security experts, as well as research and academic partners.

Visit the website

EMERALD: Evidence Management for Continuous Compliance as a Service in the Cloud

The EMERALD project aims to revolutionize the certification of cloud-based services in Europe by addressing key challenges such as market fragmentation, lack of cloud-specific certifications, and the increasing complexity introduced by AI technologies. At the heart of EMERALD lies the concept of Compliance-as-a-Service (CaaS) — an agile and scalable approach aimed at enabling continuous certification processes in alignment with harmonized European cybersecurity schemes, such as the EU Cybersecurity Certification Scheme for Cloud Services (EUCS).

By focusing on evidence management and leveraging results from the H2020 MEDINA project, EMERALD will build on existing technological readiness (starting at TRL 5) and push forward to TRL 7. The project’s core innovation is the development of tools that enable lean re-certification, helping service providers, customers, and auditors to maintain compliance across dynamic and heterogeneous environments —including Cloud, Edge, and IoT infrastructures.

EMERALD directly addresses the critical gap in achieving the ‘high’ assurance level of EUCS by offering a technical pathway based on automation, traceability, and interoperability. This is especially relevant in light of the emerging need for continuous and AI-integrated certification processes, as AI becomes increasingly embedded in cloud services.

The project also fosters strategic alignment with European initiatives on digital sovereignty, supporting transparency and trust in digital services. By doing so, EMERALD promotes the adoption of secure cloud services across both large enterprises and SMEs, ensuring that security certification becomes a practical enabler rather than a barrier.

Ultimately, EMERALD’s vision is to provide a robust, flexible, and forward-looking certification ecosystem, paving the way for more resilient, trustworthy, and user-centric digital infrastructures in Europe.

Visit the website

SEC4AI4SEC

Sec4AI4Sec is a project funded by the European Union’s Horizon Europe research and innovation programme under grant agreement No 101120393.

This project aims to create a range of cutting-edge technologies, open-source tools, and new methodologies for designing and certifying secure AI-enhanced systems and AI-enhanced systems for security. Additionally, it will provide reference benchmarks that can be utilized to standardize the evaluation of research outcomes within the secure software research community.

The project is divided into two main phases, each with its own name.

·       AI4Sec – stands for using artificial intelligence in security. Democratize security expertise with an AI-enhanced system that reduces development costs and improves software quality. This part of the project improves via AIs the secure coding and testing.

·       Sec4AI –  involves AI-enhanced systems. These systems also have risks that make them vulnerable to new security threats unique to AI-based software, especially when fairness and explainability are essential.

The project considers the economic and technological impacts of combining AI and security.

The economic phase of the project focuses on leveraging AI to drive growth, productivity, and competitiveness across industries. It includes developing new business models, identifying new market opportunities, and driving innovation across various sectors. 

Visit the website