10 Common Azure Kubernetes Mistakes
1. Forgetting resource quotas and limits
Without resource quotas and limits on pods and namespaces, a single application can consume all cluster resources, leaving the rest of the cluster struggling. That can lead to performance degradation, unstable applications and potential outages for other workloads.
What to do instead:
- Define CPU and memory requests and limits at the pod level.
- Use ResourceQuotas at the namespace level to ensure fair resource distribution across teams, environments, and applications.
- Use LimitRanges to set default, minimum and maximum CPU and memory values for containers in each namespace.
2. Using the default node pool for every workload
While running every workload on the default node pool may feel simple, it limits your ability to isolate and optimise applications. Different workloads often require different VM sizes, scaling behaviour, and availability settings. When run together, a resource-heavy workload can affect applications that should have been protected.
What to do instead:
- Create separate node pools for system components, production apps and batch jobs.
- Use the right VM SKUs for each workload, and apply taints, tolerations and affinities to keep workloads on the right nodes.
3. Running clusters without monitoring and diagnostics
Without monitoring, you’re flying blind. If Container Insights and diagnostic settings aren’t enabled, you lose visibility into cluster health, performance bottlenecks and security events. That makes troubleshooting slower and increases mean time to resolution.
What to do instead:
- Enable Container Insights and configure diagnostic settings to send logs to a Log Analytics workspace.
- Track node health, pod restarts, resource usage, errors and cluster events from day one.
4. Storing secrets in plain text or ConfigMaps
Sensitive data should not be stored in ConfigMaps or plain environment variables. If credentials, tokens or connection strings are stored this way, anyone with read access to the cluster may be able to see them, creating security and compliance problems.
What to do instead:
- Prefer Azure Key Vault + Secrets Store CSI Driver for production secrets.
- Use Workload Identity or managed identity to access Key Vault.
- Use Kubernetes Secrets only when needed, with encryption at rest and strict RBAC.
5. Exposing the API server
Exposing the Kubernetes API server publicly without IP whitelisting creates unnecessary attack surface for unauthorised access attempts. Even with authentication in place, broad public access increases risk.
What to do instead:
- Prefer private cluster design when feasible.
- Configure authorised IP ranges when a public API endpoint remains necessary.
6. Leaving network policies incomplete
If network policies are missing or too open, pods may be able to communicate freely with the rest of the cluster, creating risk. If one pod is compromised, unrestricted pod-to-pod communication can help the issue spread across your environment like a virus.
What to do instead:
- Use Kubernetes Network Policies to restrict unnecessary ingress and egress between pods.
- Prefer Azure CNI Powered by Cilium for new AKS builds where it fits.
- Apply zero-trust networking and micro segmentation so workloads communicate only when needed.
7. Disabling Azure Policy and Pod Security Standards
Azure Policy for Kubernetes and Pod Security Admission help prevent privileged containers, enforce security contexts and keep workloads aligned with compliance requirements.
Without them, insecure or non-compliant configurations can reach your AKS cluster more easily. That makes it harder to maintain a consistent security posture as more workloads, teams and environments are added.
What to do instead:
- Use Azure Policy add-on for centralised governance, audit/deny effects, and enterprise compliance.
- Use Pod Security Admission with namespace labels for Pod Security Standards.
Use these controls to block risky configurations before they reach the cluster.
8. Using latest or mutable image tags in production
Using latest or other mutable image tags in production makes deployments unpredictable. The tag may point to a different image later, even when the deployment file has not changed. That can break deployments, introduce vulnerabilities and make rollbacks harder.
What to do instead:
- Use specific immutable image tags or digest references.
- Make sure every production deployment points to a known, tested and reproducible image version.
9. Using single-zone deployments for production workloads
Single-zone AKS deployments can create a single point of failure, possibly causing complete outages during zone failures.
What to do instead:
- Use availability zones for production workloads.
- Distribute nodes across multiple zones and use pod topology spread constraints to prevent replicas from being concentrated in a single place.
- Use zone-aware storage choices.
10. Ignoring Pod Disruption Budgets (PDB) for critical applications
Without Pod Disruption Budgets (PDB), cluster maintenance or scaling events can remove too many pod replicas at once. That can cause avoidable service outages during upgrades, node drains or planned maintenance.
What to do instead:
- Define Pod Disruption Budgets for critical applications. Use them to maintain minimum availability during upgrades, scaling operations and planned maintenance.