Question 1

What is Kubernetes security?

Accepted Answer

Kubernetes security encompasses the practices, tools, and configurations used to protect Kubernetes clusters, workloads, and data. It includes authentication, authorization (RBAC), network policies, pod security standards, secrets management, and runtime security.

Question 2

What is the CKS certification?

Accepted Answer

The Certified Kubernetes Security Specialist (CKS) is a CNCF certification that validates expertise in securing Kubernetes clusters. It covers cluster setup and hardening, system hardening, minimizing microservice vulnerabilities, and supply chain security.

Question 3

What are Kubernetes network policies?

Accepted Answer

Network policies are Kubernetes resources that control pod-to-pod and pod-to-external traffic. They act as a firewall for your cluster, allowing you to specify which pods can communicate with each other based on labels, namespaces, and ports.

Question 4

What are Pod Security Standards?

Accepted Answer

Pod Security Standards (PSS) are predefined security profiles that define different levels of pod security restrictions: Privileged (unrestricted), Baseline (minimally restrictive to prevent known privilege escalations), and Restricted (heavily restricted following security best practices).

Question 5

What is RBAC in Kubernetes?

Accepted Answer

Role-Based Access Control (RBAC) is a Kubernetes authorization mechanism that regulates access to resources based on user roles. It uses Role, ClusterRole, RoleBinding, and ClusterRoleBinding resources to define and assign permissions to users and service accounts.

Question 6

How do I secure etcd in Kubernetes?

Accepted Answer

Secure etcd by enabling encryption at rest for secrets, using TLS for client-server communication, restricting access to etcd endpoints via firewall rules, enabling authentication, and running regular backups. etcd stores all cluster data including secrets.

Question 7

What is a container escape attack?

Accepted Answer

A container escape attack occurs when a process breaks out of container isolation to access the host system or other containers. Common vectors include privileged containers, hostPath mounts, and kernel exploits. Mitigate with Pod Security Standards and seccomp profiles.

Question 8

What tools are used for Kubernetes security scanning?

Accepted Answer

Popular Kubernetes security tools include Trivy (vulnerability scanning), Falco (runtime security), kube-bench (CIS benchmarks), OPA Gatekeeper and Kyverno (policy enforcement), Kubescape (security posture), and Cosign (image signing).

#	CVE	Severity	Projects	Disclosed	Published	Summary
1	CVE-2026-49445	CRITICAL9.2	cilium	Jun 1, 2026	Jun 8, 2026	Sensitive information disclosure and cluster disruption via local Envoy admin socket access
2	CVE-2026-41520	HIGH7.9	cilium	Apr 22, 2026	Apr 27, 2026	Sensitive information included in cilium-bugtool debug archive
3	CVE-2026-41485	HIGH7.7	kyverno	Apr 22, 2026	Apr 27, 2026	Kyverno Controller Denial of Service via forEach Mutation Panic
4	GHSA-8wfp-579w-6r25	HIGH7.7	kyverno	Apr 15, 2026	Apr 28, 2026	Kyverno apiCall automatically forwards ServiceAccount token to external endpoints (credential leak)
5	CVE-2026-41323	HIGH8.1	kyverno	Apr 15, 2026	Apr 27, 2026	ServiceAccount token leaked to external servers via apiCall service URL
6	CVE-2026-41068	HIGH7.7	kyverno	Apr 15, 2026	Apr 27, 2026	Cross-Namespace Read Bypasses RBAC Isolation (CVE-2026-22039 Incomplete Fix)
7	CVE-2026-40868	HIGH8.1	kyverno	Apr 13, 2026	Apr 27, 2026	kyverno apicall servicecall implicit bearer token injection leaks kyverno serviceaccount token
8	CVE-2026-4789	HIGH8.5	kyverno	Apr 13, 2026	Apr 27, 2026	SSRF via CEL http.Get/http.Post in NamespacedValidatingPolicy allows cross-namespace data access
9	GHSA-fmqp-4wfc-w3v7	HIGH7.7	kyverno	Apr 13, 2026	Apr 28, 2026	Kyverno APICall SSRF Vulnerability Leading to Multi-Tenant Isolation Breach
10	GHSA-qr4g-8hrp-c4rw	HIGH7.7	kyverno	Apr 13, 2026	Apr 28, 2026	Unrestricted outbound requests in Kyverno apiCall enable non-blind SSRF