Summary
CVE-2017-1002101 is a container escape vulnerability in Kubernetes subPath volume mount handling, affecting versions 1.3.x through 1.9.3. A specially crafted pod spec, combined with a container that replaces the subPath target inside the volume with a symlink, allows read and write access to arbitrary files and directories outside the intended volume, including the host filesystem. The vulnerability applies to all volume types, including emptyDir, and does not require a privileged pod; access is subject only to the file permissions on the target path.
Impact
Containers using subPath volume mounts can use symlink traversal to escape the volume boundary and access files on the host filesystem outside the specified volume. This applies to any volume type, including emptyDir volumes, so the attack requires neither a hostPath volume nor a privileged security context. Non-privileged pods can exploit this vulnerability, subject to the file permissions of the targeted host path. In clusters that allow untrusted users to control pod spec content and that rely on PodSecurityPolicy to prevent host filesystem access via hostPath volumes, this vulnerability circumvents that control.
Detection
The upstream advisory identifies two at-risk cluster configurations: clusters that allow untrusted users to control pod spec content and rely on PodSecurityPolicy to prevent hostPath-based host filesystem access, and clusters that use subPath volume mounts with untrusted containers or with containers that may be compromised. Audit cluster workloads for both conditions: review pod specs for volumeMounts that set subPath, and note which of those mounts refer to volume sources (including emptyDir) that the container can write to. PodSecurityPolicy's allowedHostPaths feature does not restrict symlink creation or traversal, so its presence does not mean subPath-based traversal is prevented. Refer to the upstream issue for additional context.
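The audit described above, as an added helper that is not part of the upstream advisory: it walks a pod list shaped like `kubectl get pods -A -o json` output, reports every volumeMount that sets subPath, and marks the finding writable when the mount is not readOnly and the volume source is one the container could modify. The sample pod list and the READ_ONLY_SOURCES set are constructed assumptions.

```python
import json

# Constructed sample shaped like `kubectl get pods -A -o json` output; not real cluster data.
SAMPLE_POD_LIST = json.loads("""
{"items": [
 {"metadata": {"namespace": "ci", "name": "builder"},
  "spec": {"volumes": [{"name": "scratch", "emptyDir": {}}],
           "containers": [{"name": "build", "volumeMounts": [
             {"name": "scratch", "mountPath": "/work", "subPath": "job1"}]}]}},
 {"metadata": {"namespace": "web", "name": "frontend"},
  "spec": {"volumes": [{"name": "cfg", "configMap": {"name": "frontend-cfg"}}],
           "containers": [{"name": "nginx", "volumeMounts": [
             {"name": "cfg", "mountPath": "/etc/nginx/conf.d", "readOnly": true}]}]}}
]}
""")

# Assumed set of volume sources that the kubelet always mounts read-only, so a
# container cannot replace a subPath target inside them with a symlink.
READ_ONLY_SOURCES = {"configMap", "secret", "downwardAPI", "projected"}


def volume_source_type(volume):
    """Return the volume's source key (e.g. 'emptyDir', 'hostPath'); 'name' is metadata."""
    return next((k for k in volume if k != "name"), "unknown")


def find_subpath_mounts(pod_list):
    """Return one finding per volumeMount that uses subPath, across containers and
    initContainers of every pod; writable findings (where the container could swap
    the subPath target for a symlink on an unpatched kubelet) are sorted first."""
    findings = []
    for pod in pod_list.get("items", []):
        meta, spec = pod["metadata"], pod["spec"]
        volumes = {v["name"]: v for v in spec.get("volumes", [])}
        for c in spec.get("containers", []) + spec.get("initContainers", []):
            for m in c.get("volumeMounts", []):
                if "subPath" not in m:
                    continue
                source = volume_source_type(volumes.get(m["name"], {}))
                findings.append({
                    "namespace": meta["namespace"], "pod": meta["name"],
                    "container": c["name"], "volume": m["name"], "source": source,
                    "mountPath": m["mountPath"], "subPath": m["subPath"],
                    "writable": not m.get("readOnly", False) and source not in READ_ONLY_SOURCES,
                })
    return sorted(findings, key=lambda f: not f["writable"])


if __name__ == "__main__":
    for f in find_subpath_mounts(SAMPLE_POD_LIST):
        print("WRITABLE " if f["writable"] else "read-only", f["namespace"], f["pod"],
              f["container"], f["source"], f["volume"], f["subPath"], f["mountPath"])
```

Run it against real output by replacing SAMPLE_POD_LIST with `json.load(open("pods.json"))`; only the writable findings on an unpatched kubelet need escalation.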
Mitigation
Upgrade to the patched release for your release branch: v1.7.14, v1.8.9, or v1.9.4. Kubernetes versions 1.3.x through 1.6.x have no patch available within those branches and must upgrade to a patched minor release.
As a pre-upgrade mitigation, prevent untrusted users from creating pods and pod-creating objects such as Deployments and ReplicaSets. Alternatively, disable all volume types via PodSecurityPolicy; note that disabling all volume types also prevents the use of service account tokens in pods and requires setting automountServiceAccountToken: false on the affected service accounts.
After upgrading, PodSecurityPolicy objects that rely on allowedHostPaths to restrict hostPath access must be updated to disable hostPath volumes entirely, because allowedHostPaths does not prevent symlink-based traversal beyond the declared path prefix. Further Kubernetes enhancements, tracked in the upstream issue, were required before PodSecurityPolicy could effectively restrict hostPath usage.