What is Kubernetes security?

Kubernetes security encompasses the practices, tools, and configurations used to protect Kubernetes clusters, workloads, and data. It includes authentication, authorization (RBAC), network policies, pod security standards, secrets management, and runtime security.

What is the CKS certification?

The Certified Kubernetes Security Specialist (CKS) is a CNCF certification that validates expertise in securing Kubernetes clusters. It covers cluster setup and hardening, system hardening, minimizing microservice vulnerabilities, and supply chain security.

What are Kubernetes network policies?

Network policies are Kubernetes resources that control pod-to-pod and pod-to-external traffic. They act as a firewall for your cluster, allowing you to specify which pods can communicate with each other based on labels, namespaces, and ports.

What are Pod Security Standards?

Pod Security Standards (PSS) are predefined security profiles that define different levels of pod security restrictions: Privileged (unrestricted), Baseline (minimally restrictive to prevent known privilege escalations), and Restricted (heavily restricted following security best practices).

What is RBAC in Kubernetes?

Role-Based Access Control (RBAC) is a Kubernetes authorization mechanism that regulates access to resources based on user roles. It uses Role, ClusterRole, RoleBinding, and ClusterRoleBinding resources to define and assign permissions to users and service accounts.

How do I secure etcd in Kubernetes?

Secure etcd by enabling encryption at rest for secrets, using TLS for client-server communication, restricting access to etcd endpoints via firewall rules, enabling authentication, and running regular backups. etcd stores all cluster data including secrets.

What is a container escape attack?

A container escape attack occurs when a process breaks out of container isolation to access the host system or other containers. Common vectors include privileged containers, hostPath mounts, and kernel exploits. Mitigate with Pod Security Standards and seccomp profiles.

What tools are used for Kubernetes security scanning?

Popular Kubernetes security tools include Trivy (vulnerability scanning), Falco (runtime security), kube-bench (CIS benchmarks), OPA Gatekeeper and Kyverno (policy enforcement), Kubescape (security posture), and Cosign (image signing).

CVE-2018-1002105 — kube-apiserver connection hijacking to backends

CRITICAL9.8CVE-2018-1002105

CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected projects: kubernetes
Disclosed: November 26, 2018
Last updated: April 30, 2026

Affected versions

Project	Vulnerable range
kubernetes	`v1.0.x-1.9.x`
kubernetes	`v1.10.0-1.10.10`
kubernetes	`v1.11.0-1.11.4`
kubernetes	`v1.12.0-1.12.2`

Patched versions

Project	Fixed in
kubernetes	`v1.10.11`
kubernetes	`v1.11.5`
kubernetes	`v1.12.3`
kubernetes	`v1.13.0-rc.1`

References

Summary

CVE-2018-1002105 is a critical privilege escalation vulnerability in the Kubernetes kube-apiserver affecting all releases from v1.0.x through v1.12.2. With a specially crafted request, a user authorized to establish a connection through the kube-apiserver to a backend server can send arbitrary requests over the same connection directly to that backend, authenticated with the kube-apiserver's own TLS credentials. The default RBAC discovery policy allowed all users — including unauthenticated users — to trigger this escalation against any aggregated API server configured in the cluster.

Impact

Two distinct attack paths exist. First, any API call to an aggregated API server endpoint can be escalated to perform any request against that backend server using the kube-apiserver's TLS credentials, as long as the aggregated API server is reachable from the kube-apiserver's network. The default RBAC policy exposes this to all users, authenticated and unauthenticated alike. Second, pod exec, attach, and portforward permissions can be escalated to perform arbitrary requests against the kubelet API on the node specified in the pod spec, enabling attackers to list all pods on the node, execute commands inside any pod, and retrieve command output. Pod exec/attach/portforward permissions are granted to the default admin and edit RBAC roles.

Detection

Determine whether your cluster has aggregated API servers configured, which is the primary prerequisite for the first attack path:

kubectl get apiservices \
  -o 'jsonpath={range .items[?(@.spec.service.name!="")]}{.metadata.name}{"\n"}{end}'

If no names are returned, or if the kube-apiserver is an older version that does not expose the apiservices API, the cluster has no aggregated API servers configured and is only exposed via the pod exec/attach/portforward path. Review API server audit logs for unexpected cross-backend requests or anomalous kubelet API calls following exec or attach operations.

Mitigation

Upgrade to the patched release for your release branch: v1.10.11, v1.11.5, v1.12.3, or v1.13.0-rc.1.

If an immediate upgrade is not possible, restrict RBAC permissions to limit who can perform discovery API calls and pod exec/attach/portforward operations to only principals that require full kubelet or backend API access. Specifically, review whether the default RBAC roles grant exec/attach/portforward to users who should not have full node-level access, and tighten accordingly.

Note: clusters running v1.0.x through v1.9.x have no patch available within those release branches and must upgrade to a patched minor release. Distributors may provide backport patches for older releases; contact your distribution vendor for guidance.

Affected versions

Patched versions

References

Summary​

Impact​

Detection​

Mitigation​

References​

Summary

Impact

Detection

Mitigation

References