What is Kubernetes security?

Kubernetes security encompasses the practices, tools, and configurations used to protect Kubernetes clusters, workloads, and data. It includes authentication, authorization (RBAC), network policies, pod security standards, secrets management, and runtime security.

What is the CKS certification?

The Certified Kubernetes Security Specialist (CKS) is a CNCF certification that validates expertise in securing Kubernetes clusters. It covers cluster setup and hardening, system hardening, minimizing microservice vulnerabilities, and supply chain security.

What are Kubernetes network policies?

Network policies are Kubernetes resources that control pod-to-pod and pod-to-external traffic. They act as a firewall for your cluster, allowing you to specify which pods can communicate with each other based on labels, namespaces, and ports.

What are Pod Security Standards?

Pod Security Standards (PSS) are predefined security profiles that define different levels of pod security restrictions: Privileged (unrestricted), Baseline (minimally restrictive to prevent known privilege escalations), and Restricted (heavily restricted following security best practices).

What is RBAC in Kubernetes?

Role-Based Access Control (RBAC) is a Kubernetes authorization mechanism that regulates access to resources based on user roles. It uses Role, ClusterRole, RoleBinding, and ClusterRoleBinding resources to define and assign permissions to users and service accounts.

How do I secure etcd in Kubernetes?

Secure etcd by enabling encryption at rest for secrets, using TLS for client-server communication, restricting access to etcd endpoints via firewall rules, enabling authentication, and running regular backups. etcd stores all cluster data including secrets.

What is a container escape attack?

A container escape attack occurs when a process breaks out of container isolation to access the host system or other containers. Common vectors include privileged containers, hostPath mounts, and kernel exploits. Mitigate with Pod Security Standards and seccomp profiles.

What tools are used for Kubernetes security scanning?

Popular Kubernetes security tools include Trivy (vulnerability scanning), Falco (runtime security), kube-bench (CIS benchmarks), OPA Gatekeeper and Kyverno (policy enforcement), Kubescape (security posture), and Cosign (image signing).

CVE-2019-11250 — Bearer tokens exposed in kube-apiserver logs

MEDIUM6.5CVE-2019-11250

CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Affected projects: kubernetes
Disclosed: August 8, 2019
Last updated: April 30, 2026

References

Summary

CVE-2019-11250 was identified during the 2019 Kubernetes Security Audit (report finding TOB-K8S-001). The kube-apiserver captures bearer tokens in system logs when the verbosity level is set to --v 10 or higher. Any user with read access to those high-verbosity logs can extract a captured token and replay it to impersonate the original authenticated user against the cluster without additional authentication.

Impact

Bearer tokens are opaque credentials that grant the full privileges of the user they were issued to. If the kube-apiserver is configured to log at verbosity level 10, bearer tokens appear in plaintext in system logs. An attacker who gains read access to those logs — for example, a user with access to the logging infrastructure but not to the production cluster — can replay any captured token and masquerade as the original bearer. The scope of the resulting access is bounded only by the privileges of the impersonated user.

Detection

Check the kube-apiserver startup arguments for a high verbosity flag:

ps aux | grep kube-apiserver | grep -- '--v'

A value of --v=10 or higher indicates that verbose logging — including bearer tokens — is active. Review who has read access to the kube-apiserver system logs (for example, via log aggregation systems, node access, or cloud provider logging services) to assess the exposure window. Audit log entries for the affected period should be treated as potentially compromised if any high-verbosity logging was active and logs were accessible to non-administrative principals.

Mitigation

The upstream advisory did not publish explicit patched version information at the time of writing. The recommended remediation is operational: reduce the kube-apiserver verbosity level to below 10 (the default is --v=2) so that authentication credentials are not captured in logs. Restrict read access to system logs to trusted administrative principals only.

For long-term hardening, implement log filtering or review policies to prevent sensitive authentication material from appearing in any log output, regardless of verbosity setting. Rotate any bearer tokens that may have been captured in high-verbosity logs and revoke the associated sessions.

References

Summary​

Impact​

Detection​

Mitigation​

References​

Summary

Impact

Detection

Mitigation

References