What is Kubernetes security?

Kubernetes security encompasses the practices, tools, and configurations used to protect Kubernetes clusters, workloads, and data. It includes authentication, authorization (RBAC), network policies, pod security standards, secrets management, and runtime security.

What is the CKS certification?

The Certified Kubernetes Security Specialist (CKS) is a CNCF certification that validates expertise in securing Kubernetes clusters. It covers cluster setup and hardening, system hardening, minimizing microservice vulnerabilities, and supply chain security.

What are Kubernetes network policies?

Network policies are Kubernetes resources that control pod-to-pod and pod-to-external traffic. They act as a firewall for your cluster, allowing you to specify which pods can communicate with each other based on labels, namespaces, and ports.

What are Pod Security Standards?

Pod Security Standards (PSS) are predefined security profiles that define different levels of pod security restrictions: Privileged (unrestricted), Baseline (minimally restrictive to prevent known privilege escalations), and Restricted (heavily restricted following security best practices).

What is RBAC in Kubernetes?

Role-Based Access Control (RBAC) is a Kubernetes authorization mechanism that regulates access to resources based on user roles. It uses Role, ClusterRole, RoleBinding, and ClusterRoleBinding resources to define and assign permissions to users and service accounts.

How do I secure etcd in Kubernetes?

Secure etcd by enabling encryption at rest for secrets, using TLS for client-server communication, restricting access to etcd endpoints via firewall rules, enabling authentication, and running regular backups. etcd stores all cluster data including secrets.

What is a container escape attack?

A container escape attack occurs when a process breaks out of container isolation to access the host system or other containers. Common vectors include privileged containers, hostPath mounts, and kernel exploits. Mitigate with Pod Security Standards and seccomp profiles.

What tools are used for Kubernetes security scanning?

Popular Kubernetes security tools include Trivy (vulnerability scanning), Falco (runtime security), kube-bench (CIS benchmarks), OPA Gatekeeper and Kyverno (policy enforcement), Kubescape (security posture), and Cosign (image signing).

CVE-2019-11253 — YAML/JSON parsing DoS in kube-apiserver

HIGH7.5CVE-2019-11253

CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected projects: kubernetes
Disclosed: September 27, 2019
Last updated: April 30, 2026

Affected versions

Project	Vulnerable range
kubernetes	`v1.0.0-1.12.x`
kubernetes	`v1.13.0-1.13.11`
kubernetes	`v1.14.0-1.14.7`
kubernetes	`v1.15.0-1.15.4`
kubernetes	`v1.16.0-1.16.1`

Patched versions

Project	Fixed in
kubernetes	`v1.13.12`
kubernetes	`v1.14.8`
kubernetes	`v1.15.5`
kubernetes	`v1.16.2`

References

Summary

CVE-2019-11253 is a denial-of-service vulnerability in the kube-apiserver affecting Kubernetes v1.0.0 through v1.16.1. Authorized users — and, in clusters running versions prior to v1.14.0 or upgraded from such versions without a policy update, unauthenticated users — could send malicious YAML or JSON payloads containing recursive anchor references (a "Billion Laughs" style attack) to cause the kube-apiserver to consume excessive CPU or memory, potentially crashing it and rendering the cluster unavailable.

Impact

The kube-apiserver parses YAML and JSON from API requests without adequate resource limits on recursive anchor expansion. A malicious payload — for example, a ConfigMap containing deeply nested YAML anchors — causes exponential memory and CPU consumption during parsing. Prior to v1.14.0, the default RBAC policy authorized anonymous users to submit such requests, meaning the attack surface extended beyond authenticated principals. Clusters upgraded from a pre-v1.14.0 release retain the more permissive RBAC policy by default unless manually updated, even after the binary is patched.

Detection

Monitor kube-apiserver CPU and memory metrics for sudden unexplained spikes, particularly following the application of ConfigMap, Secret, or other YAML-heavy resource submissions. Review API server audit logs for requests originating from anonymous or unexpected principals targeting resource-creation endpoints. After applying the mitigation, check whether the system:basic-user ClusterRoleBinding retains the rbac.authorization.kubernetes.io/autoupdate=false annotation if your cluster was upgraded from a pre-v1.14.0 release, as this indicates the restrictive policy was intentionally pinned. Refer to the upstream issue for additional context.

Mitigation

Upgrade to the patched releases for your release branch: v1.13.12, v1.14.8, v1.15.5, or v1.16.2. All four patch releases were made available simultaneously.

Additionally, apply the more restrictive RBAC policy that removes anonymous access, which is required both as a pre-upgrade mitigation and as supplementary hardening for already-upgraded clusters that were originally running a version prior to v1.14.0:

kubectl auth reconcile -f rbac.yaml --remove-extra-subjects --remove-extra-permissions

Note: this command removes the ability for unauthenticated users to use kubectl auth can-i. If running a version prior to v1.14.0, also disable autoupdate on the affected ClusterRoleBinding to prevent the policy from being reverted on API server restart:

kubectl annotate --overwrite clusterrolebinding/system:basic-user rbac.authorization.kubernetes.io/autoupdate=false

After upgrading to v1.14.0 or later, the annotation can be removed to re-enable autoupdate:

kubectl annotate --overwrite clusterrolebinding/system:basic-user rbac.authorization.kubernetes.io/autoupdate=true

Affected versions

Patched versions

References

Summary​

Impact​

Detection​

Mitigation​

References​

Summary

Impact

Detection

Mitigation

References