What is Kubernetes security?

Kubernetes security encompasses the practices, tools, and configurations used to protect Kubernetes clusters, workloads, and data. It includes authentication, authorization (RBAC), network policies, pod security standards, secrets management, and runtime security.

What is the CKS certification?

The Certified Kubernetes Security Specialist (CKS) is a CNCF certification that validates expertise in securing Kubernetes clusters. It covers cluster setup and hardening, system hardening, minimizing microservice vulnerabilities, and supply chain security.

What are Kubernetes network policies?

Network policies are Kubernetes resources that control pod-to-pod and pod-to-external traffic. They act as a firewall for your cluster, allowing you to specify which pods can communicate with each other based on labels, namespaces, and ports.

What are Pod Security Standards?

Pod Security Standards (PSS) are predefined security profiles that define different levels of pod security restrictions: Privileged (unrestricted), Baseline (minimally restrictive to prevent known privilege escalations), and Restricted (heavily restricted following security best practices).

What is RBAC in Kubernetes?

Role-Based Access Control (RBAC) is a Kubernetes authorization mechanism that regulates access to resources based on user roles. It uses Role, ClusterRole, RoleBinding, and ClusterRoleBinding resources to define and assign permissions to users and service accounts.

How do I secure etcd in Kubernetes?

Secure etcd by enabling encryption at rest for secrets, using TLS for client-server communication, restricting access to etcd endpoints via firewall rules, enabling authentication, and running regular backups. etcd stores all cluster data including secrets.

What is a container escape attack?

A container escape attack occurs when a process breaks out of container isolation to access the host system or other containers. Common vectors include privileged containers, hostPath mounts, and kernel exploits. Mitigate with Pod Security Standards and seccomp profiles.

What tools are used for Kubernetes security scanning?

Popular Kubernetes security tools include Trivy (vulnerability scanning), Falco (runtime security), kube-bench (CIS benchmarks), OPA Gatekeeper and Kyverno (policy enforcement), Kubescape (security posture), and Cosign (image signing).

CVE-2021-43816 — containerd CRI hostPath bypasses SELinux on Linux

HIGHCVE-2021-43816GHSA-mvff-h3cj-wj9c

Affected projects: containerd
Disclosed: January 5, 2022
Last updated: April 27, 2026

Affected versions

Project	Vulnerable range
github.com/containerd/containerd	`>= 1.5.0, < 1.5.9`

Patched versions

Project	Fixed in
github.com/containerd/containerd	`1.5.9`

References

Summary

Containers launched through containerd's CRI implementation on Linux systems that use the SELinux security module — and containerd versions since v1.5.0 — can cause arbitrary files and directories on the host to be relabeled to match the container process label through the use of specially-configured bind mounts in a hostPath volume. This relabeling elevates permissions for the container, granting full read/write access over the affected files and directories. Kubernetes and crictl can both be configured to use containerd's CRI implementation.

If you are not using containerd's CRI implementation (through one of the mechanisms described above), you are not affected by this issue.

Impact

On SELinux-enforcing nodes, an unprivileged pod with permission to mount a hostPath volume can pick any file on the host (including SELinux-protected paths normally outside the container's reach) and have it relabeled to the container's process label. From that point on, the container has full read/write access to the relabeled file or directory. The labels persist after the pod exits, so a single attacker pod can leave the node permanently weakened from an SELinux perspective.

Detection

Audit Pod specs across the cluster for hostPath volumes — especially those mounting paths under /etc, /var, /usr, or other SELinux-protected directories. On affected nodes, a post-incident review of restorecon -nv / or equivalent label audits will identify files whose labels no longer match the policy default. Treat any hostPath mount on a containerd CRI cluster running 1.5.0–1.5.8 as untrusted until confirmed.

Mitigation

Upgrade containerd to 1.5.9 or later.

Workarounds:

Ensure that no sensitive files or directories are used as a hostPath volume source.
Apply admission policy (Pod Security Admission restricted, Kyverno, or OPA Gatekeeper) to forbid hostPath volumes outside an allow-list.
After patching, validate that all files on the host are correctly labeled — file labels persist independently of containerd, so the relabeling damage from a successful exploit must be repaired manually (restorecon).

The analyzer below flags hostPath volumes in any uploaded manifest — useful when reviewing existing workloads against this class of issue.

Open the full YAML Analyzer →

Affected versions

Patched versions

References

Summary​

Impact​

Detection​

Mitigation​

References​

Summary

Impact

Detection

Mitigation

References