What is Kubernetes security?

Kubernetes security encompasses the practices, tools, and configurations used to protect Kubernetes clusters, workloads, and data. It includes authentication, authorization (RBAC), network policies, pod security standards, secrets management, and runtime security.

What is the CKS certification?

The Certified Kubernetes Security Specialist (CKS) is a CNCF certification that validates expertise in securing Kubernetes clusters. It covers cluster setup and hardening, system hardening, minimizing microservice vulnerabilities, and supply chain security.

What are Kubernetes network policies?

Network policies are Kubernetes resources that control pod-to-pod and pod-to-external traffic. They act as a firewall for your cluster, allowing you to specify which pods can communicate with each other based on labels, namespaces, and ports.

What are Pod Security Standards?

Pod Security Standards (PSS) are predefined security profiles that define different levels of pod security restrictions: Privileged (unrestricted), Baseline (minimally restrictive to prevent known privilege escalations), and Restricted (heavily restricted following security best practices).

What is RBAC in Kubernetes?

Role-Based Access Control (RBAC) is a Kubernetes authorization mechanism that regulates access to resources based on user roles. It uses Role, ClusterRole, RoleBinding, and ClusterRoleBinding resources to define and assign permissions to users and service accounts.

How do I secure etcd in Kubernetes?

Secure etcd by enabling encryption at rest for secrets, using TLS for client-server communication, restricting access to etcd endpoints via firewall rules, enabling authentication, and running regular backups. etcd stores all cluster data including secrets.

What is a container escape attack?

A container escape attack occurs when a process breaks out of container isolation to access the host system or other containers. Common vectors include privileged containers, hostPath mounts, and kernel exploits. Mitigate with Pod Security Standards and seccomp profiles.

What tools are used for Kubernetes security scanning?

Popular Kubernetes security tools include Trivy (vulnerability scanning), Falco (runtime security), kube-bench (CIS benchmarks), OPA Gatekeeper and Kyverno (policy enforcement), Kubescape (security posture), and Cosign (image signing).

CVE-2022-29179 — Cilium ClusterRole over-permissive on Pod and Node resources

HIGH7.6CVE-2022-29179GHSA-fmrf-gvjp-5j5g

CVSS vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
Affected projects: cilium
Disclosed: May 16, 2022
Last updated: April 27, 2026

Affected versions

Project	Vulnerable range
cilium-agent	`<= 1.8, <= 1.9.15, <= 1.10.10, <= 1.11.4`

Patched versions

Project	Fixed in
cilium-agent	`>= 1.9.16, >= 1.10.11, >= 1.11.5`

References

Summary

If an attacker is able to perform a container escape of a container running as root on a host where Cilium is installed, the attacker can leverage Cilium's Kubernetes ServiceAccount to gain access to cluster privileges that are more permissive than what is minimally required to operate Cilium. In affected releases, this ServiceAccount had access to modify and delete Pod and Node resources.

Summary of attack chain

Attacker compromises a workload running as root on the node.
Attacker escapes the container — for example via a privileged or hostPath-mounted pod.
On the host, the attacker locates the cilium-agent ServiceAccount token mounted into the cilium-agent pod and uses it against the API server.
The over-permissive ClusterRole grants update and delete on pods and nodes, letting the attacker disrupt the cluster, evict workloads, or cordon / drain nodes.

Impact

Any compromise of a root container on a node where Cilium is installed escalates to cluster-wide impact on Pod and Node resources. The CVSS scope change (S:C) reflects this — the blast radius is the cluster, not the original pod. Clusters running affected Cilium versions are exposed regardless of their tenant model; the escalation depends only on container escape, not on Cilium-specific behaviour.

Detection

Audit the Kubernetes audit log for update and delete actions on pods or nodes issued by system:serviceaccount:kube-system:cilium (or whichever namespace / SA name your install uses). Anomalous activity from that ServiceAccount — particularly outside the cilium-agent's own pod lifecycle — is a strong signal.

Mitigation

Upgrade cilium-agent to one of the patched releases on the appropriate line:

Cilium 1.11.5 or later (for the 1.11 line)
Cilium 1.10.11 or later (for the 1.10 line)
Cilium 1.9.16 or later (for the 1.9 line)
The 1.8 line is affected and not separately patched — upgrade to a supported line.

There is no workaround. Pair the upgrade with the standard mitigations against container escape: enforce Pod Security Admission restricted, drop all Linux capabilities, run as a non-root UID, and avoid hostPath / privileged: true workloads.

Affected versions

Patched versions

References

Summary​

Summary of attack chain​

Impact​

Detection​

Mitigation​

References​

Summary

Summary of attack chain

Impact

Detection

Mitigation

References