What is Kubernetes security?

Kubernetes security encompasses the practices, tools, and configurations used to protect Kubernetes clusters, workloads, and data. It includes authentication, authorization (RBAC), network policies, pod security standards, secrets management, and runtime security.

What is the CKS certification?

The Certified Kubernetes Security Specialist (CKS) is a CNCF certification that validates expertise in securing Kubernetes clusters. It covers cluster setup and hardening, system hardening, minimizing microservice vulnerabilities, and supply chain security.

What are Kubernetes network policies?

Network policies are Kubernetes resources that control pod-to-pod and pod-to-external traffic. They act as a firewall for your cluster, allowing you to specify which pods can communicate with each other based on labels, namespaces, and ports.

What are Pod Security Standards?

Pod Security Standards (PSS) are predefined security profiles that define different levels of pod security restrictions: Privileged (unrestricted), Baseline (minimally restrictive to prevent known privilege escalations), and Restricted (heavily restricted following security best practices).

What is RBAC in Kubernetes?

Role-Based Access Control (RBAC) is a Kubernetes authorization mechanism that regulates access to resources based on user roles. It uses Role, ClusterRole, RoleBinding, and ClusterRoleBinding resources to define and assign permissions to users and service accounts.

How do I secure etcd in Kubernetes?

Secure etcd by enabling encryption at rest for secrets, using TLS for client-server communication, restricting access to etcd endpoints via firewall rules, enabling authentication, and running regular backups. etcd stores all cluster data including secrets.

What is a container escape attack?

A container escape attack occurs when a process breaks out of container isolation to access the host system or other containers. Common vectors include privileged containers, hostPath mounts, and kernel exploits. Mitigate with Pod Security Standards and seccomp profiles.

What tools are used for Kubernetes security scanning?

Popular Kubernetes security tools include Trivy (vulnerability scanning), Falco (runtime security), kube-bench (CIS benchmarks), OPA Gatekeeper and Kyverno (policy enforcement), Kubescape (security posture), and Cosign (image signing).

CVE-2022-39388 — Istio Identity Impersonation via Localhost Istiod Access

HIGH7.6CVE-2022-39388GHSA-6c6p-h79f-g6p4

CVSS vector: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
Affected projects: istio
Disclosed: November 9, 2022
Last updated: April 28, 2026

Affected versions

Project	Vulnerable range
Istio	`1.15.2`

Patched versions

Project	Fixed in
Istio	`1.15.3`

References

Summary

In Istio 1.15.2, a user who has localhost access to the Istiod control plane can impersonate any workload identity within the service mesh. This allows an attacker with such access to act as any service in the mesh, bypassing mTLS-based identity enforcement.

Impact

Exploitation requires the attacker to have local access to the node or pod where Istiod is running. With that access, the attacker can impersonate any workload identity in the mesh, which may allow them to intercept traffic intended for other services, bypass service-to-service authorization policies, or extract secrets distributed via the mesh. The CVSS score of 7.6 reflects the adjacent-network attack vector (local access required) and the high confidentiality impact.

Detection

Audit access controls for nodes hosting Istiod and review who has the ability to exec into or gain shell access on those nodes. Check Istiod audit logs and API server audit logs for unexpected certificate signing requests or identity-related API calls. If running Istio 1.15.2, treat any principal with local node access as a potential impersonation risk until upgraded.

Mitigation

Upgrade to Istio 1.15.3 or later. If using 1.15.2, upgrade immediately. There is no effective workaround; restrict access to nodes hosting Istiod as a defense-in-depth measure while planning the upgrade.

Affected versions

Patched versions

References

Summary​

Impact​

Detection​

Mitigation​

References​

Summary

Impact

Detection

Mitigation

References