What is Kubernetes security?

Kubernetes security encompasses the practices, tools, and configurations used to protect Kubernetes clusters, workloads, and data. It includes authentication, authorization (RBAC), network policies, pod security standards, secrets management, and runtime security.

What is the CKS certification?

The Certified Kubernetes Security Specialist (CKS) is a CNCF certification that validates expertise in securing Kubernetes clusters. It covers cluster setup and hardening, system hardening, minimizing microservice vulnerabilities, and supply chain security.

What are Kubernetes network policies?

Network policies are Kubernetes resources that control pod-to-pod and pod-to-external traffic. They act as a firewall for your cluster, allowing you to specify which pods can communicate with each other based on labels, namespaces, and ports.

What are Pod Security Standards?

Pod Security Standards (PSS) are predefined security profiles that define different levels of pod security restrictions: Privileged (unrestricted), Baseline (minimally restrictive to prevent known privilege escalations), and Restricted (heavily restricted following security best practices).

What is RBAC in Kubernetes?

Role-Based Access Control (RBAC) is a Kubernetes authorization mechanism that regulates access to resources based on user roles. It uses Role, ClusterRole, RoleBinding, and ClusterRoleBinding resources to define and assign permissions to users and service accounts.

How do I secure etcd in Kubernetes?

Secure etcd by enabling encryption at rest for secrets, using TLS for client-server communication, restricting access to etcd endpoints via firewall rules, enabling authentication, and running regular backups. etcd stores all cluster data including secrets.

What is a container escape attack?

A container escape attack occurs when a process breaks out of container isolation to access the host system or other containers. Common vectors include privileged containers, hostPath mounts, and kernel exploits. Mitigate with Pod Security Standards and seccomp profiles.

What tools are used for Kubernetes security scanning?

Popular Kubernetes security tools include Trivy (vulnerability scanning), Falco (runtime security), kube-bench (CIS benchmarks), OPA Gatekeeper and Kyverno (policy enforcement), Kubescape (security posture), and Cosign (image signing).

CVE-2022-4886 — ingress-nginx path sanitization bypass enables credential theft

HIGH8.8CVE-2022-4886

CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected projects: kubernetes
Disclosed: October 25, 2023
Last updated: April 30, 2026

Affected versions

Project	Vulnerable range
ingress-nginx-controller	`< v1.8.0`

Patched versions

Project	Fixed in
ingress-nginx-controller	`v1.8.0`

References

Summary

A security issue was discovered in ingress-nginx where a user that can create or update Ingress objects can use directives to bypass the sanitization of the spec.rules[].http.paths[].path field of an Ingress object (in the networking.k8s.io or extensions API group) to obtain the credentials of the ingress-nginx controller. In the default configuration, that credential has access to all secrets in the cluster. Multi-tenant environments where non-admin users have permissions to create Ingress objects are most affected.

Impact

By crafting a malicious path value, an attacker with Ingress create or update permissions can inject nginx directives through the spec.rules[].http.paths[].path field and gain access to the ingress-nginx controller's service account token. Because that token has cluster-wide secret read access by default, the attacker can escalate to reading all secrets in the cluster, including credentials for other workloads. Clusters that do not have ingress-nginx installed are not affected. If the chrooted controller image (introduced in v1.2.0) is in use, credential extraction is not possible, so the severity is lower.

Detection

Review all Ingress objects in the cluster for paths containing unexpected characters or directive sequences. Kubernetes audit logs should be examined for Ingress create and update events from users with limited privileges. The ingress-nginx controller logs may show unusual nginx configuration generation errors that could indicate attempted exploitation. If you find evidence that this vulnerability has been exploited, contact security@kubernetes.io.

Mitigation

Upgrade ingress-nginx to v1.8.0 or later.

As a configuration-level mitigation without upgrading, Ingress administrators should enable strict path type validation. When pathType is set to Exact or Prefix, ingress-nginx enforces strict validation allowing only paths starting with / and containing only alphanumeric characters and -, _, and additional /. This validation is enforced in the Admission Webhook, denying creation of any Ingress containing invalid characters unless pathType is ImplementationSpecific. See the ingress-nginx strict-validate-path-type documentation for configuration details. For environments that require ImplementationSpecific paths, restrict access to creating Ingress objects to trusted users only — for example, using OPA as described in the ingress-nginx OPA example.

Affected versions

Patched versions

References

Summary​

Impact​

Detection​

Mitigation​

References​

Summary

Impact

Detection

Mitigation

References