What is Kubernetes security?

Kubernetes security encompasses the practices, tools, and configurations used to protect Kubernetes clusters, workloads, and data. It includes authentication, authorization (RBAC), network policies, pod security standards, secrets management, and runtime security.

What is the CKS certification?

The Certified Kubernetes Security Specialist (CKS) is a CNCF certification that validates expertise in securing Kubernetes clusters. It covers cluster setup and hardening, system hardening, minimizing microservice vulnerabilities, and supply chain security.

What are Kubernetes network policies?

Network policies are Kubernetes resources that control pod-to-pod and pod-to-external traffic. They act as a firewall for your cluster, allowing you to specify which pods can communicate with each other based on labels, namespaces, and ports.

What are Pod Security Standards?

Pod Security Standards (PSS) are predefined security profiles that define different levels of pod security restrictions: Privileged (unrestricted), Baseline (minimally restrictive to prevent known privilege escalations), and Restricted (heavily restricted following security best practices).

What is RBAC in Kubernetes?

Role-Based Access Control (RBAC) is a Kubernetes authorization mechanism that regulates access to resources based on user roles. It uses Role, ClusterRole, RoleBinding, and ClusterRoleBinding resources to define and assign permissions to users and service accounts.

How do I secure etcd in Kubernetes?

Secure etcd by enabling encryption at rest for secrets, using TLS for client-server communication, restricting access to etcd endpoints via firewall rules, enabling authentication, and running regular backups. etcd stores all cluster data including secrets.

What is a container escape attack?

A container escape attack occurs when a process breaks out of container isolation to access the host system or other containers. Common vectors include privileged containers, hostPath mounts, and kernel exploits. Mitigate with Pod Security Standards and seccomp profiles.

What tools are used for Kubernetes security scanning?

Popular Kubernetes security tools include Trivy (vulnerability scanning), Falco (runtime security), kube-bench (CIS benchmarks), OPA Gatekeeper and Kyverno (policy enforcement), Kubescape (security posture), and Cosign (image signing).

CVE-2023-3893 — kubernetes-csi-proxy insufficient input sanitization leads to privilege escalation

HIGH8.8CVE-2023-3893

CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected projects: kubernetes
Disclosed: July 26, 2023
Last updated: April 30, 2026

Affected versions

Project	Vulnerable range
kubernetes-csi-proxy	`<= v2.0.0-alpha.0`
kubernetes-csi-proxy	`<= v1.1.2`

Patched versions

Project	Fixed in
kubernetes-csi-proxy	`v2.0.0-alpha.1`
kubernetes-csi-proxy	`v1.1.3`

References

Summary

A security issue was discovered in Kubernetes where a user that can create pods on Windows nodes running kubernetes-csi-proxy may be able to escalate to admin privileges on those nodes. Kubernetes clusters are only affected if they include Windows nodes running kubernetes-csi-proxy, which is a common default configuration on Windows nodes. Run kubectl get nodes -l kubernetes.io/os=windows to determine whether any Windows nodes are present in your cluster. The vulnerability is part of a class of issues requiring patches for CVE-2023-3676, CVE-2023-3955, and CVE-2023-3893 for full mitigation.

Impact

Any user with permission to create pods on Windows nodes that run kubernetes-csi-proxy can exploit insufficient input sanitization in the proxy to achieve admin-level privileges on those nodes. Because kubernetes-csi-proxy is commonly deployed as a default component on Windows nodes, a significant number of Windows-based Kubernetes deployments are affected. The high CVSS score (8.8) reflects network-accessible attack vector, low privileges required, and full confidentiality, integrity, and availability impact on affected nodes.

Detection

Kubernetes audit logs can be used to detect if this vulnerability is being exploited. Pod create events with embedded PowerShell commands are a strong indication of exploitation. If you find evidence that this vulnerability has been exploited, contact security@kubernetes.io.

Mitigation

Upgrade kubernetes-csi-proxy to a patched version on all affected Windows nodes:

v2.0.0-alpha.1 or later (for the v2 alpha branch)
v1.1.3 or later (for the v1 stable branch)

To upgrade: cordon the node, stop the associated Windows service, replace the csi-proxy.exe binary, restart the service, and un-cordon the node. See the kubernetes-csi-proxy installation documentation for details.

If kubernetes-csi-proxy is deployed as a Windows host process DaemonSet (for example, using a manifest similar to the one in csi-driver-smb), upgrade the image to a fixed version such as ghcr.io/kubernetes-sigs/sig-windows/csi-proxy:v1.1.3.

There are no known mitigations outside of applying the provided patches. Full mitigation for this class of issues requires applying patches for CVE-2023-3676, CVE-2023-3955, and CVE-2023-3893.

Affected versions

Patched versions

References

Summary​

Impact​

Detection​

Mitigation​

References​

Summary

Impact

Detection

Mitigation

References