What is Kubernetes security?

Kubernetes security encompasses the practices, tools, and configurations used to protect Kubernetes clusters, workloads, and data. It includes authentication, authorization (RBAC), network policies, pod security standards, secrets management, and runtime security.

What is the CKS certification?

The Certified Kubernetes Security Specialist (CKS) is a CNCF certification that validates expertise in securing Kubernetes clusters. It covers cluster setup and hardening, system hardening, minimizing microservice vulnerabilities, and supply chain security.

What are Kubernetes network policies?

Network policies are Kubernetes resources that control pod-to-pod and pod-to-external traffic. They act as a firewall for your cluster, allowing you to specify which pods can communicate with each other based on labels, namespaces, and ports.

What are Pod Security Standards?

Pod Security Standards (PSS) are predefined security profiles that define different levels of pod security restrictions: Privileged (unrestricted), Baseline (minimally restrictive to prevent known privilege escalations), and Restricted (heavily restricted following security best practices).

What is RBAC in Kubernetes?

Role-Based Access Control (RBAC) is a Kubernetes authorization mechanism that regulates access to resources based on user roles. It uses Role, ClusterRole, RoleBinding, and ClusterRoleBinding resources to define and assign permissions to users and service accounts.

How do I secure etcd in Kubernetes?

Secure etcd by enabling encryption at rest for secrets, using TLS for client-server communication, restricting access to etcd endpoints via firewall rules, enabling authentication, and running regular backups. etcd stores all cluster data including secrets.

What is a container escape attack?

A container escape attack occurs when a process breaks out of container isolation to access the host system or other containers. Common vectors include privileged containers, hostPath mounts, and kernel exploits. Mitigate with Pod Security Standards and seccomp profiles.

What tools are used for Kubernetes security scanning?

Popular Kubernetes security tools include Trivy (vulnerability scanning), Falco (runtime security), kube-bench (CIS benchmarks), OPA Gatekeeper and Kyverno (policy enforcement), Kubescape (security posture), and Cosign (image signing).

CVE-2023-47630 — Kyverno user can be tricked into consuming insecure image digest

HIGH7.1CVE-2023-47630GHSA-3hfq-cx9j-923w

CVSS vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
Affected projects: kyverno
Disclosed: November 13, 2023
Last updated: April 27, 2026

Affected versions

Project	Vulnerable range
github.com/kyverno/kyverno	`< 1.10.5`

Patched versions

Project	Fixed in
github.com/kyverno/kyverno	`1.10.5, 1.11.0`

References

Summary

An issue was found in Kyverno that allowed an attacker to control the digest of images used by Kyverno users. The issue requires the attacker to compromise the registry that Kyverno fetches images from. The attacker could then return a vulnerable image to the user and leverage that to further escalate their position. The attacker would need to know which images the Kyverno user consumes and know of one of multiple exploitable vulnerabilities in previous digests of those images, or — if the registry is fully compromised — craft a malicious image with a different digest with intentionally placed vulnerabilities and deliver it.

An attacker was not able to control parameters of the image other than the digest. Users pulling images from trusted registries are not impacted. There is no evidence of exploitation in the wild.

Impact

The bug is in Kyverno's image digest handling — distinct from CVE-2023-46737, which is in Cosign and produces a different impact (denial-of-service via endless-data response). Here, the result is silent substitution of a different digest, which can lead to consumption of a vulnerable or attacker-crafted image even when the user thinks they are pulling a known-good tag.

Detection

Audit Kyverno policies that resolve image digests via the verifyImages or context-loading paths. Cross-reference the resolved digests with the digests returned directly from a trusted client (e.g., crane digest) and treat any divergence as a signal. Operators with mirroring registries or running their own should treat registry compromise as the prerequisite — investigate registry access logs for unexpected pushes or pulls during the affected period.

Mitigation

Upgrade Kyverno to v1.10.5 or v1.11.0 or later. The vulnerability was found during a CNCF-funded security audit by Ada Logics (facilitated by OSTIF).

Workarounds: pull only from trusted registries, pin images by digest end-to-end (so any swap is detectable downstream), and pair Kyverno's verifyImages with Cosign signature verification rather than relying on digest checks alone.

Affected versions

Patched versions

References

Summary​

Impact​

Detection​

Mitigation​

References​

Summary

Impact

Detection

Mitigation

References