What is Kubernetes security?

Kubernetes security encompasses the practices, tools, and configurations used to protect Kubernetes clusters, workloads, and data. It includes authentication, authorization (RBAC), network policies, pod security standards, secrets management, and runtime security.

What is the CKS certification?

The Certified Kubernetes Security Specialist (CKS) is a CNCF certification that validates expertise in securing Kubernetes clusters. It covers cluster setup and hardening, system hardening, minimizing microservice vulnerabilities, and supply chain security.

What are Kubernetes network policies?

Network policies are Kubernetes resources that control pod-to-pod and pod-to-external traffic. They act as a firewall for your cluster, allowing you to specify which pods can communicate with each other based on labels, namespaces, and ports.

What are Pod Security Standards?

Pod Security Standards (PSS) are predefined security profiles that define different levels of pod security restrictions: Privileged (unrestricted), Baseline (minimally restrictive to prevent known privilege escalations), and Restricted (heavily restricted following security best practices).

What is RBAC in Kubernetes?

Role-Based Access Control (RBAC) is a Kubernetes authorization mechanism that regulates access to resources based on user roles. It uses Role, ClusterRole, RoleBinding, and ClusterRoleBinding resources to define and assign permissions to users and service accounts.

How do I secure etcd in Kubernetes?

Secure etcd by enabling encryption at rest for secrets, using TLS for client-server communication, restricting access to etcd endpoints via firewall rules, enabling authentication, and running regular backups. etcd stores all cluster data including secrets.

What is a container escape attack?

A container escape attack occurs when a process breaks out of container isolation to access the host system or other containers. Common vectors include privileged containers, hostPath mounts, and kernel exploits. Mitigate with Pod Security Standards and seccomp profiles.

What tools are used for Kubernetes security scanning?

Popular Kubernetes security tools include Trivy (vulnerability scanning), Falco (runtime security), kube-bench (CIS benchmarks), OPA Gatekeeper and Kyverno (policy enforcement), Kubescape (security posture), and Cosign (image signing).

CVE-2025-1097 — ingress-nginx config injection via auth-tls-match-cn annotation

HIGH8.8CVE-2025-1097

CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected projects: kubernetes
Disclosed: March 23, 2025
Last updated: April 30, 2026

Affected versions

Project	Vulnerable range
ingress-nginx	`< v1.11.0`
ingress-nginx	`>= v1.11.0, <= v1.11.4`
ingress-nginx	`v1.12.0`

Patched versions

Project	Fixed in
ingress-nginx	`v1.11.5`
ingress-nginx	`v1.12.1`

References

Summary

A security issue in ingress-nginx allows users with permission to create or update Ingress resources to inject arbitrary nginx configuration via the auth-tls-match-cn annotation. This annotation, intended for specifying a CN pattern for client certificate validation, is processed by the controller without sufficient sanitization. A malicious value can break out of the intended configuration block and execute arbitrary code within the controller process.

Impact

Any authenticated Kubernetes user who can create or modify Ingress resources — including users with limited namespace-scoped RBAC permissions — can exploit this vulnerability to achieve arbitrary code execution in the ingress-nginx controller. In the default installation, the controller holds cluster-wide read access to all Secrets, making this vulnerability a path to full cluster Secret disclosure. The CVSS score of 8.8 reflects that authentication is required (PR:L) but no user interaction is needed and all three impact categories are high.

Detection

Review Ingress resources across all namespaces for suspicious values in the auth-tls-match-cn annotation:

kubectl get ingress --all-namespaces -o json | \
  jq -r '.items[] | select(.metadata.annotations | keys[] | test("auth-tls-match-cn")) | [.metadata.namespace, .metadata.name, .metadata.annotations["nginx.ingress.kubernetes.io/auth-tls-match-cn"]] | @tsv'

Unexpected nginx directives, newlines, or block syntax within the annotation value may indicate an exploitation attempt. If you find evidence that this vulnerability has been exploited, contact security@kubernetes.io.

Mitigation

Upgrade ingress-nginx immediately to one of the patched versions:

v1.11.5 or later (for the 1.11.x release line)
v1.12.1 or later (for the 1.12.x release line)

Refer to the Upgrading Ingress-nginx documentation for upgrade instructions.

There is no published pre-patch workaround specific to this annotation. Restricting Ingress creation permissions to trusted users reduces the attack surface while an upgrade is being planned.

Affected versions

Patched versions

References

Summary​

Impact​

Detection​

Mitigation​

References​

Summary

Impact

Detection

Mitigation

References