What is Kubernetes security?

Kubernetes security encompasses the practices, tools, and configurations used to protect Kubernetes clusters, workloads, and data. It includes authentication, authorization (RBAC), network policies, pod security standards, secrets management, and runtime security.

What is the CKS certification?

The Certified Kubernetes Security Specialist (CKS) is a CNCF certification that validates expertise in securing Kubernetes clusters. It covers cluster setup and hardening, system hardening, minimizing microservice vulnerabilities, and supply chain security.

What are Kubernetes network policies?

Network policies are Kubernetes resources that control pod-to-pod and pod-to-external traffic. They act as a firewall for your cluster, allowing you to specify which pods can communicate with each other based on labels, namespaces, and ports.

What are Pod Security Standards?

Pod Security Standards (PSS) are predefined security profiles that define different levels of pod security restrictions: Privileged (unrestricted), Baseline (minimally restrictive to prevent known privilege escalations), and Restricted (heavily restricted following security best practices).

What is RBAC in Kubernetes?

Role-Based Access Control (RBAC) is a Kubernetes authorization mechanism that regulates access to resources based on user roles. It uses Role, ClusterRole, RoleBinding, and ClusterRoleBinding resources to define and assign permissions to users and service accounts.

How do I secure etcd in Kubernetes?

Secure etcd by enabling encryption at rest for secrets, using TLS for client-server communication, restricting access to etcd endpoints via firewall rules, enabling authentication, and running regular backups. etcd stores all cluster data including secrets.

What is a container escape attack?

A container escape attack occurs when a process breaks out of container isolation to access the host system or other containers. Common vectors include privileged containers, hostPath mounts, and kernel exploits. Mitigate with Pod Security Standards and seccomp profiles.

What tools are used for Kubernetes security scanning?

Popular Kubernetes security tools include Trivy (vulnerability scanning), Falco (runtime security), kube-bench (CIS benchmarks), OPA Gatekeeper and Kyverno (policy enforcement), Kubescape (security posture), and Cosign (image signing).

CVE-2025-1974 — ingress-nginx admission controller unauthenticated RCE

CRITICAL9.8CVE-2025-1974

CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected projects: kubernetes
Disclosed: March 23, 2025
Last updated: April 30, 2026

Affected versions

Project	Vulnerable range
ingress-nginx	`< v1.11.0`
ingress-nginx	`>= v1.11.0, <= v1.11.4`
ingress-nginx	`v1.12.0`

Patched versions

Project	Fixed in
ingress-nginx	`v1.11.5`
ingress-nginx	`v1.12.1`

References

Summary

A critical vulnerability in the ingress-nginx Validating Admission Controller allows an unauthenticated attacker with access to the pod network to achieve arbitrary code execution within the ingress-nginx controller process. In the default ingress-nginx installation the controller has access to all Secrets cluster-wide, meaning successful exploitation can result in full cluster Secret disclosure.

Impact

An unauthenticated attacker who can reach the ingress-nginx admission webhook endpoint from within the pod network can execute arbitrary code in the context of the ingress-nginx controller pod. Because the controller is granted cluster-wide read access to Secrets in a default installation, all Secrets in the cluster — including service account tokens and TLS certificates — are at risk of disclosure. This vulnerability is rated CRITICAL (CVSS 9.8) due to the lack of required authentication, the absence of user interaction, and the high impact across all three security properties (confidentiality, integrity, availability).

Detection

There are no known indicators of compromise that confirm this vulnerability has been exploited. Verify whether ingress-nginx is present in your cluster and check the running version:

kubectl get pods --all-namespaces --selector app.kubernetes.io/name=ingress-nginx
kubectl get deployment -n ingress-nginx ingress-nginx-controller -o jsonpath='{.spec.template.spec.containers[*].image}'

If you find evidence that this vulnerability has been exploited, contact security@kubernetes.io.

Mitigation

Upgrade ingress-nginx immediately to one of the patched versions:

v1.11.5 or later (for the 1.11.x release line)
v1.12.1 or later (for the 1.12.x release line)

Refer to the Upgrading Ingress-nginx documentation for upgrade instructions.

Before applying the patch, this vulnerability can be mitigated by disabling the Validating Admission Controller functionality of ingress-nginx. Disabling the admission webhook reduces functionality but removes the unauthenticated attack surface until the upgrade can be applied.

Affected versions

Patched versions

References

Summary​

Impact​

Detection​

Mitigation​

References​

Summary

Impact

Detection

Mitigation

References