What is Kubernetes security?

Kubernetes security encompasses the practices, tools, and configurations used to protect Kubernetes clusters, workloads, and data. It includes authentication, authorization (RBAC), network policies, pod security standards, secrets management, and runtime security.

What is the CKS certification?

The Certified Kubernetes Security Specialist (CKS) is a CNCF certification that validates expertise in securing Kubernetes clusters. It covers cluster setup and hardening, system hardening, minimizing microservice vulnerabilities, and supply chain security.

What are Kubernetes network policies?

Network policies are Kubernetes resources that control pod-to-pod and pod-to-external traffic. They act as a firewall for your cluster, allowing you to specify which pods can communicate with each other based on labels, namespaces, and ports.

What are Pod Security Standards?

Pod Security Standards (PSS) are predefined security profiles that define different levels of pod security restrictions: Privileged (unrestricted), Baseline (minimally restrictive to prevent known privilege escalations), and Restricted (heavily restricted following security best practices).

What is RBAC in Kubernetes?

Role-Based Access Control (RBAC) is a Kubernetes authorization mechanism that regulates access to resources based on user roles. It uses Role, ClusterRole, RoleBinding, and ClusterRoleBinding resources to define and assign permissions to users and service accounts.

How do I secure etcd in Kubernetes?

Secure etcd by enabling encryption at rest for secrets, using TLS for client-server communication, restricting access to etcd endpoints via firewall rules, enabling authentication, and running regular backups. etcd stores all cluster data including secrets.

What is a container escape attack?

A container escape attack occurs when a process breaks out of container isolation to access the host system or other containers. Common vectors include privileged containers, hostPath mounts, and kernel exploits. Mitigate with Pod Security Standards and seccomp profiles.

What tools are used for Kubernetes security scanning?

Popular Kubernetes security tools include Trivy (vulnerability scanning), Falco (runtime security), kube-bench (CIS benchmarks), OPA Gatekeeper and Kyverno (policy enforcement), Kubescape (security posture), and Cosign (image signing).

CVE-2025-46342 — Kyverno bypass of policy rules using namespace selectors

HIGH8.6CVE-2025-46342GHSA-jrr2-x33p-6hvc

CVSS vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
Affected projects: kyverno
Disclosed: April 29, 2025
Last updated: April 27, 2026

Affected versions

Project	Vulnerable range
github.com/kyverno/kyverno	`<= 1.13.4, <= 1.12.7, <= 1.11.5`

Patched versions

Project	Fixed in
github.com/kyverno/kyverno	`1.14.0, 1.13.5`

References

Summary

Due to a missing error propagation in GetNamespaceSelectorsFromNamespaceLister in pkg/utils/engine/labels.go, policy rules using namespace selector(s) in their match statements may mistakenly not apply during admission review request processing. As a consequence, security-critical mutations and validations are bypassed, potentially allowing attackers with Kubernetes API access to perform malicious operations.

Impact

When Kyverno handles an admission webhook, the function calls a NamespaceLister to retrieve the namespace's labels. If the lister returns an error, the helper swallows the error and returns an empty label map — equivalent to a namespace without any labels. Policy rules that match on namespace labels (e.g., matchExpressions: [{key: label1, operator: Exists}]) are then evaluated against an empty label set and silently skipped. The Kube API request is accepted without the security-relevant patches and validations.

In environments where Kyverno is the primary admission control for sensitive operations (PSA enforcement, image policy, ConfigMap protection), this is a complete bypass for the affected rules. The CVSS score (8.6) reflects that the bypass is silent and applies in production traffic.

Detection

Kyverno emits no specific signal when this swallowing occurs. Indirect signs:

Policy reports show no entries for resources that should have been matched by namespace-selector-scoped rules.
Admission audit logs show requests passing without the expected mutation patches applied.
Kyverno controller logs may contain transient lister errors around the affected periods.

For a definitive review, audit any policy whose match block uses namespaceSelector and re-run those policies against the live cluster (kyverno apply --report) on a patched version.

Mitigation

Upgrade Kyverno to v1.14.0 or v1.13.5 (or later on the matching line). Versions 1.11 and 1.12 do not have a fix and must be upgraded to a supported line.

Workaround until patched: avoid relying on namespace-selector-scoped rules for security-critical enforcement. Where possible, replace with explicit per-namespace Policy resources or use match.any.resources.namespaces lists, which do not rely on the affected helper.

Affected versions

Patched versions

References

Summary​

Impact​

Detection​

Mitigation​

References​

Summary

Impact

Detection

Mitigation

References