What is Kubernetes security?

Kubernetes security encompasses the practices, tools, and configurations used to protect Kubernetes clusters, workloads, and data. It includes authentication, authorization (RBAC), network policies, pod security standards, secrets management, and runtime security.

What is the CKS certification?

The Certified Kubernetes Security Specialist (CKS) is a CNCF certification that validates expertise in securing Kubernetes clusters. It covers cluster setup and hardening, system hardening, minimizing microservice vulnerabilities, and supply chain security.

What are Kubernetes network policies?

Network policies are Kubernetes resources that control pod-to-pod and pod-to-external traffic. They act as a firewall for your cluster, allowing you to specify which pods can communicate with each other based on labels, namespaces, and ports.

What are Pod Security Standards?

Pod Security Standards (PSS) are predefined security profiles that define different levels of pod security restrictions: Privileged (unrestricted), Baseline (minimally restrictive to prevent known privilege escalations), and Restricted (heavily restricted following security best practices).

What is RBAC in Kubernetes?

Role-Based Access Control (RBAC) is a Kubernetes authorization mechanism that regulates access to resources based on user roles. It uses Role, ClusterRole, RoleBinding, and ClusterRoleBinding resources to define and assign permissions to users and service accounts.

How do I secure etcd in Kubernetes?

Secure etcd by enabling encryption at rest for secrets, using TLS for client-server communication, restricting access to etcd endpoints via firewall rules, enabling authentication, and running regular backups. etcd stores all cluster data including secrets.

What is a container escape attack?

A container escape attack occurs when a process breaks out of container isolation to access the host system or other containers. Common vectors include privileged containers, hostPath mounts, and kernel exploits. Mitigate with Pod Security Standards and seccomp profiles.

What tools are used for Kubernetes security scanning?

Popular Kubernetes security tools include Trivy (vulnerability scanning), Falco (runtime security), kube-bench (CIS benchmarks), OPA Gatekeeper and Kyverno (policy enforcement), Kubescape (security posture), and Cosign (image signing).

CVE-2025-47281 — Kyverno DoS via improper JMESPath variable evaluation

HIGH7.7CVE-2025-47281GHSA-r5p3-955p-5ggq

CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
Affected projects: kyverno
Disclosed: July 22, 2025
Last updated: April 27, 2026

Affected versions

Project	Vulnerable range
github.com/kyverno/kyverno	`<= 1.14.1`

Patched versions

Project	Fixed in
github.com/kyverno/kyverno	`1.14.2`

References

Summary

A Denial-of-Service vulnerability exists in Kyverno due to improper handling of JMESPath variable substitutions. Attackers with permissions to create or update Kyverno policies can craft expressions using the {{@}} variable combined with a pipe and an invalid JMESPath function (e.g., {{@ | non_existent_function}}). This leads to a nil value being substituted into the policy structure. Subsequent processing by getValueAsStringMap, which expects string values, results in a panic due to a type assertion failure (interface {} is nil, not string).

Impact

The panic crashes Kyverno worker threads in the admission controller (and can lead to full admission controller unavailability in Enforce mode) and causes continuous crashes of the reports controller pod, leading to service degradation or unavailability. Any user with policy-create privileges can author a single line of YAML that takes the policy engine offline cluster-wide.

Detection

Audit policies for variable substitutions of the form {{@ | <name>}} where <name> is not a known JMESPath function. Inspect Kyverno controller logs for the panic signature:

panic: interface conversion: interface {} is nil, not string

Watch for repeated kyverno admission/reports controller restarts in the kyverno namespace (kubectl -n kyverno get pods -w) — sustained restarts shortly after a policy was applied is the classic signal.

Mitigation

Upgrade Kyverno to v1.14.2 or later.

Workarounds until patched:

Restrict who can create or update Policy and ClusterPolicy resources via tight RBAC.
Remove any existing policies using {{@}} piped through unfamiliar function names.
Apply admission policy that rejects Kyverno Policy resources containing the literal pattern {{@ | outside of a known allowlist of pipe targets.

Affected versions

Patched versions

References

Summary​

Impact​

Detection​

Mitigation​

References​

Summary

Impact

Detection

Mitigation

References