What is Kubernetes security?

Kubernetes security encompasses the practices, tools, and configurations used to protect Kubernetes clusters, workloads, and data. It includes authentication, authorization (RBAC), network policies, pod security standards, secrets management, and runtime security.

What is the CKS certification?

The Certified Kubernetes Security Specialist (CKS) is a CNCF certification that validates expertise in securing Kubernetes clusters. It covers cluster setup and hardening, system hardening, minimizing microservice vulnerabilities, and supply chain security.

What are Kubernetes network policies?

Network policies are Kubernetes resources that control pod-to-pod and pod-to-external traffic. They act as a firewall for your cluster, allowing you to specify which pods can communicate with each other based on labels, namespaces, and ports.

What are Pod Security Standards?

Pod Security Standards (PSS) are predefined security profiles that define different levels of pod security restrictions: Privileged (unrestricted), Baseline (minimally restrictive to prevent known privilege escalations), and Restricted (heavily restricted following security best practices).

What is RBAC in Kubernetes?

Role-Based Access Control (RBAC) is a Kubernetes authorization mechanism that regulates access to resources based on user roles. It uses Role, ClusterRole, RoleBinding, and ClusterRoleBinding resources to define and assign permissions to users and service accounts.

How do I secure etcd in Kubernetes?

Secure etcd by enabling encryption at rest for secrets, using TLS for client-server communication, restricting access to etcd endpoints via firewall rules, enabling authentication, and running regular backups. etcd stores all cluster data including secrets.

What is a container escape attack?

A container escape attack occurs when a process breaks out of container isolation to access the host system or other containers. Common vectors include privileged containers, hostPath mounts, and kernel exploits. Mitigate with Pod Security Standards and seccomp profiles.

What tools are used for Kubernetes security scanning?

Popular Kubernetes security tools include Trivy (vulnerability scanning), Falco (runtime security), kube-bench (CIS benchmarks), OPA Gatekeeper and Kyverno (policy enforcement), Kubescape (security posture), and Cosign (image signing).

CVE-2025-7342 — Kubernetes Image Builder default credentials in Windows images

HIGH7.5CVE-2025-7342

CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected projects: kubernetes
Disclosed: July 21, 2025
Last updated: April 30, 2026

Affected versions

Project	Vulnerable range
kubernetes-sigs/image-builder	`<= v0.1.44`

Patched versions

Project	Fixed in
kubernetes-sigs/image-builder	`v0.1.45`

References

Summary

Kubernetes Image Builder versions v0.1.44 and earlier enable default credentials on Windows VM images during the build process when using the Nutanix or VMware OVA providers. These default credentials, which allow root (Administrator) access, are intended to be disabled upon completion of the build. However, an attacker who can access the build VM during the active build process could exploit these credentials to modify the resulting image.

Impact

Kubernetes clusters are only at risk if their nodes use Windows VM images produced by Image Builder with the Nutanix or OVA provider, and only if an attacker was able to access the build VM during the image build process. Exploitation requires network access to the build VM during the build window and interaction from the user running the build. An attacker who successfully modifies the image during this window can achieve persistent, root-level access to any cluster node booted from the tampered image, leading to full node compromise and potential cluster-wide impact.

Detection

On affected Windows nodes, check whether the Administrator account remains enabled and review its last logon time:

Get-LocalUser -Name Administrator | Select-Object Name,Enabled,SID,Lastlogon | Format-List

If you find evidence that this vulnerability has been exploited, contact security@kubernetes.io. Additionally, verify the Image Builder version used to produce your node images using one of the following methods:

For git clones: cd <image-builder-repo> && make version
For tarball installs: grep -o 'v0\.[0-9.]*' RELEASE.md | head -1
For container image releases: docker run --rm <image-pull-spec> version

Mitigation

Upgrade Kubernetes Image Builder to v0.1.45 or later and rebuild any affected Windows VM images. Redeploy nodes using the rebuilt images.

Prior to upgrading, set a strong password for the Administrator account on any affected VMs:

net user Administrator <new-password>

Alternatively, use Image Builder v0.1.41 or later and explicitly set the admin_password JSON variable or the WINDOWS_ADMIN_PASSWORD environment variable when running builds. Starting with v0.1.45, omitting both variables causes the build to fail rather than use a default credential.

Affected versions

Patched versions

References

Summary​

Impact​

Detection​

Mitigation​

References​

Summary

Impact

Detection

Mitigation

References