What is Kubernetes security?

Kubernetes security encompasses the practices, tools, and configurations used to protect Kubernetes clusters, workloads, and data. It includes authentication, authorization (RBAC), network policies, pod security standards, secrets management, and runtime security.

What is the CKS certification?

The Certified Kubernetes Security Specialist (CKS) is a CNCF certification that validates expertise in securing Kubernetes clusters. It covers cluster setup and hardening, system hardening, minimizing microservice vulnerabilities, and supply chain security.

What are Kubernetes network policies?

Network policies are Kubernetes resources that control pod-to-pod and pod-to-external traffic. They act as a firewall for your cluster, allowing you to specify which pods can communicate with each other based on labels, namespaces, and ports.

What are Pod Security Standards?

Pod Security Standards (PSS) are predefined security profiles that define different levels of pod security restrictions: Privileged (unrestricted), Baseline (minimally restrictive to prevent known privilege escalations), and Restricted (heavily restricted following security best practices).

What is RBAC in Kubernetes?

Role-Based Access Control (RBAC) is a Kubernetes authorization mechanism that regulates access to resources based on user roles. It uses Role, ClusterRole, RoleBinding, and ClusterRoleBinding resources to define and assign permissions to users and service accounts.

How do I secure etcd in Kubernetes?

Secure etcd by enabling encryption at rest for secrets, using TLS for client-server communication, restricting access to etcd endpoints via firewall rules, enabling authentication, and running regular backups. etcd stores all cluster data including secrets.

What is a container escape attack?

A container escape attack occurs when a process breaks out of container isolation to access the host system or other containers. Common vectors include privileged containers, hostPath mounts, and kernel exploits. Mitigate with Pod Security Standards and seccomp profiles.

What tools are used for Kubernetes security scanning?

Popular Kubernetes security tools include Trivy (vulnerability scanning), Falco (runtime security), kube-bench (CIS benchmarks), OPA Gatekeeper and Kyverno (policy enforcement), Kubescape (security posture), and Cosign (image signing).

CVE-2026-22039 — Kyverno cross-namespace privilege escalation via Policy apiCall

CRITICAL10.0CVE-2026-22039GHSA-8p9x-46gm-qfx2

CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Affected projects: kyverno
Disclosed: January 27, 2026
Last updated: April 27, 2026

Affected versions

Project	Vulnerable range
github.com/kyverno/kyverno	`<= 1.16.2, <= 1.15.2`

Patched versions

Project	Fixed in
github.com/kyverno/kyverno	`1.16.3, 1.15.3`

References

Summary

A critical authorization boundary bypass in namespaced Kyverno Policy apiCall. The resolved urlPath is executed using the Kyverno admission controller ServiceAccount, with no enforcement that the request is limited to the policy's namespace.

Any authenticated user with permission to create a namespaced Policy can cause Kyverno to perform Kubernetes API requests using Kyverno's admission identity, targeting any API path allowed by that SA's RBAC. This breaks namespace isolation by enabling cross-namespace reads (e.g., ConfigMaps and, where permitted, Secrets) and allows cluster-scoped or cross-namespace writes (e.g., creating ClusterPolicy) by controlling the urlPath through context variable substitution.

Impact

CVSS 10.0 (Critical) — the worst-case vector for an in-cluster vulnerability. Any namespace admin in the cluster can:

Read Secrets and ConfigMaps in any namespace the kyverno admission SA can read
Create cluster-scoped resources (ClusterPolicy, ClusterRoleBinding if available, etc.) by issuing PUT/POST through the kyverno SA
Pivot from a single tenant namespace to cluster-admin equivalence

Variable substitution feeds into URLPath without sanitization, and the resulting path is passed directly to client.RawAbsPath, so the request is unrestricted by Kyverno's own logic.

Detection

Audit Policy resources for context blocks containing apiCall.urlPath references that include variable substitutions resolving outside the policy's own namespace — for example /api/v1/namespaces/{{ request.object.metadata.namespace }}/secrets/... where metadata.namespace is attacker-controlled, or paths like /apis/kyverno.io/v1/clusterpolicies.

Pair with audit-log review for unusual get/list/create/update activity from the kyverno admission controller's SA to namespaces or cluster-scoped resources outside the kyverno namespace's normal scope.

Mitigation

Upgrade Kyverno to v1.16.3 or v1.15.3 (or later on the matching line). Note that this fix was incomplete for the related ConfigMap loader path — see CVE-2026-41068, which targets the same pattern in a different code path and is patched in v1.17.2.

Workarounds until patched:

Restrict who can create or update namespaced Policy resources via tight RBAC, especially in shared / multi-tenant clusters.
Audit all existing apiCall usages and remove anything where urlPath references variables sourced from the request object.
Consider scoping the kyverno admission controller's SA more tightly so that the cluster-wide blast radius is reduced even if a future bypass is found.

Affected versions

Patched versions

References

Summary​

Impact​

Detection​

Mitigation​

References​

Summary

Impact

Detection

Mitigation

References