What is Kubernetes security?

Kubernetes security encompasses the practices, tools, and configurations used to protect Kubernetes clusters, workloads, and data. It includes authentication, authorization (RBAC), network policies, pod security standards, secrets management, and runtime security.

What is the CKS certification?

The Certified Kubernetes Security Specialist (CKS) is a CNCF certification that validates expertise in securing Kubernetes clusters. It covers cluster setup and hardening, system hardening, minimizing microservice vulnerabilities, and supply chain security.

What are Kubernetes network policies?

Network policies are Kubernetes resources that control pod-to-pod and pod-to-external traffic. They act as a firewall for your cluster, allowing you to specify which pods can communicate with each other based on labels, namespaces, and ports.

What are Pod Security Standards?

Pod Security Standards (PSS) are predefined security profiles that define different levels of pod security restrictions: Privileged (unrestricted), Baseline (minimally restrictive to prevent known privilege escalations), and Restricted (heavily restricted following security best practices).

What is RBAC in Kubernetes?

Role-Based Access Control (RBAC) is a Kubernetes authorization mechanism that regulates access to resources based on user roles. It uses Role, ClusterRole, RoleBinding, and ClusterRoleBinding resources to define and assign permissions to users and service accounts.

How do I secure etcd in Kubernetes?

Secure etcd by enabling encryption at rest for secrets, using TLS for client-server communication, restricting access to etcd endpoints via firewall rules, enabling authentication, and running regular backups. etcd stores all cluster data including secrets.

What is a container escape attack?

A container escape attack occurs when a process breaks out of container isolation to access the host system or other containers. Common vectors include privileged containers, hostPath mounts, and kernel exploits. Mitigate with Pod Security Standards and seccomp profiles.

What tools are used for Kubernetes security scanning?

Popular Kubernetes security tools include Trivy (vulnerability scanning), Falco (runtime security), kube-bench (CIS benchmarks), OPA Gatekeeper and Kyverno (policy enforcement), Kubescape (security posture), and Cosign (image signing).

CVE-2026-41323 — Kyverno apiCall leaks admission ServiceAccount token

HIGH8.1CVE-2026-41323GHSA-f9g8-6ppc-pqq4

CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Affected projects: kyverno
Disclosed: April 15, 2026
Last updated: April 27, 2026

Affected versions

Project	Vulnerable range
github.com/kyverno/kyverno	`< 1.16.4`

Patched versions

Project	Fixed in
github.com/kyverno/kyverno	`1.16.4`

References

Summary

Kyverno's apiCall feature in ClusterPolicy automatically attaches the admission controller's ServiceAccount token to outgoing HTTP requests. The service URL has no validation — it can point anywhere, including attacker-controlled servers. Since the admission controller's SA has permissions to patch webhook configurations, a stolen token leads to full cluster compromise.

Impact

Two issues combine. First, the service URL flows from the policy spec straight into http.NewRequestWithContext() — no scheme check, no IP restriction, no allowlist. Second, if the request does not already have an Authorization header, Kyverno reads its own SA token from /var/run/secrets/kubernetes.io/serviceaccount/token and injects it as a Bearer token. With the default Helm install, the kyverno-admission-controller SA can read and PATCH MutatingWebhookConfiguration and ValidatingWebhookConfiguration — so a leaked token gives the attacker the ability to bypass or manipulate cluster-wide admission.

Anyone with permission to create or update ClusterPolicy (a relatively common cluster-admin / platform-team grant) can author a policy whose apiCall.service.url points at an attacker-controlled host and harvest the token from the inbound request.

Detection

Audit ClusterPolicy resources for apiCall references whose service.url resolves to an external host or IP. In particular, look for:

URLs not pointing at in-cluster services (no .svc suffix, no internal DNS suffix, public IP)
URLs with explicit IP literals (especially RFC 1918 / link-local) that the admission controller would still resolve
Recently-created or recently-modified policies authored by an unexpected subject

Cluster operators should also review the audit log for update/patch actions on MutatingWebhookConfiguration / ValidatingWebhookConfiguration performed by the kyverno admission controller's SA outside of expected reconciliation windows.

Mitigation

Upgrade Kyverno to v1.16.4 or later on the 1.16.x line. Users on the 1.17.x branch should track GHSA-qr4g-8hrp-c4rw, which addresses the same class of issue on that line and is patched in 1.18.0.

Workarounds until patched:

Restrict who can create or update ClusterPolicy resources via tight RBAC.
Audit and remove existing ClusterPolicy definitions that use apiCall.service.url pointing outside the cluster.
If apiCall is essential, scope the admission controller's SA more tightly (remove webhook-config patch rights where not strictly required) and rotate the SA token after upgrade.

Affected versions

Patched versions

References

Summary​

Impact​

Detection​

Mitigation​

References​

Summary

Impact

Detection

Mitigation

References