What is Kubernetes security?

Kubernetes security encompasses the practices, tools, and configurations used to protect Kubernetes clusters, workloads, and data. It includes authentication, authorization (RBAC), network policies, pod security standards, secrets management, and runtime security.

What is the CKS certification?

The Certified Kubernetes Security Specialist (CKS) is a CNCF certification that validates expertise in securing Kubernetes clusters. It covers cluster setup and hardening, system hardening, minimizing microservice vulnerabilities, and supply chain security.

What are Kubernetes network policies?

Network policies are Kubernetes resources that control pod-to-pod and pod-to-external traffic. They act as a firewall for your cluster, allowing you to specify which pods can communicate with each other based on labels, namespaces, and ports.

What are Pod Security Standards?

Pod Security Standards (PSS) are predefined security profiles that define different levels of pod security restrictions: Privileged (unrestricted), Baseline (minimally restrictive to prevent known privilege escalations), and Restricted (heavily restricted following security best practices).

What is RBAC in Kubernetes?

Role-Based Access Control (RBAC) is a Kubernetes authorization mechanism that regulates access to resources based on user roles. It uses Role, ClusterRole, RoleBinding, and ClusterRoleBinding resources to define and assign permissions to users and service accounts.

How do I secure etcd in Kubernetes?

Secure etcd by enabling encryption at rest for secrets, using TLS for client-server communication, restricting access to etcd endpoints via firewall rules, enabling authentication, and running regular backups. etcd stores all cluster data including secrets.

What is a container escape attack?

A container escape attack occurs when a process breaks out of container isolation to access the host system or other containers. Common vectors include privileged containers, hostPath mounts, and kernel exploits. Mitigate with Pod Security Standards and seccomp profiles.

What tools are used for Kubernetes security scanning?

Popular Kubernetes security tools include Trivy (vulnerability scanning), Falco (runtime security), kube-bench (CIS benchmarks), OPA Gatekeeper and Kyverno (policy enforcement), Kubescape (security posture), and Cosign (image signing).

CVE-2026-41485 — Kyverno forEach mutation panic crashes controllers

HIGH7.7CVE-2026-41485GHSA-fpjq-c37h-cqcv

CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
Affected projects: kyverno
Disclosed: April 22, 2026
Last updated: April 27, 2026

Affected versions

Project	Vulnerable range
github.com/kyverno/kyverno	`>= 1.13.0, <= 1.17.1, <= 1.16.3`

Patched versions

Project	Fixed in
github.com/kyverno/kyverno	`1.17.2, 1.16.4`

References

Summary

An unchecked type assertion in the forEach mutation handler allows any user with permission to create a Policy or ClusterPolicy to crash the cluster-wide background controller into a persistent CrashLoopBackOff. The same bug also causes the admission controller to drop connections and block all matching resource operations. The crash loop persists until the policy is deleted. The vulnerability is confined to the legacy engine — CEL-based policies are unaffected.

Impact

A forEach rule with a patchesJson6902 field that contains a variable substitution resolving to nil at runtime triggers an unrecoverable Go panic in pkg/engine/mutate/mutation.go. When a mutateExisting rule triggers, the admission controller creates an UpdateRequest resource that the background controller processes asynchronously — this resource survives controller restarts, re-triggering the panic on every restart until the policy or UpdateRequest is deleted. The admission controller survives the panic per request (Go's net/http absorbs handler panics) but drops the connection and blocks the matching operation.

Net effect: a single Policy authored by anyone with policies create rights renders the cluster's policy engine unusable until an operator manually intervenes.

Detection

Audit kubectl -n kyverno logs for the panic signature:

panic: interface conversion: interface {} is nil, not string

Look for Policy or ClusterPolicy resources whose forEach rules use patchesJson6902 with variable substitutions referencing fields that may resolve to nil at runtime (e.g., {{ element.nonexistent }}). Pair the audit with a check for unexpected UpdateRequest resources in the kyverno namespace, since those drive the background controller's crash loop.

Mitigation

Upgrade Kyverno to v1.17.2 or v1.16.4 (or later on the matching line). The vulnerable code path was introduced in v1.13.0; releases before that line are unaffected by this specific bug, but other policy-engine concerns apply.

There is no clean workaround on affected versions. As an interim measure, restrict who can create or update Policy and ClusterPolicy resources via RBAC, and prefer CEL-based policies over the legacy engine where possible — CEL policies are not affected.

Affected versions

Patched versions

References

Summary​

Impact​

Detection​

Mitigation​

References​

Summary

Impact

Detection

Mitigation

References