What is Kubernetes security?

Kubernetes security encompasses the practices, tools, and configurations used to protect Kubernetes clusters, workloads, and data. It includes authentication, authorization (RBAC), network policies, pod security standards, secrets management, and runtime security.

What is the CKS certification?

The Certified Kubernetes Security Specialist (CKS) is a CNCF certification that validates expertise in securing Kubernetes clusters. It covers cluster setup and hardening, system hardening, minimizing microservice vulnerabilities, and supply chain security.

What are Kubernetes network policies?

Network policies are Kubernetes resources that control pod-to-pod and pod-to-external traffic. They act as a firewall for your cluster, allowing you to specify which pods can communicate with each other based on labels, namespaces, and ports.

What are Pod Security Standards?

Pod Security Standards (PSS) are predefined security profiles that define different levels of pod security restrictions: Privileged (unrestricted), Baseline (minimally restrictive to prevent known privilege escalations), and Restricted (heavily restricted following security best practices).

What is RBAC in Kubernetes?

Role-Based Access Control (RBAC) is a Kubernetes authorization mechanism that regulates access to resources based on user roles. It uses Role, ClusterRole, RoleBinding, and ClusterRoleBinding resources to define and assign permissions to users and service accounts.

How do I secure etcd in Kubernetes?

Secure etcd by enabling encryption at rest for secrets, using TLS for client-server communication, restricting access to etcd endpoints via firewall rules, enabling authentication, and running regular backups. etcd stores all cluster data including secrets.

What is a container escape attack?

A container escape attack occurs when a process breaks out of container isolation to access the host system or other containers. Common vectors include privileged containers, hostPath mounts, and kernel exploits. Mitigate with Pod Security Standards and seccomp profiles.

What tools are used for Kubernetes security scanning?

Popular Kubernetes security tools include Trivy (vulnerability scanning), Falco (runtime security), kube-bench (CIS benchmarks), OPA Gatekeeper and Kyverno (policy enforcement), Kubescape (security posture), and Cosign (image signing).

CVE-2026-49445 — Sensitive information disclosure via local Envoy admin socket

CRITICAL9.2CVE-2026-49445GHSA-3fcv-jvfp-m4q9

CVSS vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:H
Affected projects: cilium
Disclosed: June 1, 2026

Affected versions

Project	Vulnerable range
cilium	`>= 1.19.0, < 1.19.2`
cilium	`>= 1.18.0, < 1.18.8`
cilium	`< 1.17.14`

Patched versions

Project	Fixed in
cilium	`1.19.2`
cilium	`1.18.8`
cilium	`1.17.14`

References

GHSA-3fcv-jvfp-m4q9

Summary

When Cilium L7 functionality is enabled on a cluster, the Envoy instance supporting this functionality creates a world-accessible socket on cluster nodes. A local attacker can access Envoy admin endpoints, potentially exposing TLS secrets, disrupting cluster traffic, or terminating the Envoy process. This issue affects both the embedded and standalone Envoy deployment models.

Impact

A local attacker on a cluster node can reach Envoy admin endpoints through the world-accessible socket that Cilium creates when L7 functionality is enabled. Depending on deployment configuration, this can result in exposure of TLS secrets, disruption of traffic in the cluster, or termination of the Envoy process. Both the embedded and standalone Envoy deployment models are affected across Cilium v1.17, v1.18, and v1.19 release branches.

Detection

The advisory does not provide specific detection guidance. Because exploitation requires local access to the Envoy admin socket on a cluster node, monitor for unexpected local access to that socket and restrict node access to trusted operators. Consult the Cilium security advisory linked below for any detection guidance the Cilium community publishes.

Mitigation

Upgrade Cilium to a patched release:

Cilium v1.19.x: upgrade to v1.19.2 or later
Cilium v1.18.x: upgrade to v1.18.8 or later
Cilium v1.17.x and earlier: upgrade to v1.17.14 or later

There is no known workaround for this issue. Upgrading to a patched release is the only remediation.

References

GHSA-3fcv-jvfp-m4q9 — Cilium GitHub Security Advisory

Affected versions

Patched versions

References

Summary​

Impact​

Detection​

Mitigation​

References​

Summary

Impact

Detection

Mitigation

References