What is Kubernetes security?

Kubernetes security encompasses the practices, tools, and configurations used to protect Kubernetes clusters, workloads, and data. It includes authentication, authorization (RBAC), network policies, pod security standards, secrets management, and runtime security.

What is the CKS certification?

The Certified Kubernetes Security Specialist (CKS) is a CNCF certification that validates expertise in securing Kubernetes clusters. It covers cluster setup and hardening, system hardening, minimizing microservice vulnerabilities, and supply chain security.

What are Kubernetes network policies?

Network policies are Kubernetes resources that control pod-to-pod and pod-to-external traffic. They act as a firewall for your cluster, allowing you to specify which pods can communicate with each other based on labels, namespaces, and ports.

What are Pod Security Standards?

Pod Security Standards (PSS) are predefined security profiles that define different levels of pod security restrictions: Privileged (unrestricted), Baseline (minimally restrictive to prevent known privilege escalations), and Restricted (heavily restricted following security best practices).

What is RBAC in Kubernetes?

Role-Based Access Control (RBAC) is a Kubernetes authorization mechanism that regulates access to resources based on user roles. It uses Role, ClusterRole, RoleBinding, and ClusterRoleBinding resources to define and assign permissions to users and service accounts.

How do I secure etcd in Kubernetes?

Secure etcd by enabling encryption at rest for secrets, using TLS for client-server communication, restricting access to etcd endpoints via firewall rules, enabling authentication, and running regular backups. etcd stores all cluster data including secrets.

What is a container escape attack?

A container escape attack occurs when a process breaks out of container isolation to access the host system or other containers. Common vectors include privileged containers, hostPath mounts, and kernel exploits. Mitigate with Pod Security Standards and seccomp profiles.

What tools are used for Kubernetes security scanning?

Popular Kubernetes security tools include Trivy (vulnerability scanning), Falco (runtime security), kube-bench (CIS benchmarks), OPA Gatekeeper and Kyverno (policy enforcement), Kubescape (security posture), and Cosign (image signing).

GHSA-gg4x-fgg2-h9w9 — Kyverno policy bypass via double PolicyException

CRITICAL9.1GHSA-gg4x-fgg2-h9w9

CVSS vector: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Affected projects: kyverno
Disclosed: January 6, 2026
Last updated: April 28, 2026

Affected versions

Project	Vulnerable range
github.com/kyverno/kyverno	`v1.9.0 - v1.12.7`

Patched versions

Project	Fixed in
github.com/kyverno/kyverno	`v1.13.0`

References

GHSA-gg4x-fgg2-h9w9

Summary

When a Kyverno cluster has a policy in enforce mode and two separate PolicyException resources that match the same policy rule, the second exception can override the restrictions imposed by the first. This allows a workload to bypass an enforce-mode policy if it satisfies any one of the configured exceptions — even when the first exception is more restrictive and would have blocked that workload. The flaw exists in how Kyverno evaluates multiple concurrent exceptions for the same rule: a match on the less-restrictive second exception is sufficient to grant the bypass regardless of the first exception's conditions.

Impact

An attacker or misconfigured workload can bypass an otherwise strictly enforced security policy by ensuring the resource satisfies a broadly-scoped PolicyException. The advisory demonstrates this with a disallow-host-path enforce-mode policy: a workload that would be blocked by the namespace-scoped first exception is permitted if its name matches the wildcard pattern (*ingress*) in a second exception, regardless of which namespace it resides in. This creates a path to privilege escalation through techniques such as hostPath volume mounting. All Kyverno deployments running versions v1.9.0 through v1.12.7 with two or more PolicyException resources targeting the same rule are potentially affected.

Detection

Audit the cluster for PolicyException resources (in the kyverno.io/v2beta1 API group) that reference the same policyName and ruleNames as another PolicyException. Pay particular attention to exceptions that use names-based wildcard matching (e.g., names: ['*ingress*']) alongside namespace-scoped exceptions. Review PolicyReport and ClusterPolicyReport resources for unexpected pass results on enforce-mode policies to identify workloads that may have exploited the double-exception bypass.

Mitigation

Upgrade Kyverno to v1.13.0 or later, which corrects the exception evaluation logic. After upgrading, audit all PolicyException resources and ensure that no overlapping exceptions exist for the same policy rule where the less-restrictive exception could be satisfied by a workload the more-restrictive exception was intended to block. Where possible, consolidate multiple exceptions for the same rule into a single PolicyException with explicit conditions, reducing the risk of unintended bypass through evaluation ordering.

References

GHSA-gg4x-fgg2-h9w9

Affected versions

Patched versions

References

Summary​

Impact​

Detection​

Mitigation​

References​

Summary

Impact

Detection

Mitigation

References