What is Kubernetes security?

Kubernetes security encompasses the practices, tools, and configurations used to protect Kubernetes clusters, workloads, and data. It includes authentication, authorization (RBAC), network policies, pod security standards, secrets management, and runtime security.

What is the CKS certification?

The Certified Kubernetes Security Specialist (CKS) is a CNCF certification that validates expertise in securing Kubernetes clusters. It covers cluster setup and hardening, system hardening, minimizing microservice vulnerabilities, and supply chain security.

What are Kubernetes network policies?

Network policies are Kubernetes resources that control pod-to-pod and pod-to-external traffic. They act as a firewall for your cluster, allowing you to specify which pods can communicate with each other based on labels, namespaces, and ports.

What are Pod Security Standards?

Pod Security Standards (PSS) are predefined security profiles that define different levels of pod security restrictions: Privileged (unrestricted), Baseline (minimally restrictive to prevent known privilege escalations), and Restricted (heavily restricted following security best practices).

What is RBAC in Kubernetes?

Role-Based Access Control (RBAC) is a Kubernetes authorization mechanism that regulates access to resources based on user roles. It uses Role, ClusterRole, RoleBinding, and ClusterRoleBinding resources to define and assign permissions to users and service accounts.

How do I secure etcd in Kubernetes?

Secure etcd by enabling encryption at rest for secrets, using TLS for client-server communication, restricting access to etcd endpoints via firewall rules, enabling authentication, and running regular backups. etcd stores all cluster data including secrets.

What is a container escape attack?

A container escape attack occurs when a process breaks out of container isolation to access the host system or other containers. Common vectors include privileged containers, hostPath mounts, and kernel exploits. Mitigate with Pod Security Standards and seccomp profiles.

What tools are used for Kubernetes security scanning?

Popular Kubernetes security tools include Trivy (vulnerability scanning), Falco (runtime security), kube-bench (CIS benchmarks), OPA Gatekeeper and Kyverno (policy enforcement), Kubescape (security posture), and Cosign (image signing).

GHSA-qr4g-8hrp-c4rw — Kyverno apiCall non-blind SSRF via variable substitution

HIGH7.7GHSA-qr4g-8hrp-c4rw

CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Affected projects: kyverno
Disclosed: April 13, 2026
Last updated: April 28, 2026

Affected versions

Project	Vulnerable range
github.com/kyverno/kyverno	`1.17.1`

Patched versions

Project	Fixed in
github.com/kyverno/kyverno	`1.18.0`

References

GHSA-qr4g-8hrp-c4rw

Summary

A Server-Side Request Forgery (SSRF) vulnerability in Kyverno's apiCall.service.url feature allows authenticated users to cause the admission controller to send arbitrary HTTP requests to attacker-controlled or internal endpoints. When a ClusterPolicy uses variable substitution in the service URL (for example, http://{{ request.object.metadata.annotations.target }}), user-controlled input can influence the request destination. The vulnerability is non-blind: response data from internal services is reflected back to the user through admission webhook error messages, enabling data exfiltration directly via kubectl output. The HTTP execution path lacks URL validation, IP range filtering, and redirect-chain restrictions.

Impact

Authenticated cluster users can direct Kyverno to issue requests to loopback addresses, link-local ranges such as cloud instance metadata endpoints, internal ClusterIP services, and arbitrary external hosts by supplying crafted resource fields or annotations that influence a URL template. Because non-2xx response bodies and JSON parse failures are propagated back in admission error messages, the SSRF is non-blind: retrieved content is directly readable from kubectl apply output. The advisory notes multi-tenant boundary violation as an impact, as Kyverno's privileged ServiceAccount executes these requests regardless of the requesting user's actual permissions.

Detection

Inspect all ClusterPolicy and Policy resources for apiCall.service.url fields containing variable substitution patterns such as {{ request.object.* }}. Review Kubernetes API server audit logs for admission webhook responses that include unexpected error bodies containing IP addresses or internal service content. Monitor for policy-driven HTTP requests to link-local ranges (169.254.0.0/16), loopback (127.0.0.1), or internal cluster service addresses.

Mitigation

Upgrade Kyverno to version 1.18.0 or later, which addresses the missing URL validation and filtering in the apiCall HTTP execution path. Until the upgrade is complete, audit all policies that use apiCall.service.url with variable substitution and either remove them or replace the variable-derived URL segments with hardcoded trusted values. Apply network egress policies on the Kyverno controller pods to restrict outbound connections to approved endpoints, reducing the exploitable surface for SSRF.

References

GHSA-qr4g-8hrp-c4rw

Affected versions

Patched versions

References

Summary​

Impact​

Detection​

Mitigation​

References​

Summary

Impact

Detection

Mitigation

References