What is Kubernetes security?

Kubernetes security encompasses the practices, tools, and configurations used to protect Kubernetes clusters, workloads, and data. It includes authentication, authorization (RBAC), network policies, pod security standards, secrets management, and runtime security.

What is the CKS certification?

The Certified Kubernetes Security Specialist (CKS) is a CNCF certification that validates expertise in securing Kubernetes clusters. It covers cluster setup and hardening, system hardening, minimizing microservice vulnerabilities, and supply chain security.

What are Kubernetes network policies?

Network policies are Kubernetes resources that control pod-to-pod and pod-to-external traffic. They act as a firewall for your cluster, allowing you to specify which pods can communicate with each other based on labels, namespaces, and ports.

What are Pod Security Standards?

Pod Security Standards (PSS) are predefined security profiles that define different levels of pod security restrictions: Privileged (unrestricted), Baseline (minimally restrictive to prevent known privilege escalations), and Restricted (heavily restricted following security best practices).

What is RBAC in Kubernetes?

Role-Based Access Control (RBAC) is a Kubernetes authorization mechanism that regulates access to resources based on user roles. It uses Role, ClusterRole, RoleBinding, and ClusterRoleBinding resources to define and assign permissions to users and service accounts.

How do I secure etcd in Kubernetes?

Secure etcd by enabling encryption at rest for secrets, using TLS for client-server communication, restricting access to etcd endpoints via firewall rules, enabling authentication, and running regular backups. etcd stores all cluster data including secrets.

What is a container escape attack?

A container escape attack occurs when a process breaks out of container isolation to access the host system or other containers. Common vectors include privileged containers, hostPath mounts, and kernel exploits. Mitigate with Pod Security Standards and seccomp profiles.

What tools are used for Kubernetes security scanning?

Popular Kubernetes security tools include Trivy (vulnerability scanning), Falco (runtime security), kube-bench (CIS benchmarks), OPA Gatekeeper and Kyverno (policy enforcement), Kubescape (security posture), and Cosign (image signing).

GHSA-rfgw-vmxp-hp5g — Falco default rules bypass via evasion techniques

HIGHGHSA-rfgw-vmxp-hp5g

Affected projects: falco
Disclosed: May 7, 2021
Last updated: April 28, 2026

Affected versions

Project	Vulnerable range
Falco	`<0.28.1`

Patched versions

Project	Fixed in
Falco	`0.28.1`

References

GHSA-rfgw-vmxp-hp5g

Summary

Multiple techniques were identified that allow attackers to circumvent Falco's default detection rule sets. The advisory describes four distinct bypass categories: writing a file to a temporary location and then moving it to the target path to evade file-write detection rules; using non-standard chmod modes (such as 0477 or 6777) that are not covered by rules checking only for 4777; crafting command lines that contain a trusted path string while still accessing sensitive files, exploiting the use of proc.cmdline with contains or startswith operators; and accessing files through system-level symlinks such as /proc/self/root or other existing symlinks to bypass rules that assume paths are absolute. These gaps affect users relying on Falco versions before 0.28.1 without applying updated rule sets.

Impact

Users relying on Falco's default rule sets without upgrading to version 0.28.1 or later may fail to detect common attack behaviors specifically crafted to evade rule conditions. The affected detection categories include file write monitoring, SUID/SGID permission changes, sensitive file reads (such as /etc/shadow), and path-based access monitoring. The advisory notes that the predefined rule sets are not intended to cover all possible attack cases and that users should customize rules to meet their specific environment's needs.

Detection

The advisory itself identifies the detection gaps present in rule sets shipped before version 0.28.1. Users running older Falco versions should verify their alerting coverage for the following patterns: file writes performed via a temporary file followed by a move operation; chmod calls using modes other than those explicitly listed in rules; sensitive file reads where the command line contains an expected trusted string alongside additional paths; and file access through symlinks such as /proc/self/root. Reviewing active Falco rule files for overly specific proc.cmdline contains and fd.name startswith conditions will identify rules susceptible to these bypass techniques.

Mitigation

Upgrade Falco to version 0.28.1 or later, which includes updated rule sets that address the identified bypass techniques. Note that newer rule sets specify a required_engine_version that may be incompatible with older Falco engine versions, making a full Falco version upgrade necessary rather than a rule-file-only update. After upgrading, customize the default rule sets to cover attack patterns specific to your environment — the default rules are designed to address main attack vectors and are not a comprehensive detection solution. Extending rules beyond the defaults, particularly for sensitive file access and permission changes, is strongly recommended.

References

GHSA-rfgw-vmxp-hp5g

Affected versions

Patched versions

References

Summary​

Impact​

Detection​

Mitigation​

References​

Summary

Impact

Detection

Mitigation

References