kubernetes-security
Safeguard articles tagged "kubernetes-security" — guides, analysis, and best practices for software supply chain and application security.
125 articles
Linux cgroups release_agent container escape (CVE-2022-0492)
CVE-2022-0492 lets containers with CAP_SYS_ADMIN escape via cgroup v1's release_agent. Impact, timeline, and concrete remediation steps inside.
containerd-shim abstract Unix socket container escape (CVE-2020-15257)
CVE-2020-15257 let containers sharing a host network namespace abuse containerd-shim's abstract socket API. Here's the impact, fix, and remediation path.
Kubernetes validating admission webhook bypass (CVE-2021-25735)
CVE-2021-25735 let attackers bypass Kubernetes validating admission webhooks on Node objects via a kube-apiserver flaw. Here's the fix and detection path.
Kubernetes kubelet symlink volume mount escape (CVE-2021-25741)
CVE-2021-25741 lets attackers escape subPath volume mounts in Kubernetes kubelet via a symlink race, exposing host files and enabling privilege escalation.
containerd CRI plugin mount escape (CVE-2022-23648)
CVE-2022-23648 let crafted pod volume specs bypass containerd's CRI mount isolation to reach arbitrary host files — versions, severity, and fixes.
Detecting container threats in OCI with Cloud Guard
How OCI Cloud Guard detects container threats in OKE — detector recipes, responder rules, real blind spots, and where Safeguard adds runtime and supply-chain coverage.
Kubernetes Python client aggregated API vulnerability (CVE-2022-3172)
CVE-2022-3172 lets a rogue aggregated API backend redirect authenticated Kubernetes API traffic, exposing Python client apps to credential theft.
Kubernetes RBAC misconfiguration explained
RBAC misconfigurations like wildcard rules and default service account bindings have powered real cluster takeovers, from CVE-2018-1002105 to Siloscape.
Argo CD Path Traversal via Malicious Helm Chart values.ya...
CVE-2022-24348 let attackers use a malicious Helm chart to path-traverse Argo CD's repo-server, exposing secrets across GitOps applications. Here's the fix.
Helm Chart Repository Index Cache Confusion Vulnerability...
CVE-2021-32690 is a Helm chart repository index cache confusion flaw fixed in 3.6.1 that could push users toward an unintended chart. Here's what matters.
runc Container Breakout via /proc/self/exe Overwrite (CVE...
CVE-2019-5736 let a malicious container overwrite the host runc binary, escaping isolation to gain root on the Docker or Kubernetes host.
containerd-shim Abstract Unix Socket Exposure Enabling Co...
CVE-2020-15257 lets processes in host-networked containers reach the containerd-shim socket and escape to the host. Impact, affected versions, and fixes explained.