Kubernetes security
CVEs in the Kubernetes ecosystem, hardening practices, supply-chain risks, and the policy-engine landscape.
Kubernetes security spans the cluster (RBAC, network policies, admission control), the workload (pod security standards, runtime monitoring), and the supply chain (image provenance, SBOMs, signed artifacts). Notifire tracks CVE disclosures, hardening advisories, and the policy-engine releases that change the default-secure posture.
The category most likely to drive an on-call page is the supply chain: container images pulled from public registries with no provenance verification, then deployed via Helm charts that haven't been audited. The 2024 Linux/XZ backdoor was a wake-up call that's reshaping default trust assumptions.
Latest briefings on Kubernetes security
Infra
Argo CD Now Verifies Your Code’s Origin
The popular cloud deployment tool Argo CD is getting a major security boost. Its latest update adds features to verify that your code is authentic and to encrypt internal traffic, helping to secure your software supply chain.
Ashish Kale
Infra
Get a Clearer View of Your Kubernetes AI Jobs
A new plugin for the Headlamp Kubernetes UI now supports Volcano, a popular batch scheduler for AI and high-performance computing. This gives developers a simple web interface to inspect and manage complex batch jobs directly within Kubernetes.
Ashish Kale
Infra
Azure Kubernetes Now Runs Demanding AI and Bare Metal
Microsoft has updated its Azure Kubernetes Service with new features for AI, bare metal servers, and managing multiple clusters. This helps teams run more demanding applications and simplifies large-scale operations on the cloud.
Ashish Kale
Infra
Old Pixel Phones Power a New Private Cloud
Google and UC San Diego are building a private cloud using 2,000 retired Pixel phones. This project explores a sustainable, low-cost way to create computing infrastructure and reduce electronic waste from discarded smartphones.
Ashish Kale
Infra
Getting Kubernetes Certified Just Became Much Simpler
The CNCF, Linux Foundation, and Udemy have partnered to offer a unified training and certification path. This makes it much easier for developers to purchase courses and sit for official Kubernetes exams like CKA, CKAD, and CKS.
Ashish Kale
Security
Container Security Threats Are Evolving
As Docker and Kubernetes become standard for modern infrastructure, attackers are developing sophisticated new methods to compromise them. Research highlights a growing trend of attacks, from container escapes to complex supply chain compromises, targeting these widely used technologies and the companies that rely on them.
Neeraj Dhiman
Security
Gitea Flaw Exposes Private Images
A critical vulnerability in the Gitea self-hosted Git platform allows unauthenticated attackers to access and pull private container images. The flaw, affecting all versions before 1.26.2, requires no credentials for exploitation, posing a significant risk of intellectual property and sensitive data exposure.
Neeraj Dhiman
Security
Critical Linux Flaw Lets Attackers Escape Containers
Two critical vulnerabilities in systemd, a core Linux component, could allow attackers to escape containers or manipulate DNS records. The flaws affect widely used distributions, including Ubuntu 22.04 LTS.
Neeraj Dhiman
Security
Critical Linux Kernel Flaw Patched
Ubuntu has patched several critical vulnerabilities in the Linux kernel. One major flaw, dubbed 'Copy Fail,' affects the kernel's cryptography module and could allow a local attacker to gain higher privileges on a system or escape from a container, posing a significant security risk.
Neeraj Dhiman
AI
Your Team's Culture Is Its New Operating System
Kubernetes co-creator Craig McLuckie argues that as AI tools change development, a deliberate team culture becomes the most critical factor for success. This shift affects everything from open source contributions to career paths.
Neeraj Dhiman
Infra
Stop Manually Syncing Kubernetes Secrets
As Kubernetes environments grow, teams often copy sensitive data like API keys across accounts, creating a security risk. A tool called External Secrets Operator automates this, keeping secrets in one place and syncing them securely.
Ashish Kale
Infra
NGINX Ingress Controller Now Natively Secures Traffic
NGINX Ingress Controller now natively supports mutual TLS (mTLS), making it much simpler for teams to secure traffic between services. This update helps enforce zero-trust security policies directly within Kubernetes without complex workarounds.
Ashish Kale
Infra
A New Tool to Find Your Kubernetes VM Bottlenecks
A new open-source tool called `virtbench` helps teams measure the performance of virtual machines running on Kubernetes. It fills a critical gap, as traditional tools don't capture the full picture of infrastructure performance.
Ashish Kale
Infra
New AI SRE Tool Helps Tame Alert Storms
A new open-source tool called Nightwatch uses an AI agent to investigate system issues in real time. It groups alerts into incidents and flags noisy checks, helping teams reduce alert fatigue and resolve outages faster.
Ashish Kale
Infra
Expanse Aims to Unlock GPU Capacity
Expanse, a new YC-backed startup, has launched a tool to increase the efficiency of GPU clusters. It analyzes job scripts and code before execution to predict the actual resources needed, aiming to reduce underutilization on platforms like Kubernetes and SLURM for AI and HPC workloads.
Ashish Kale
Infra
The Kubernetes Integration Tax Is Real
A CNCF blog post shares a real-world story about the 'integration tax' of cloud-native tools. An on-call engineer faced blank dashboards because Prometheus wasn't correctly configured to monitor Cilium, highlighting how complex integrations can cause serious production issues for engineering teams.
Ashish Kale
Infra
Formae adds Kubernetes and Helm support
Platform Engineering Labs has updated its open-source Infrastructure-as-Code tool, formae. The update introduces full Kubernetes support, native Helm integration, and compatibility with Terraform's .tfvars files. A new public plugin hub was also launched to simplify cloud-native infrastructure management.
Ashish Kale
Infra
AI Tool Simplifies Kubernetes Gateway Migration
A new AI-assisted tool, highlighted by the CNCF, helps engineers migrate from ingress-nginx to the Higress gateway. The tool demonstrated its efficiency by converting 60 complex resources in about 30 minutes, significantly simplifying a common task for Kubernetes infrastructure teams.
Ashish Kale
Infra
Kubernetes Corrects Old Security Records
The Kubernetes project is correcting historical CVE records for some older, unfixed vulnerabilities. This update will cause vulnerability scanners to flag new issues that were previously miscategorized. Teams should prepare to reassess their security posture based on the updated data before 2026.
Ashish Kale
Frequently asked questions
What's the single highest-impact Kubernetes security control?
Enabling Pod Security Standards at the "restricted" profile by default and using admission controllers (Kyverno, OPA Gatekeeper) to enforce them. This single change blocks the majority of container-escape patterns and forces workload teams to explicitly justify privileged exceptions.
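To make concrete what the "restricted" profile actually blocks, here is an added example (not Notifire's code and not the code of Kyverno, Gatekeeper or the Kubernetes project) that applies the profile's main checks to a pod spec the way an admission controller would. It assumes manifests arrive as plain Python dicts, as `yaml.safe_load` would produce; both sample pods are constructed, one in the shape a restricted-profile policy rejects and one rewritten to pass.

```python
"""Added example: a minimal admission-style check of a pod spec against
the main Pod Security Standards "restricted" requirements.
Not the code of any real admission controller; the sample pods are
constructed and the manifests are plain dicts (yaml.safe_load output)."""

from typing import Any, Dict, List


def _containers(pod: Dict[str, Any]) -> List[Dict[str, Any]]:
    """All containers in the pod, init containers included."""
    spec = pod.get("spec", {})
    return list(spec.get("initContainers", [])) + list(spec.get("containers", []))


def restricted_violations(pod: Dict[str, Any]) -> List[str]:
    """Return human-readable violations of the 'restricted' profile.
    Covers the checks that block the common container-escape patterns:
    host namespaces, privileged containers, privilege escalation, root
    users, added capabilities and a missing seccomp profile.
    An empty list means the pod would be admitted."""
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext") or {}
    violations: List[str] = []

    # Sharing host namespaces is disallowed already at the baseline level.
    for key in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(key):
            violations.append(f"spec.{key} must not be true")

    for c in _containers(pod):
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext") or {}

        if sc.get("privileged"):
            violations.append(f"{name}: privileged must be false")

        # restricted requires allowPrivilegeEscalation to be explicitly false
        if sc.get("allowPrivilegeEscalation") is not False:
            violations.append(f"{name}: allowPrivilegeEscalation must be set to false")

        # runAsNonRoot may be set at pod or container level; the container wins
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            violations.append(f"{name}: runAsNonRoot must be true")

        caps = sc.get("capabilities") or {}
        if "ALL" not in caps.get("drop", []):
            violations.append(f"{name}: capabilities.drop must include ALL")
        # Only NET_BIND_SERVICE may be added back after dropping ALL.
        extra = [cap for cap in caps.get("add", []) if cap != "NET_BIND_SERVICE"]
        if extra:
            violations.append(f"{name}: capabilities.add contains {extra}")

        seccomp = (sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}).get("type")
        if seccomp not in ("RuntimeDefault", "Localhost"):
            violations.append(f"{name}: seccompProfile.type must be RuntimeDefault or Localhost")

    return violations


# Constructed sample: a "debug" pod of the kind a restricted policy rejects.
WEAK_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "debug"},
    "spec": {
        "hostPID": True,
        "containers": [{"name": "shell", "image": "busybox",
                        "securityContext": {"privileged": True}}],
    },
}

# Constructed sample: the same workload written to satisfy the profile.
HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "debug"},
    "spec": {
        "securityContext": {"runAsNonRoot": True,
                            "seccompProfile": {"type": "RuntimeDefault"}},
        "containers": [{"name": "shell", "image": "busybox",
                        "securityContext": {
                            "allowPrivilegeEscalation": False,
                            "capabilities": {"drop": ["ALL"]}}}],
    },
}

if __name__ == "__main__":
    for pod in (WEAK_POD, HARDENED_POD):
        print(pod["metadata"]["name"], restricted_violations(pod) or "admitted")
```

The weak pod fails six checks at once, which is the point of the FAQ answer: one profile setting removes a whole family of escape primitives, and a team that needs `hostPID` or `privileged` has to file an explicit, reviewable exception instead of shipping it by default.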
How do you handle Kubernetes CVE patching at scale?
Maintain a managed-cluster footprint (EKS/GKE/AKS) so the control plane patches automatically; treat node images as immutable and roll them via a managed node-group rolling update; subscribe to vendor PSIRT advisories and the upstream kubernetes-security-announce list.
What's an SBOM and why does Kubernetes need it?
A software bill of materials lists every component inside a container image. With SBOMs published alongside images and signed via Sigstore/cosign, you can answer "are any of my running workloads affected by CVE-X?" in seconds instead of days. The Kubernetes project itself publishes signed SBOMs for every release.
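The "seconds instead of days" claim rests on being able to join per-image SBOMs with an inventory of what is actually running. The following is an added example (not the Kubernetes project's, Sigstore's or Notifire's code) of that join: SBOMs are held in a minimal CycloneDX-style shape keyed by image digest, the running-pod inventory is what you would extract from the cluster's pod listing, and the advisory, the SBOMs, the inventory and the CVE id are all constructed placeholders. Signature verification of the SBOMs (cosign) is assumed to have happened when they were ingested and is not shown.

```python
"""Added example: answer "which running workloads are affected by CVE-X?"
by joining per-image SBOMs with a running-workload inventory.
All data below is constructed; the CVE id is a placeholder."""

from typing import Any, Dict, List, Optional, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """Numeric version tuple; adequate for the sample data only.
    Real matching should use the package ecosystem's own version rules."""
    return tuple(int(p) for p in v.split("-")[0].split("."))


# Constructed advisory: versions of `package` below `fixed_in` are affected.
ADVISORY = {
    "id": "CVE-YYYY-NNNNN",   # placeholder, not a real CVE
    "package": "libfoo",
    "fixed_in": "1.4.2",
}

# Constructed digests (real ones are 64 hex chars; these are fake fillers).
DIGEST_API = "sha256:" + "0a" * 32
DIGEST_WORKER = "sha256:" + "0b" * 32
DIGEST_FRONTEND = "sha256:" + "0c" * 32

# Constructed minimal CycloneDX-style SBOMs, keyed by image digest.
SBOMS: Dict[str, Dict[str, Any]] = {
    DIGEST_API: {"components": [
        {"name": "libfoo", "version": "1.4.1", "purl": "pkg:deb/debian/libfoo@1.4.1"},
        {"name": "openssl", "version": "3.0.13"}]},
    DIGEST_WORKER: {"components": [{"name": "libfoo", "version": "1.4.2"}]},
    DIGEST_FRONTEND: {"components": [{"name": "zlib", "version": "1.3"}]},
}

# Constructed inventory of running containers (namespace, pod, image reference).
RUNNING: List[Dict[str, str]] = [
    {"namespace": "payments", "pod": "api-7d9f", "image": f"registry.example/api@{DIGEST_API}"},
    {"namespace": "payments", "pod": "worker-1", "image": f"registry.example/worker@{DIGEST_WORKER}"},
    {"namespace": "web", "pod": "frontend-2", "image": f"registry.example/frontend@{DIGEST_FRONTEND}"},
    # Tag-only reference: no digest, so no SBOM can be attached to it.
    {"namespace": "web", "pod": "legacy-0", "image": "registry.example/legacy:latest"},
]


def image_digest(image_ref: str) -> Optional[str]:
    """Digest part of an image reference, or None for tag-only references."""
    return image_ref.split("@", 1)[1] if "@" in image_ref else None


def affected_components(sbom: Dict[str, Any], advisory: Dict[str, str]) -> List[Dict[str, str]]:
    """Components in one SBOM that match the advisory's package below the fixed version."""
    fixed = parse_version(advisory["fixed_in"])
    return [c for c in sbom.get("components", [])
            if c.get("name") == advisory["package"]
            and parse_version(c.get("version", "0")) < fixed]


def find_affected_workloads(running: List[Dict[str, str]],
                            sboms: Dict[str, Dict[str, Any]],
                            advisory: Dict[str, str]) -> Tuple[List[Dict[str, str]], List[str]]:
    """Return (affected workloads, workloads with no SBOM).
    Workloads without an SBOM are reported separately so that "unknown"
    is never silently counted as "clean"."""
    affected: List[Dict[str, str]] = []
    unknown: List[str] = []
    for w in running:
        digest = image_digest(w["image"])
        sbom = sboms.get(digest) if digest else None
        if sbom is None:
            unknown.append(f"{w['namespace']}/{w['pod']}")
            continue
        for comp in affected_components(sbom, advisory):
            affected.append({"namespace": w["namespace"], "pod": w["pod"],
                             "component": comp["name"], "version": comp["version"]})
    return affected, unknown


if __name__ == "__main__":
    hits, no_sbom = find_affected_workloads(RUNNING, SBOMS, ADVISORY)
    print(f"{ADVISORY['id']} affected workloads:", hits)
    print("workloads with no SBOM (cannot be assessed):", no_sbom)
```

Two details carry the operational value: the inventory is keyed by digest rather than tag, because a tag can be re-pointed after the SBOM was produced, and a workload whose image has no SBOM is listed as unknown rather than absent from the affected list, which is the difference between an answer and a false sense of safety.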