
All news with #kubernetes security tag

39 articles

GKE Cloud Storage FUSE Profiles for AI/ML Workload I/O

⚡ GKE’s Cloud Storage FUSE Profiles automate performance tuning for AI/ML workloads by providing pre-defined, dynamically managed StorageClasses optimized for training, serving, and checkpointing. Instead of manually adjusting many mount and CSI options, users select a profile and GKE scans the bucket and node resources to calculate cache sizes and backing media. The CSI driver mounts the volume with those calculated options and dynamically adjusts cache behavior using real-time signals to maximize throughput while protecting node stability.

Modern Kubernetes Threats and Identity-focused Attacks

🔒 Unit 42 details how widespread Kubernetes attacks—driven by identity theft and exposed services—enable escalation from containers into cloud backends. The report highlights stolen service account tokens and the rapid exploitation of React2Shell (CVE-2025-55182), showing how attackers extract mounted tokens and cloud credentials. Practical mitigations include strict RBAC, short-lived projected tokens, runtime telemetry, and API audit logging. Unit 42 maps these behaviors to MITRE ATT&CK and provides detection examples.

CloudWatch Container Insights adds OpenTelemetry for EKS

🔔 Amazon CloudWatch now offers Container Insights with OpenTelemetry metrics for Amazon EKS in public preview. The feature collects OTLP metrics from open source and AWS collectors, enriches each metric with up to 150 labels, and supplies curated dashboards and PromQL query support in CloudWatch Query Studio. Deployment is available via the CloudWatch Observability EKS add‑on, console, CloudFormation, CDK, or Terraform, and preview metrics are free.

Kubernetes Controllers as Stealthy Persistent Backdoors

🔒 Kubernetes clusters can be undermined by the very automation that makes them resilient. By registering or compromising a controller—most commonly via a MutatingWebhookConfiguration—an attacker can intercept pod-creation requests and inject a covert sidecar, turning the cluster’s control loop into a self-healing backdoor. These injections are often invisible to casual inspection, survive pod restarts and upgrades, and can be disguised under benign names. Teams should audit webhooks, monitor RoleBindings and OwnerReferences, and restrict webhook registration to reduce this risk.

One-line Kubernetes fix reclaimed 600 hours for Atlantis

🔧 Cloudflare engineers traced repeated 30-minute Atlantis restarts to Kubernetes recursively changing file ownership on a large PersistentVolume. The default pod securityContext behavior (fsGroup combined with fsGroupChangePolicy: Always) caused kubelet to run an expensive recursive chgrp across millions of files, creating a mounting bottleneck. By validating that file group ownership would remain stable and setting fsGroupChangePolicy: OnRootMismatch, restarts dropped to ~30 seconds. That single-line change recovered roughly 50 engineering hours per month (about 600 hours per year).

DRA: Dynamic Resource Allocation for Kubernetes Devices

⚡ DRA (Dynamic Resource Allocation) modernizes Kubernetes device management by replacing static Device Plugins with a request-based model built on ResourceSlice and ResourceClaim. It enables granular, attribute-based requests such as minimum VRAM, specific hardware models, or PCIe locality, and abstracts hardware via DeviceClass so the scheduler can match workloads to suitable devices. NVIDIA contributed a GPU driver and Google donated a TPU driver, and DRA is generally available in GKE. This reduces manual node pinning and improves utilization for LLM and AI workloads.

TeamPCP Backdoors LiteLLM Versions on PyPI via Trivy

⚠️ Security researchers report that TeamPCP published backdoored litellm packages (v1.82.7 and v1.82.8) to PyPI on March 24, 2026, likely leveraging a Trivy compromise in the project's CI/CD. The malicious wheels included a three-stage payload: a credential harvester, a Kubernetes lateral-movement toolkit, and a persistent systemd backdoor executed at import or interpreter startup. Vendors removed the tainted releases and urge immediate audits, isolation of affected hosts, credential rotation, and inspection of Kubernetes clusters for rogue pods and persistence.

UNC4899 Cloud Campaign Exploits AirDrop to Steal Crypto

🔒 Google links the North Korean actor UNC4899 to a 2025 cloud compromise that leveraged personal-to-corporate file transfers (AirDrop) and malicious code embedded in a shared archive. Attackers pivoted from a compromised developer device into Google Cloud, abused CI/CD and Kubernetes workflows, and manipulated Cloud SQL to extract funds. The campaign employed living-off-the-cloud techniques and persisted by injecting commands into deployment configurations. Recommended mitigations include phishing-resistant MFA, strict secrets management, and restricting P2P file sharing on corporate endpoints.

Cost-Effective AI: Ollama, GKE GPU Sharing, vCluster

💡 This post shows how to combine GKE Autopilot GPU time-sharing with vCluster to host isolated Ollama instances serving open models on shared GPU nodes. It outlines steps to provision Autopilot, create virtual clusters, deploy Ollama with GPU-sharing labels, and pull models for verification. The approach reduces GPU underutilization and simplifies multi-tenant operations. Teams keep isolated control planes while sharing hardware, lowering costs and operational overhead.

GKE Adds Native Custom Metrics for Horizontal Scaling

🚀 Google Cloud now provides native custom metrics for GKE Horizontal Pod Autoscaler (HPA), eliminating the need for external adapters, agents, and complex Workload Identity bindings. The agentless design sources pod metrics directly and exposes them via a new AutoscalingMetric controller, reducing latency, cost, and operational fragility. Users declare an AutoscalingMetric that points to a pod metric and reference it in an HPA, allowing HPAs to scale on custom workload signals just like CPU or memory. Google frames this as an initial step toward intent-based autoscaling for AI, gaming, batch, and other demanding workloads.

GKE for Telco: Building a Resilient AI-Native Core

🚀 Google Cloud demonstrates how Google Kubernetes Engine (GKE) can form a high-performance foundation for telco modernization via two complementary paths: cloud-centric evolution for full cloud migration and strategic hybrid modernization to retain local control over latency-sensitive functions. The post highlights carrier-grade enhancements—multi-networking API, simulated L2, a telco CNI, persistent IP, and GKE IP route—with sub-second convergence and HA Policy to minimize downtime. It frames modernization as a means to enable predictive AIOps, intent-driven automation, faster time-to-market, and new monetization opportunities through AI and data platforms.

Kubernetes security: strengthening cluster defenses

🔒 New Kubernetes clusters are probed and often attacked within minutes, with honeypots run by Palo Alto Networks, Wiz and Aqua Security showing initial compromise attempts in roughly twenty minutes and repeated automated scans against container ports. The platform's permissive defaults and complex model make standard cloud controls insufficient. Organizations should adopt Kubernetes-specific controls: harden and automate RBAC, isolate workloads with network and namespace policies, store secrets in dedicated key management services, perform regular audits, and train developers on platform-specific threats and secure CI/CD practices.

Amazon EKS Node Monitoring Agent Released as Open Source

🔓 Amazon EKS Node Monitoring Agent is now open source on GitHub, giving operators visibility into the agent's implementation and the ability to contribute or customize its behavior. The agent automatically monitors node-level system, storage, networking, and accelerator issues and publishes them as node conditions used by Amazon EKS for automatic node repair. It is included in Amazon EKS Auto Mode and available as an add-on in all AWS Regions. Cluster administrators can inspect, adapt, and participate in the agent's ongoing development to better fit their operational needs.

TeamPCP Worm Targets Cloud Native Infrastructure at Scale

🚨 Researchers warn of a massive, worm-driven campaign by TeamPCP that began around December 25, 2025, systematically compromising cloud-native environments. The group abused exposed Docker APIs, Kubernetes clusters, Ray dashboards, Redis servers, and a critical React2Shell vulnerability (CVE-2025-55182) to deploy proxy, scanning, and C2 infrastructure. Compromised hosts are used for persistence, data exfiltration, extortion, crypto-mining, and proxy/C2 relays, with tooling tailored to Kubernetes and AWS/Azure deployments.

Four New Vulnerabilities Found in Ingress NGINX Controller

⚠ Four vulnerabilities were disclosed in the open source Ingress NGINX controller used in Kubernetes, with two rated CVSS 8.8. CVE-2026-1580 can enable authentication bypass when a misconfigured custom-errors backend ignores the X-Code header, and CVE-2026-24512 allows configuration injection via rules.http.paths.path, enabling code execution and secret disclosure. The other two issues pose lower or medium risks, including a potential DoS. Affected releases are 1.13.7 and below and 1.14.3 and below, and the only reliable mitigation is upgrading or migrating before Ingress NGINX reaches end of support.

AWS Batch Adds Unmanaged EKS Compute Environments Support

🚀 AWS Batch now supports unmanaged compute environments on Amazon EKS, extending Batch's job scheduling and orchestration to clusters you manage directly. You can create compute environments via the CreateComputeEnvironment API or the AWS Batch console by selecting an existing EKS cluster and specifying a Kubernetes namespace, then associate nodes using kubectl labels. This option preserves customer control over Kubernetes infrastructure for security, compliance, or operational requirements and is available today in all regions where AWS Batch operates.

VoidLink: Advanced Linux Malware Framework Targets Cloud

🔍 A newly identified cloud-native Linux malware framework named VoidLink targets modern cloud and container environments, providing custom loaders, implants, rootkits, and memory-loaded plugins. According to Check Point, it is written in Zig, Go, and C and adapts its behavior based on Kubernetes, Docker, and cloud metadata queries. Communications can use HTTP, WebSocket, DNS tunneling, or ICMP, encapsulated in a custom encrypted layer called VoidStream, and the framework includes extensive anti-forensics and runtime protections. Analysts assess that it appears to be under active development and may be a commercial or customer-targeted framework rather than evidence of a current widespread campaign.

Amazon EKS Adds Cluster-wide and DNS-based Network Policies

🔐 Amazon EKS now offers centralized network policy controls with ClusterNetworkPolicy and DNS-based egress filtering to improve protection for Kubernetes workloads and their external integrations. These enhancements build on existing Kubernetes NetworkPolicies in the Amazon VPC CNI and enable cluster-wide enforcement of access filters. The features are available for new EKS clusters running Kubernetes 1.29+ in all commercial AWS Regions; support for existing clusters will follow. ClusterNetworkPolicy requires VPC CNI v1.21.0+, while DNS-based policies are supported in EKS Auto Mode-launched EC2 instances.

Webinar: Exploiting Cloud Misconfigurations in AWS, AI & K8s

🔒 The Cortex Cloud team at Palo Alto Networks is hosting a technical webinar that dissects three recent cloud investigations and demonstrates practical defenses. Speakers will reveal the mechanics of AWS identity misconfigurations, techniques attackers use to hide malicious artifacts by mimicking AI model naming, and how overprivileged Kubernetes entities are abused. The session emphasizes Code-to-Cloud detection, runtime intelligence, and audit-log analysis to close visibility gaps; register to attend the live deep dive.

Designing for GKE's Flat Network: Practical Recommendations

🔍 This post previews Google's new design recommendation for leveraging GKE's flat network, explaining how it differs from island-mode networking and how teams can adapt existing architectures. It highlights recommended patterns and a reference design that emulates island-mode behavior within the flat model. The guidance focuses on IP address management, scalability, and integration points to ease migration for critical workloads such as generative AI.