< ciso
brief />
Tag Banner

All news with #kubernetes security tag

57 articles

GKE Blueprint for Securing AI Workloads at Scale

🔒 This article presents a blueprint for securing AI workloads on Google Kubernetes Engine (GKE), consolidating controls across Google Cloud services and GKE features to create a secure-by-default platform. It covers three layers—infrastructure, supply chain, and application—and details capabilities such as Confidential GKE Nodes, Workload Identity Federation, k8s-aibom for AI SBOMs, Model Armor, and the GKE Inference Gateway. The blueprint recommends a three-phase rollout: Deploy, Operate, and Govern, and emphasizes integrating Google Cloud controls to maintain security at enterprise scale.
read more →

GKE Autopilot Clusters with Managed DRANET

🛠️ This blog explains how to configure GKE Autopilot clusters to use GKE managed DRANET for GPU and TPU workloads. It outlines the setup flow: create a VPC, deploy an Autopilot cluster, define a custom ComputeClass, create a ResourceClaimTemplate for RDMA (GPUs) or netdev (TPUs), and deploy workloads that reference those resources. Examples and YAML snippets demonstrate GPU and TPU ComputeClasses, resource claim templates, and a deployment that binds pods to accelerators.
read more →

Argo CD flaw highlights GitOps as tier-zero risk

🔒 A critical vulnerability in Argo CD repo-server exposes risks inherent to GitOps platforms. Synacktiv found the unauthenticated GenerateManifest gRPC endpoint can be abused via Kustomize/Helm options to execute commands if an attacker can reach both the repo-server and Redis ports. The issue affects typical Helm deployments where Kubernetes network policies are not enabled by default, enabling lateral movement from a compromised pod. Synacktiv disclosed details July 1, 2026 and recommends strict network segmentation until a patch is available.
read more →

Secure container workloads with attribute-based rules

🛡️ AWS Network Firewall now supports container attribute-based rules for Amazon EKS and Amazon ECS, enabling firewall policies based on native container attributes (namespaces, pod names, labels, cluster names) instead of ephemeral IPs. This feature automatically discovers and tracks matching pods, dynamically updates IP-to-attribute mappings, and enriches alert logs with container context for easier troubleshooting and auditing. It integrates with Suricata-compatible rules, exports logs to CloudWatch Logs and S3, and can be configured via the AWS Console, CLI, or SDK with no additional feature charge.
read more →

Unpatched Argo CD repo-server flaw risks code execution

🔒 Synacktiv disclosed an unpatched vulnerability in Argo CD's repo-server that allows unauthenticated attackers to execute arbitrary commands if they can reach the component's internal gRPC port. The flaw abuses kustomize's --helm-command option to run attacker-controlled scripts, demonstrated against Argo CD v2.13.3, and can lead to full cluster takeover by leveraging exposed Redis credentials. There is no fixed release or CVE; operators must enable Kubernetes network policies to isolate repo-server and Redis until a patch is available.
read more →

AWS Network Firewall Adds Container Attribute Rules

🔒 Today AWS announced container attribute-based rules for AWS Network Firewall, allowing firewall policies to reference native container constructs like Namespace, Cluster Name, Labels for Amazon EKS, and Cluster Name and Container Instance Attributes for Amazon ECS. This removes the need for fragile IP-based rules that break when pods scale or restart and supports generative AI and other dynamic workloads. The feature supports TLS decryption, FQDN and URL category filtering, and GeoIP controls, and is available at no extra cost in supported regions.
read more →

June 2026 Threat Technique Catalog Update for AWS

🛡️ The AWS CIRT updated the Threat Technique Catalog for June 2026, adding five new entries focused on container security, organization-level trust, and compute hijacking. The update documents EKS workload modification, exploitation of public-facing Kubernetes services, sts:AssumeRoot abuse across AWS Organizations, compute hijacking in clusters, and account invitations into attacker-controlled organizations. It also refreshes three existing entries with expanded detection and mitigation guidance.
read more →

GKE Inference Gateway Boosts AI Inference Efficiency

🚀 GKE Inference Gateway uses prefix caching and model-aware routing to reduce accelerator idle time and speed up LLM inference. By matching request prefixes to pods that already hold the KV cache, it avoids repeated recomputation and lowers latency compared with naive round-robin load balancing. Independent benchmarks show 15.7% higher throughput, 92.8% faster time-to-first-token, and 62.6% lower inter-token latency. Snap reports 75–80% prefix cache hit rates in production integrations.
read more →

App-centric Maintenance Visibility in Unified Maintenance

🛠️ App-centric maintenance visibility in Unified Maintenance shifts focus from infrastructure to business services. By integrating with App Hub, Unified Maintenance aggregates maintenance schedules for registered resources—GKE clusters, GCE VMs, AlloyDB instances—into a single application-aware dashboard. This reduces manual mapping, speeds triage of performance issues against planned updates, and helps platform teams predict operational impacts across many projects.
read more →

Kaspersky Container Security: Practical Team Insights

🔒 Kaspersky Container Security (KCS) is presented as a comprehensive platform that reaches beyond registry image scanning to secure container workflows across development and production. The Product Security Team uses KCS in CI/CD pipelines, registry correlation, and cluster runtime monitoring to tie findings to specific artifacts, pipelines, and scan times. KCS computes risk ratings, supports SBOM processing, and produces reports in SARIF, CycloneDX, SPDX and standard formats to integrate with AppSec and internal tooling.
read more →

EKS Adds Karpenter Support for ARC Zonal Shift and Autoshift

🔁 Amazon EKS now supports Amazon Application Recovery Controller (ARC) zonal shift and zonal autoshift when using the open-source Karpenter for compute provisioning. ARC automates redirecting in-cluster network traffic away from an impaired AZ and can perform practice runs to validate cluster behavior. During a zonal shift, Karpenter stops provisioning in the impacted AZ, halts voluntary disruptions there, and avoids scheduling actions that depend on that zone. Enable support by setting ENABLE_ZONAL_SHIFT.
read more →

Platform Modernization and AI on Azure Red Hat OpenShift

🔷 At Red Hat Summit 2026, Microsoft and Red Hat highlighted how Azure Red Hat OpenShift supports modernization and production AI by delivering consistent governance, security, and scale. Microsoft was named Platform Modernization Partner of the Year, underscoring joint customer outcomes. Banco Bradesco and Topicus illustrate production AI and regulated lending workloads running on the jointly managed platform. Key advances include OpenShift Virtualization, confidential containers, managed identities, expanded NVIDIA GPU support, and broader regional availability.
read more →

EC2 Instance Store CSI Driver Now Available as EKS Add-on

💾 Amazon EKS now supports the EC2 Instance Store CSI driver as an EKS add-on, and you can install and manage it via the EKS console or AWS CLI. The driver exposes ephemeral NVMe-based instance store volumes as Kubernetes persistent volumes and manages their lifecycle on EC2 hosts. This feature simplifies attaching local instance storage to EKS clusters and is available in all commercial regions.
read more →

Cloud Engineers AI Toolkit: Hands-on Developer Workshops

🤖 Join hands-on developer workshops across North America that teach secure, scalable deployment of agentic AI for enterprises. These sessions are practical, bring-your-laptop labs where Platform, Security, and Data practitioners build end-to-end solutions, including GKE cluster hardening, secure sandboxing, and governed data pipelines. Tracks cover GKE + Data and Data Engineering & Analytics, with guidance from Google experts. Attendees leave with runnable labs and operational best practices to accelerate production adoption.
read more →

Amazon EKS Adds Dynamic Resource Allocation for EFA

🚀Amazon EKS now supports Dynamic Resource Allocation (DRA) for Elastic Fabric Adapter (EFA), simplifying RDMA and high-performance inter-node communication for AI/ML and HPC workloads. The EFA DRA driver, based on the upstream DRANET project, enables topology-aware allocation and EFA interface sharing so network traffic uses the closest NIC to GPUs, Trainium, or Inferentia. It’s recommended for new EKS deployments on Kubernetes 1.34+ and is available in all AWS Regions; the existing EFA device plugin remains supported and is still recommended for use with Karpenter and Amazon EKS Auto Mode.
read more →

Amazon EKS adds one-click cluster access via CloudShell

☁️ Amazon Elastic Kubernetes Service (EKS) now offers one-click cluster access from the AWS Management Console via AWS CloudShell, eliminating the need to install or configure kubectl, AWS CLI, or kubeconfig files locally. From the EKS console, selecting Connect launches a CloudShell session with kubectl pre-configured for the chosen cluster so you can run commands immediately. The feature supports clusters with both public and private API server endpoints and each session also includes the AWS CLI and standard CloudShell utilities for troubleshooting and management.
read more →

GKE Updates at Google Cloud Next ’26: Scale, Security, AI

🚀 At Google Cloud Next ’26, Google unveiled a suite of GKE enhancements focused on large-scale AI and agentic workloads. Highlights include the new GKE Agent Sandbox (gVisor-based isolation for fast, secure sandboxes), private GA of GKE hypercluster to manage millions of accelerators across regions, and inference upgrades like Predictive Latency Boost and KV cache tiering. Preview RL features and intent-based autoscaling on custom metrics further enhance utilization and reliability.
read more →

Amazon EKS Hybrid Nodes gateway simplifies hybrid networking

🔗 Amazon Elastic Kubernetes Service (EKS) introduces the Amazon EKS Hybrid Nodes gateway to automate networking between an EKS cluster VPC and Kubernetes Pods running on EKS Hybrid Nodes. The gateway removes the need to make on‑premises pod networks routable and avoids extensive coordination with network teams by automatically maintaining VPC route tables as workloads scale. Deployed to Amazon EC2 instances via Helm, the gateway also enables control-plane-to-webhook, pod-to-pod, and AWS service connectivity (ALB, NLB, Amazon Managed Service for Prometheus). The codebase is open source and the feature is available in all Regions where EKS Hybrid Nodes is supported, excluding China Regions. AWS offers the gateway itself at no additional charge; customers pay for underlying EC2 and data transfer costs.
read more →

GKE Cloud Storage FUSE Profiles for AI/ML Workload I/O

⚡ GKE’s Cloud Storage FUSE Profiles automate performance tuning for AI/ML workloads by providing pre-defined, dynamically managed StorageClasses optimized for training, serving, and checkpointing. Instead of manually adjusting many mount and CSI options, users select a profile and GKE scans the bucket and node resources to calculate cache sizes and backing media. The CSI driver mounts the volume with those calculated options and dynamically adjusts cache behavior using real-time signals to maximize throughput while protecting node stability.
read more →

Modern Kubernetes Threats and Identity-focused Attacks

🔒 Unit 42 details how widespread Kubernetes attacks—driven by identity theft and exposed services—enable escalation from containers into cloud backends. The report highlights stolen service account tokens and the rapid exploitation of React2Shell (CVE-2025-55182), showing how attackers extract mounted tokens and cloud credentials. Practical mitigations include strict RBAC, short-lived projected tokens, runtime telemetry, and API audit logging. Unit 42 maps these behaviors to MITRE ATT&CK and provides detection examples.
read more →