
All news with #kubernetes security tag

49 articles · page 2 of 3

GKE for Telco: Building a Resilient AI-Native Core

🚀 Google Cloud demonstrates how Google Kubernetes Engine (GKE) can form a high-performance foundation for telco modernization via two complementary paths: cloud-centric evolution for full cloud migration and strategic hybrid modernization to retain local control over latency-sensitive functions. The post highlights carrier-grade enhancements—multi-networking API, simulated L2, a telco CNI, persistent IP, and GKE IP route—with sub-second convergence and HA Policy to minimize downtime. It frames modernization as a means to enable predictive AIOps, intent-driven automation, faster time-to-market, and new monetization opportunities through AI and data platforms.

Kubernetes security: strengthening cluster defenses

🔒 New Kubernetes clusters are probed and often attacked within minutes, with honeypots run by Palo Alto Networks, Wiz and Aqua Security showing initial compromise attempts in roughly twenty minutes and repeated automated scans against container ports. The platform's permissive defaults and complex model make standard cloud controls insufficient. Organizations should adopt Kubernetes-specific controls: harden and automate RBAC, isolate workloads with network and namespace policies, store secrets in dedicated key management services, perform regular audits, and train developers on platform-specific threats and secure CI/CD practices.

Amazon EKS Node Monitoring Agent Released as Open Source

🔓 Amazon EKS Node Monitoring Agent is now open source on GitHub, giving operators visibility into the agent's implementation and the ability to contribute or customize its behavior. The agent automatically monitors node-level system, storage, networking, and accelerator issues and publishes them as node conditions used by Amazon EKS for automatic node repair. It is included in Amazon EKS Auto Mode and available as an add-on in all AWS Regions. Cluster administrators can inspect, adapt, and participate in the agent's ongoing development to better fit their operational needs.

TeamPCP Worm Targets Cloud Native Infrastructure at Scale

🚨 Researchers warn of a massive, worm-driven campaign by TeamPCP that began around December 25, 2025, systematically compromising cloud-native environments. The group abused exposed Docker APIs, Kubernetes clusters, Ray dashboards, Redis servers, and a critical React2Shell vulnerability (CVE-2025-55182) to deploy proxy, scanning, and C2 infrastructure. Compromised hosts are used for persistence, data exfiltration, extortion, crypto-mining, and proxy/C2 relays, with tooling tailored to Kubernetes and AWS/Azure deployments.

Four New Vulnerabilities Found in Ingress NGINX Controller

⚠ Four vulnerabilities were disclosed in the open source Ingress NGINX controller used in Kubernetes, with two rated CVSS 8.8. CVE-2026-1580 can enable authentication bypass when a misconfigured custom-errors backend ignores the X-Code header, and CVE-2026-24512 allows configuration injection via rules.http.paths.path, enabling code execution and secret disclosure. The other two issues pose lower or medium risks, including a potential DoS. Affected releases are 1.13.7 and below and 1.14.3 and below, and the only reliable mitigation is upgrading or migrating before Ingress NGINX reaches end of support.

AWS Batch Adds Unmanaged EKS Compute Environments Support

🚀 AWS Batch now supports unmanaged compute environments on Amazon EKS, extending Batch's job scheduling and orchestration to clusters you manage directly. You can create compute environments via the CreateComputeEnvironment API or the AWS Batch console by selecting an existing EKS cluster and specifying a Kubernetes namespace, then associate nodes using kubectl labels. This option preserves customer control over Kubernetes infrastructure for security, compliance, or operational requirements and is available today in all regions where AWS Batch operates.

VoidLink: Advanced Linux Malware Framework Targets Cloud

🔍 A newly identified cloud-native Linux malware framework named VoidLink targets modern cloud and container environments, providing custom loaders, implants, rootkits, and memory-loaded plugins. According to Check Point, it is written in Zig, Go, and C and adapts its behavior based on Kubernetes, Docker, and cloud metadata queries. Communications can use HTTP, WebSocket, DNS tunneling, or ICMP, each encapsulated in a custom encrypted layer called VoidStream, and the framework includes extensive anti-forensics and runtime protections. Analysts assess that it appears to be under active development and may be a commercial or customer-targeted framework rather than evidence of a current widespread campaign.

Amazon EKS Adds Cluster-wide and DNS-based Network Policies

🔐 Amazon EKS now offers centralized network policy controls with ClusterNetworkPolicy and DNS-based egress filtering to improve protection for Kubernetes workloads and their external integrations. These enhancements build on existing Kubernetes NetworkPolicies in the Amazon VPC CNI and enable cluster-wide enforcement of access filters. The features are available for new EKS clusters running Kubernetes 1.29+ in all commercial AWS Regions; support for existing clusters will follow. ClusterNetworkPolicy requires VPC CNI v1.21.0+, while DNS-based policies are supported in EKS Auto Mode-launched EC2 instances.

Webinar: Exploiting Cloud Misconfigurations in AWS, AI & K8s

🔒 The Cortex Cloud team at Palo Alto Networks is hosting a technical webinar that dissects three recent cloud investigations and demonstrates practical defenses. Speakers will reveal the mechanics of AWS identity misconfigurations, techniques attackers use to hide malicious artifacts by mimicking AI model naming, and how overprivileged Kubernetes entities are abused. The session emphasizes Code-to-Cloud detection, runtime intelligence, and audit-log analysis to close visibility gaps; register to attend the live deep dive.

Designing for GKE's Flat Network: Practical Recommendations

🔍 This post previews Google's new design recommendation for leveraging GKE's flat network, explaining how it differs from island-mode networking and how teams can adapt existing architectures. It highlights recommended patterns and a reference design that emulates island-mode behavior within the flat model. The guidance focuses on IP address management, scalability, and integration points to ease migration for critical workloads such as generative AI.

Amazon EKS Capabilities: Managed Kubernetes Platform

🚀 Amazon EKS Capabilities is now generally available, offering a fully managed, extensible set of Kubernetes-native platform features that offload operations to AWS. The capabilities run in AWS-owned infrastructure separate from customer clusters and AWS handles autoscaling, patching, and upgrades. Launch features include Argo CD for continuous deployment, AWS Controllers for Kubernetes (ACK) for resource management, and Kube Resource Orchestrator (KRO) for dynamic orchestration.

SageMaker HyperPod Adds Custom Kubernetes Labels and Taints

🛠️ Amazon SageMaker HyperPod now supports custom Kubernetes labels and taints configured at the instance group level via the CreateCluster and UpdateCluster APIs. You can specify up to 50 labels and 50 taints per instance group using the KubernetesConfig parameter. HyperPod automatically applies and preserves these settings across node creation, replacement, scaling, and patching, eliminating manual kubectl work and ensuring device plugin pods (EFA, NVIDIA) schedule correctly while allowing NoSchedule taints to protect costly GPU nodes.

Manage SageMaker HyperPod Clusters with AI MCP Server

🔧 The Amazon SageMaker AI MCP Server now provides tools to set up and manage HyperPod clusters, allowing AI coding assistants to provision and operate clusters for distributed training, fine-tuning, and deployment. It automates prerequisites and orchestrates clusters via Amazon EKS or Slurm with CloudFormation templates that optimize networking, storage, and compute. The server also delivers lifecycle operations (scaling, patching, diagnostics) so administrators and data scientists can manage large-scale AI/ML clusters without deep infrastructure expertise.

Fluent Bit Vulnerabilities Threaten Cloud and Kubernetes

⚠️ Researchers disclosed five vulnerabilities in Fluent Bit, the open-source telemetry agent, that can be chained to bypass authentication, write or overwrite files, execute code, corrupt logs, and cause denial-of-service conditions. CERT/CC noted many issues require network access, and fixes were released in Fluent Bit 4.1.1 and 4.0.12 with AWS participating in coordinated disclosure. Operators are urged to update immediately and apply mitigations such as avoiding dynamic tags, mounting configs read-only, and running the agent as a non-root user.

High-severity runc bugs allow container breakouts via procfs

⚠ Three high-severity vulnerabilities in the runc container runtime allow attackers to escape containers and gain host-level privileges by abusing masked paths, console bind-mounts, and redirected writes to procfs. Aleksa Sarai of SUSE and the OCI described logic flaws that let runc mount or write to sensitive /proc targets, including /proc/sys/kernel/core_pattern and /proc/sysrq-trigger. Patches are available in runc 1.2.8, 1.3.3 and 1.4.0-rc.3; administrators should update promptly, favor rootless containers where feasible, and monitor for suspicious symlink behaviour.

Kubernetes introduces control-plane minor-version rollback

🔁 Google and the Kubernetes community introduced control-plane minor-version rollback in Kubernetes 1.33, giving operators a safe, observable path to revert control-plane upgrades. The new KEP-4330 emulated-version model separates binary upgrades from API and storage transitions into a two-step process, enabling validation before committing changes. This capability is available in open-source Kubernetes and will be generally available in GKE 1.33 soon, reducing upgrade risk and shortening recovery time from unexpected regressions.

Ray on GKE: New AI Scheduling and Scaling Features

🚀 Google Cloud and Anyscale describe tighter integration between Ray and Kubernetes to improve distributed AI scheduling and autoscaling on GKE. The release introduces a Ray Label Selector API (Ray v2.49) to align task, actor and placement-group placement with Kubernetes labels and GKE custom compute classes, enabling targeted placement and fallback strategies for GPUs and markets. It also adds Dynamic Resource Allocation for A4X/GB200 racks, writable cgroups for Ray resource isolation on GKE v1.34+, TPU/JAX training support via a JAXTrainer in Ray v2.49, and in-place pod resizing (Kubernetes v1.33) for vertical autoscaling and higher efficiency.

Dataproc 2.3 on Google Compute Engine: Lightweight Security

🔐 Dataproc 2.3 on Google Compute Engine provides a streamlined image that includes only the essential core components for Spark and Hadoop, reducing the attack surface and simplifying compliance. The image is FedRAMP High compliant and leverages both automated CVE remediation and manual engineering intervention for complex fixes. Optional tools like Flink, Hudi, Ranger, and Zeppelin are available on-demand during cluster creation, or can be pre-baked into custom images to speed provisioning while preserving the security benefits of the lightweight base.

AWS Releases Whitepaper: Security Overview of EKS Auto Mode

🛡️ AWS has published a new whitepaper titled Security Overview of Amazon EKS Auto Mode that explains the service’s architecture, core security principles, and built-in protections. The guidance highlights a new approach to node management that leverages Amazon EC2 managed instances to let customers delegate operational control to AWS. Intended for cloud architects, security professionals, and Kubernetes practitioners, the document helps teams understand how EKS Auto Mode reduces infrastructure complexity while maintaining secure operations.

GKE Managed Lustre CSI Driver for AI and HPC Workloads

🚀 Managed Lustre on GKE is a managed parallel file system with a CSI driver that brings low-latency, high-throughput POSIX storage to Kubernetes for demanding AI and HPC workloads. It is recommended for training, checkpointing, and small-file patterns where GPUs/TPUs must stay utilized, while Cloud Storage is an alternative for large, higher-latency files. The article presents five operational best practices—data locality, tiering, networking, provisioning, and using Kubernetes Jobs with a shared PVC—to maximize performance and control costs.