| Personal Site | https://www.mccune.org.uk/ |
| Blog | https://raesene.github.io/ |
| Container Security Site | https://www.container-security.site |
| GitHub | https://github.com/raesene/ |
Cloud Native Rejekts is continuing and the community is leading the way! 🚀 We’ve made the decision to support Rejekts Amsterdam on March 21st, fully community‑organized 🇳🇱
📣 The CFP is now open! https://sessionize.com/cloud-native-rejekts-eu-2026
Please submit, share, and encourage others to get involved.
Rejekts will be locally organized by a team of volunteers. If you want to help organize Amsterdam, now’s the time to define event roles, promote the CFP, talk to sponsors, and start scouting venues & A/V. The CNR team will collaborate with event orgs in the new year.
Thank you to everyone for the passion, care, and commitment you've shown. Rejekts deserves a future that’s stable, inclusive, authentic, and truly community-driven. 💜
The Cloud Native Rejekts team
One of the wild things about #Kubernetes is the variation in configurations between distributions.
An odd one is that microk8s from Canonical doesn't enable RBAC out of the box.
Even if you read their "getting started" tutorial, there's no mention of enabling it in the "important addons" section: https://ubuntu.com/tutorials/install-a-local-kubernetes-with-microk8s#3-enable-addons !!
Now, they did disable anonymous access by default, so no unauthenticated RCE, but it does mean that any workload deployed to the cluster gets automatic cluster-admin rights, which is not great for a distribution billed as "the go-to platform for mission-critical workloads".
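As an added example (not part of the post above, and not code from microk8s or Kubernetes), here is a small Go check that answers the question the post raises from a node's own evidence rather than from the vendor docs: given the kube-apiserver's command line, what does `--authorization-mode` actually do? The flag semantics are the real ones (both `--flag=value` and `--flag value` forms, last occurrence wins, built-in default of `AlwaysAllow` when the flag is absent, and a newer `--authorization-config` file that supersedes the flag); the sample command lines are constructed, and the verdict names are my own.

```go
package main

import (
	"fmt"
	"strings"
)

// AuthzVerdict is the effective authorization behaviour of the API server.
type AuthzVerdict int

const (
	AuthzAllowAll   AuthzVerdict = iota // every authenticated request is allowed
	AuthzRBAC                           // RBAC is in the authorizer chain
	AuthzOther                          // some other chain (ABAC, Webhook, ...)
	AuthzConfigFile                     // --authorization-config is used; read that file instead
)

func (v AuthzVerdict) String() string {
	return [...]string{"AlwaysAllow", "RBAC", "Other", "ConfigFile"}[v]
}

// ClassifyAuthz takes the apiserver's arguments (e.g. `ps -o args= -C kube-apiserver`
// split on whitespace, or one flag per line from a distribution's args file) and
// returns the modes in effect plus a verdict. Both "--flag=value" and "--flag value"
// are accepted and the last occurrence of a repeated flag wins, as pflag behaves.
func ClassifyAuthz(args []string) (modes []string, verdict AuthzVerdict) {
	mode, configFile := "", false
	for i := 0; i < len(args); i++ {
		a := args[i]
		switch {
		case strings.HasPrefix(a, "--authorization-mode="):
			mode = strings.TrimPrefix(a, "--authorization-mode=")
		case a == "--authorization-mode" && i+1 < len(args):
			i++
			mode = args[i]
		case strings.HasPrefix(a, "--authorization-config"):
			configFile = true
		}
	}
	if configFile {
		// Structured authorization config replaces the flag; the flags alone
		// cannot tell you what is enforced, so say so instead of guessing.
		return nil, AuthzConfigFile
	}
	if mode == "" {
		// kube-apiserver's built-in default when the flag is absent.
		return []string{"AlwaysAllow"}, AuthzAllowAll
	}
	for _, m := range strings.Split(mode, ",") {
		modes = append(modes, strings.TrimSpace(m))
	}
	for _, m := range modes {
		if m == "AlwaysAllow" { // allows every request, so decide this before looking for RBAC
			return modes, AuthzAllowAll
		}
	}
	for _, m := range modes {
		if m == "RBAC" {
			return modes, AuthzRBAC
		}
	}
	return modes, AuthzOther
}

func main() {
	// Constructed command lines; neither is captured from a real node.
	samples := map[string]string{
		"no flag":   "kube-apiserver --secure-port=16443 --anonymous-auth=false",
		"node+rbac": "kube-apiserver --authorization-mode=Node,RBAC --anonymous-auth=false",
	}
	for name, cmd := range samples {
		modes, v := ClassifyAuthz(strings.Fields(cmd))
		fmt.Printf("%-10s modes=%v verdict=%s\n", name, modes, v)
	}
}
```

To check a running cluster rather than its flags, `kubectl auth can-i '*' '*' --as=system:serviceaccount:default:default` answering `yes` means the default identity every unconfigured pod receives already has cluster-admin-equivalent rights. On microk8s the fix is `microk8s enable rbac`; after that, re-run the check and expect `no`.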
So, some time ago I was playing with the idea of adding tracking to container images (https://raesene.github.io/blog/2023/02/11/Fun-with-Containers-adding-tracking-to-your-images/).
The idea is that you add a URL to the config section of an OCI image and then whenever the image gets pulled, the URL gets called.
I can't remember exactly where I uploaded the image with the canary token in it, but someone's been pulling that image regularly for a while now and I get a ping whenever they do :)
We've got a new blog out looking at #Kubernetes versions in use in real-world clusters, and it's actually quite good news from a security perspective.
With the addition of extended support for the major managed Kubernetes distributions, it looks like most of the clusters we're seeing are running on supported versions. That's quite an improvement over the last couple of years.
https://securitylabs.datadoghq.com/articles/a-2025-look-at-real-world-kubernetes-adoption/
Three high-severity CVEs in runc were announced today (https://seclists.org/oss-sec/2025/q4/138). They present a risk of container escape, so it's worth making sure you're patching!
It's not necessarily widely known, but runc is a core component in most Kubernetes clusters. Often you don't install it directly but get it as part of other packages like containerd; it is there nonetheless, launching all the containers in your cluster.
From a first read through of the advisories, one quote that particularly resonated with me:
"it is very difficult, if not impossible, to run an untrusted program with root privileges safely."
It's been good advice for a long time to run containers as a non-root user, and even where the container needs to run as root, with user namespace support available in Kubernetes it's a lot easier to avoid the risks of running containers as the host root user!
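As an added example (not from the post above and not Kubernetes' own code), the check below walks a Pod spec and reports every init or regular container that may end up as UID 0 on the host, which is the situation the runc quote is about. It treats the three real pod-level controls as mitigations: `runAsNonRoot: true` (the kubelet refuses to start a UID 0 process), a non-zero `runAsUser` (container-level values override pod-level ones), and `hostUsers: false` (the pod gets a user namespace, so UID 0 inside maps to an unprivileged host UID). The struct is a hand-written subset of the Pod API, the two sample specs are constructed, and `HostRootFindings`, `Finding` and the sample names are mine.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Subset of the Pod API: only the fields this check needs, with the real names.
type secCtx struct {
	RunAsUser    *int64 `json:"runAsUser,omitempty"`
	RunAsNonRoot *bool  `json:"runAsNonRoot,omitempty"`
}

type container struct {
	Name            string  `json:"name"`
	SecurityContext *secCtx `json:"securityContext,omitempty"`
}

type pod struct {
	Metadata struct {
		Name string `json:"name"`
	} `json:"metadata"`
	Spec struct {
		HostUsers       *bool       `json:"hostUsers,omitempty"`
		SecurityContext *secCtx     `json:"securityContext,omitempty"`
		InitContainers  []container `json:"initContainers,omitempty"`
		Containers      []container `json:"containers"`
	} `json:"spec"`
}

// Finding names a container that may run as host root and why.
type Finding struct {
	Pod, Container, Reason string
}

// effective applies the Kubernetes precedence rule: a container-level
// securityContext field overrides the pod-level one when it is set.
func effective(podSC, cSC *secCtx) secCtx {
	var eff secCtx
	if podSC != nil {
		eff = *podSC
	}
	if cSC != nil {
		if cSC.RunAsUser != nil {
			eff.RunAsUser = cSC.RunAsUser
		}
		if cSC.RunAsNonRoot != nil {
			eff.RunAsNonRoot = cSC.RunAsNonRoot
		}
	}
	return eff
}

// HostRootFindings parses a Pod as JSON and returns one Finding per container
// that none of runAsNonRoot=true, a non-zero runAsUser, or hostUsers=false protects.
func HostRootFindings(raw []byte) ([]Finding, error) {
	var p pod
	if err := json.Unmarshal(raw, &p); err != nil {
		return nil, err
	}
	userNS := p.Spec.HostUsers != nil && !*p.Spec.HostUsers // hostUsers defaults to true
	var out []Finding
	check := func(c container) {
		eff := effective(p.Spec.SecurityContext, c.SecurityContext)
		switch {
		case eff.RunAsNonRoot != nil && *eff.RunAsNonRoot: // kubelet enforces non-root at start
		case eff.RunAsUser != nil && *eff.RunAsUser != 0: // explicit non-root UID
		case userNS: // root inside the container is an unprivileged UID on the host
		case eff.RunAsUser == nil:
			out = append(out, Finding{p.Metadata.Name, c.Name, "no runAsNonRoot/runAsUser: image USER decides, may be host root"})
		default:
			out = append(out, Finding{p.Metadata.Name, c.Name, "runAsUser 0 without a user namespace: host root"})
		}
	}
	for _, c := range p.Spec.InitContainers {
		check(c)
	}
	for _, c := range p.Spec.Containers {
		check(c)
	}
	return out, nil
}

// Constructed sample specs, not taken from any real cluster. WeakPod sets a
// non-root UID at pod level but the "app" container overrides it back to 0;
// UnspecifiedPod says nothing, so the image's USER decides.
const WeakPod = `{"metadata":{"name":"web"},"spec":{"securityContext":{"runAsUser":1000},
  "containers":[{"name":"app","securityContext":{"runAsUser":0}},{"name":"sidecar"}]}}`
const UnspecifiedPod = `{"metadata":{"name":"web"},"spec":{"containers":[{"name":"app"}]}}`

// HardenedPod refuses root outright and puts the pod in a user namespace, so
// even a container that genuinely needs UID 0 would not be host root.
const HardenedPod = `{"metadata":{"name":"web"},"spec":{"hostUsers":false,
  "securityContext":{"runAsNonRoot":true},"containers":[{"name":"app"},{"name":"sidecar"}]}}`

func main() {
	for _, spec := range []string{WeakPod, UnspecifiedPod, HardenedPod} {
		findings, err := HostRootFindings([]byte(spec))
		if err != nil {
			panic(err)
		}
		fmt.Printf("%d finding(s): %+v\n", len(findings), findings)
	}
}
```

`hostUsers: false` only takes effect when the kubelet and container runtime on that node support user namespaces, so treat a pod that relies on it alone as mitigated only after confirming the feature is enabled for your Kubernetes version; `runAsNonRoot: true` needs no such support and is what the Pod Security `restricted` profile requires.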
Kubernetes SIG Security is updating the OWASP Top 10 for Kubernetes, and we're seeking community input on it!

What do you think should be included? Fill out our survey here!

https://docs.google.com/forms/d/e/1FAIpQLScL-yznr-YqGdg9SIcToptVPw9qEy7eUPZDefSSvhDT6aMjWQ/viewform

Kubernetes SIG Security Docs subproject is starting an update of the OWASP Kubernetes Top 10 and as such wants to canvass ideas on what should be included. The goal of the Top 10 is to provide awareness of the most serious risks that Kubernetes cluster operators should consider when deploying and managing Kubernetes. The survey below includes a number of options for areas which could be included in the Top 10. Please rate each according to your experience from 1 (least important to include in the Top 10) to 5 (most important to include in the Top 10). We've also got a free-form section at the bottom for any comments or other ideas, and we're also available in #SIG-Security-Docs on Kubernetes Slack or #project-k8s-top10 on OWASP Slack.