Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

Kubernetes powers modern application deployments, yet safeguarding its secrets remains a formidable challenge. In a 2024 report, IBM estimated that 16% of data breaches stemmed from compromised credentials, resulting in significant financial losses. The recent attack involving a stolen API key at the U.S. Treasury Department highlights the vulnerability of even well-protected systems.

In the past year alone, the number of artificial intelligence (AI) packages running in workloads grew by almost 500%. Which is to say: AI is everywhere, and it’s settling in for the long haul. Naturally, as helpful as they are, these AI workloads come with security challenges, including data exposure, adversarial attacks, and model manipulation. So as AI adoption accelerates, security leaders must build an AI workload security program to protect their organizations while enabling innovation.

CVE-2025-1974 is a critical remote code execution (RCE) vulnerability in Kubernetes’ Ingress-NGINX Controller that allows unauthenticated attackers with network access to inject arbitrary NGINX configuration directives, potentially leading to full cluster compromise. Ingress-NGINX is a software-only ingress controller provided by the Kubernetes project. Because of its versatility and ease of use, ingress-nginx is quite popular: it is deployed in over 40% of Kubernetes clusters.

When we first launched Project Calico in 2016, we set out to make Kubernetes networking easy, reliable, and scalable for all organizations. Our goal was to abstract away the complexity and performance overheads of other CNI plugins while simultaneously extending Kubernetes network policy to make it easier to secure your Kubernetes workloads.

On March 24, 2025, ingress-nginx maintainers released fixes for multiple vulnerabilities that could allow threat actors to take over Kubernetes clusters. Ingress is a Kubernetes feature that defines how workload Pods are exposed to the network, while an Ingress Controller implements those rules by configuring the necessary local or cloud resources. According to Kubernetes, ingress-nginx is deployed in over 40% of Kubernetes clusters.

On March 24, 2025, Wiz Research disclosed a series of critical vulnerabilities in Ingress NGINX Controller for Kubernetes, collectively dubbed: These unauthenticated Remote Code Execution (RCE) vulnerabilities have been assigned a CVSS base score of 9.8. According to Wiz Research, exploitation allows attackers to gain unauthorized access to all secrets across all namespaces in affected Kubernetes clusters, potentially leading to complete cluster takeover.

On Monday, March 24, 2025, a set of critical vulnerabilities affecting the admission controller component of the Ingress NGINX Controller for Kubernetes was announced. In total, five vulnerabilities were announced; the most severe vulnerability, CVE-2025-1974 (CVS 9.8), may result in remote code execution (RCE). Exploitation of this vulnerability can be detected with Sysdig Secure or the Falco rule provided in this article.

Kubernetes has evolved into the industry standard for orchestrating containerized applications. In this article, we break down the architecture of a Kubernetes cluster using practical examples, and code snippets. Whether you’re a beginner or an experienced engineer, you’ll gain clarity on the roles of control plane (historically “master”) and worker nodes, the nuances of multi-control-plane deployments, and updated OpenShift configurations.

Kubernetes has revolutionized how we deploy and manage applications at scale. One of its key components is the way it handles storage – especially when it comes to persistent storage for stateful applications. In this article, we will dive into converting a Persistent Volume Claim (PVC) to a CSI-backed Persistent Volume (PV) and explore various Container Storage Interface (CSI) drivers available for Kubernetes, including AWS EBS, Azure, GlusterFS, and others.