The implicitly merged group information from /etc/group in the container image poses a security risk. These implicit GIDs can't be detected or validated by policy engines because there's no record of them in the Pod manifest. This can lead to unexpected access control issues, particularly when accessing volumes (see kubernetes/kubernetes#112879 for details) because file permission is controlled by UID/GIDs in Linux.
Kubernetes v1.35: Fine-grained Supplemental Groups Control Graduates to GA… CVE records for a few older, unfixed issues incorrectly include a fixed version field. The Kubernetes Security Response Committee SRC will correct the affected CVE records on June 1, 2026. …
… Example: a namespaced on-call debug Role apiVersion : rbac.authorization.k8s.io/v1 kind : Role metadata : name : oncall-debug namespace : rules : Discover what’s running - apiGroups : "" resources : "pods" , "events" verbs : "get" , "list" , "watch" Read logs - apiGroups : "" resources : "pods/log"… …
… Here's an example; a Pod manifest that specifies spec.securityContext.runAsUser: 1000 , spec.securityContext.runAsGroup: 3000 and spec.securityContext.supplementalGroups: 4000 as part of the Pod's security context. apiVersion : v1 kind : Pod metadata : name : implicit-groups-example spec : security… …
… Updates: We've been keeping up with security updates, regularly updating dependencies and addressing upstream security issues. We tightened the Helm chart's default security context and fixed a regression that broke the plugin manager. …
… One of them is specified by full path, and the other, get-identity is just a basename. …
… Stable identity : Coordinated multi-agent systems require stable networking. Every Sandbox is given a stable hostname and network identity, allowing distinct agents to discover and communicate with each other seamlessly. …
… While certain issues still require direct node access, issues with the kube-proxy or kubelet can be diagnosed by inspecting their logs. …
… Further reading KEP: Speed up SELinux volume relabeling using mounts SELinux Volume Relabeling Feature Gates Story 3: cluster upgrade Configure a security context for a Pod — Efficient SELinux volume relabeling and selinux-warning-controller Acknowledgements If you run into issues, have feedback, o…
… Granting access to it is a security risk, so ensure you have the appropriate administrative permissions before executing these commands. …
… Additionally, the imagePullCredentialsVerificationPolicy flag allows operators to configure the desired security level, ranging from a mode that prioritizes backward compatibility to a strict enforcement mode that offers maximum security. …