Kubernetes 1.34 – Top Security Enhancements 💪 

Aug 21, 2025

Ben Hirschberg
CTO & Co-founder

Kubernetes v1.34 is coming soon, and it brings a rich batch of security upgrades – from alpha features that hint at the future of zero-trust Kubernetes, to mature enhancements making their way into stable releases. Whether you’re managing a production cluster or exploring new security patterns, this release has something worth your attention.

🔐 What’s New in Kubernetes 1.34 Security

Built‑in Mutual TLS for Pods (Alpha) 

A pod can now obtain a short-lived X.509 certificate through a projected volume: the kubelet generates a private key on the node, submits a PodCertificateRequest on the pod's behalf, a signer issues the certificate, and the kubelet writes the credential into the volume and replaces it before it expires. The private key never leaves the node and nothing long-lived is stored in the cluster. This gives workloads a native in-cluster identity for mutual TLS, including towards the API server, without an external identity agent or sidecar. It is alpha, so it sits behind the PodCertificateRequest feature gate and needs a signer controller for whatever signer name you choose.

📎 KEP-4317: Pod Certificates
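As an added example (not from the original post or the Kubernetes project), a Pod that requests a workload certificate through the projected volume described above. The signer name, image and mount path are placeholders for this illustration; the cluster must run a signer controller for that signer name and have the PodCertificateRequest feature gate enabled on kube-apiserver, kube-controller-manager and the kubelet.

```yaml
# Added example, not the original post's or the project's code.
# Placeholders: registry.example.com/app:1.0, example.com/workload-signer.
apiVersion: v1
kind: Pod
metadata:
  name: mtls-client
spec:
  serviceAccountName: mtls-client
  containers:
  - name: app
    image: registry.example.com/app:1.0
    volumeMounts:
    - name: workload-cert
      mountPath: /var/run/workload-identity   # app reads credentials.pem from here
      readOnly: true
  volumes:
  - name: workload-cert
    projected:
      sources:
      - podCertificate:
          # A signer controller watching PodCertificateRequests for this name
          # must exist; otherwise the pod never becomes ready.
          signerName: example.com/workload-signer
          keyType: ED25519
          # Ask for a short lifetime; the kubelet refreshes the bundle before expiry.
          maxExpirationSeconds: 3600
          # Private key and certificate chain, concatenated, in one PEM file.
          credentialBundlePath: credentials.pem
```

The application treats the bundle like any other mTLS client credential and should re-read it from disk when it changes rather than caching it for the life of the process, since the kubelet rotates it in place.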

Fine‑Grained Anonymous API Endpoint Control (Stable) 

Rather than disabling anonymous access cluster-wide (or leaving it fully on), the structured AuthenticationConfiguration file lets you restrict unauthenticated requests to an explicit list of paths such as /healthz, /livez and /readyz. Anonymous requests to any other path are rejected as unauthenticated instead of being evaluated as the system:anonymous user, so load balancers and health checks keep working while the rest of the API is no longer reachable without credentials. The file-based setting is mutually exclusive with the --anonymous-auth flag.

📎 KEP-4633: AnonymousAuthConfigurableEndpoints
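The configuration that scopes anonymous access to the three health endpoints, as an added example (not from the original post). It is passed to kube-apiserver with --authentication-config; clusters whose API server does not yet serve v1 of this API use apiserver.config.k8s.io/v1beta1 with the same fields.

```yaml
# Added example, not the original post's or the project's code.
# Load with: kube-apiserver --authentication-config=/etc/kubernetes/authn.yaml
# Do not combine with --anonymous-auth; the API server rejects both together.
apiVersion: apiserver.config.k8s.io/v1
kind: AuthenticationConfiguration
anonymous:
  enabled: true
  conditions:
  # Only these exact paths may be requested without credentials.
  - path: /livez
  - path: /readyz
  - path: /healthz
# Any other unauthenticated request (for example GET /api or /version)
# now fails with 401 instead of being authorized as system:anonymous.
```

A quick check after rollout is to curl /livez and /api without a bearer token: the first should return ok, the second 401. If you previously relied on the system:public-info-viewer ClusterRole to expose /version to anonymous callers, that path must now be listed explicitly.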

Field & Label Selectors in Authorization Decisions (Stable) 

Authorizers now receive the field and label selectors attached to list, watch and deleteCollection requests, so a decision can depend on what the selector narrows the request to. The canonical example is scoping a kubelet to the pods on its own node with spec.nodeName=$NODE. This information is surfaced to authorizers such as authorization webhooks; RBAC Roles and ClusterRoles have no selector field, so a plain RBAC rule that grants list on pods still grants every pod, and a request without a selector must be treated as a request for everything.

📎 KEP-4601: Authorizer Request Context Selectors
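As an added example (not from the original post), the SubjectAccessReview an authorization webhook receives from a 1.34 API server when a kubelet identity lists pods with a node field selector. The node name, user and groups are constructed for this illustration; the field names under resourceAttributes are the ones the feature adds.

```yaml
# Added example, not the original post's or the project's code.
# Produced by: kubectl get pods -A --field-selector spec.nodeName=worker-1
# when run as the (constructed) kubelet identity system:node:worker-1.
apiVersion: authorization.k8s.io/v1
kind: SubjectAccessReview
spec:
  user: system:node:worker-1
  groups:
  - system:nodes
  - system:authenticated
  resourceAttributes:
    verb: list
    group: ""
    version: v1
    resource: pods
    namespace: ""            # empty namespace: all namespaces
    # New in this feature: the parsed selector from the request.
    fieldSelector:
      requirements:
      - key: spec.nodeName
        operator: In
        values:
        - worker-1
# A selector-aware webhook allows this because the requirement pins the
# list to the caller's own node. The same request with fieldSelector absent,
# or with values naming another node, must be denied: without the selector
# the caller is asking for every pod in the cluster.
```

Label selectors arrive the same way under resourceAttributes.labelSelector.requirements, and a selector the API server could not parse is passed through verbatim in a rawSelector field, which a webhook should treat as unscoped. Webhooks written before this feature simply ignore the new fields and keep making unscoped decisions, which is why the action item is to update the webhook, not the RBAC rules.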

External JWT Signing via KMS or HSM (Beta) 

ServiceAccount tokens can now be signed by an external signer, for example a KMS- or HSM-backed service, that the API server reaches over a gRPC interface on the control-plane node (ExternalServiceAccountTokenSigner feature gate, --service-account-signing-endpoint). The private key never has to exist on the API server host, rotation happens inside the signer, and the API server fetches the public keys from it for token verification and OIDC discovery, which is what most compliance regimes ask for.

📎 KEP-740: Service Account Token Volume Projection – External Signing

Short-Lived Pod-Scoped Tokens for ImagePull (Beta) 

Instead of long-lived imagePullSecrets, the kubelet can mint a short-lived service-account token for the pulling pod, with an audience you configure, and hand it to a kubelet credential provider plugin, which exchanges it for registry credentials. The token is a standard projected service-account JWT bound to the pod's service account, verifiable against the cluster's OIDC discovery endpoint, and issued fresh per pull rather than stored in the cluster, so there is no static registry secret to leak or rotate.

📎 KEP-4412: Pod Service Account Token for Image Pulls
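As an added example (not from the original post and not any real provider), the kubelet CredentialProviderConfig that turns the feature on for one registry. The provider binary name, registry host and annotation key are placeholders; the plugin itself is whatever exchanges the token at your registry or cloud identity provider.

```yaml
# Added example, not the original post's or the project's code.
# Requires the KubeletServiceAccountTokenForCredentialProviders feature gate
# (beta in 1.34) and a plugin binary in --image-credential-provider-bin-dir.
apiVersion: kubelet.config.k8s.io/v1
kind: CredentialProviderConfig
providers:
- name: registry-token-exchanger          # placeholder plugin binary name
  apiVersion: credentialprovider.kubelet.k8s.io/v1
  matchImages:
  - "registry.example.com"                # placeholder registry
  defaultCacheDuration: "30m"
  tokenAttributes:
    # Audience claim of the token the kubelet mints for the pod's service
    # account; the registry should reject tokens minted for any other audience.
    serviceAccountTokenAudience: registry.example.com
    # Do not fall back to a credential-less plugin call for pods without a SA.
    requireServiceAccount: true
    # Annotations passed to the plugin next to the token, e.g. which external
    # identity the service account maps to; the pull fails if they are missing.
    requiredServiceAccountAnnotationKeys:
    - registry.example.com/identity      # placeholder annotation key
    # 1.34 beta field: cache the exchanged credential per service account
    # instead of per token, so every pod of that SA reuses one exchange.
    cacheType: ServiceAccount
```

The plugin receives the token and the listed annotations in its CredentialProviderRequest and returns ordinary registry credentials; nothing long-lived ever lands in a Secret. Migration is per registry: leave imagePullSecrets in place for registries not listed under matchImages until each has a provider.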

CEL-Based In-Process Mutating Admission Policies (Beta) 

Kubernetes now supports mutating admission policies written in CEL (Common Expression Language) and evaluated inside the API server, with no external webhook to deploy, keep highly available, or trust with a TLS endpoint. Mutations are expressed either as a server-side-apply style ApplyConfiguration or as a JSON patch, and a policy can be re-run (reinvocationPolicy: IfNeeded) when a later mutation changes the object, so policy ordering does not silently undo a change.

ARMO’s Kubescape, the CNCF’s Incubating open-source Kubernetes security platform, will enhance its CEL admission control library in the upcoming release to support these new in-process mutating policies. This will allow users to define and enforce mutating admission policies directly within Kubescape, leveraging the same CEL framework as Kubernetes itself.

📎 KEP-3962: CEL for Mutating Admission Policies
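As an added example (not from the original post, and not Kubescape's library), an in-process mutating policy that defaults every new pod to the RuntimeDefault seccomp profile unless its manifest already chose one, bound to every namespace except kube-system. The policy and binding names are placeholders. The API server must have the MutatingAdmissionPolicy feature gate and the admissionregistration.k8s.io/v1beta1 API enabled; check your distribution, since beta APIs are not always served by default.

```yaml
# Added example, not the original post's, Kubescape's or the project's code.
apiVersion: admissionregistration.k8s.io/v1beta1
kind: MutatingAdmissionPolicy
metadata:
  name: default-seccomp.example.com     # placeholder name
spec:
  failurePolicy: Fail                   # an expression error rejects the pod rather than admitting it unmutated
  reinvocationPolicy: IfNeeded          # re-run if another mutation changes the pod afterwards
  matchConstraints:
    resourceRules:
    - apiGroups: [""]
      apiVersions: ["v1"]
      operations: ["CREATE"]
      resources: ["pods"]
  matchConditions:
  # Only touch pods that made no explicit choice; an explicit Unconfined is left
  # alone here and should be caught by a validating policy instead.
  - name: no-seccomp-profile-set
    expression: >-
      !has(object.spec.securityContext) ||
      !has(object.spec.securityContext.seccompProfile)
  mutations:
  - patchType: ApplyConfiguration
    applyConfiguration:
      # Merged into the pod with server-side-apply semantics, so other fields
      # under securityContext are preserved.
      expression: >-
        Object{
          spec: Object.spec{
            securityContext: Object.spec.securityContext{
              seccompProfile: Object.spec.securityContext.seccompProfile{
                type: "RuntimeDefault"
              }
            }
          }
        }
---
apiVersion: admissionregistration.k8s.io/v1beta1
kind: MutatingAdmissionPolicyBinding
metadata:
  name: default-seccomp.example.com     # placeholder name
spec:
  policyName: default-seccomp.example.com
  matchResources:
    namespaceSelector:
      matchExpressions:
      - key: kubernetes.io/metadata.name
        operator: NotIn
        values: ["kube-system"]
```

After applying both objects, creating a pod with no securityContext and reading it back should show spec.securityContext.seccompProfile.type set to RuntimeDefault, while a pod that already sets a profile comes back unchanged. Keep a ValidatingAdmissionPolicy next to it for the things a default cannot fix, such as an explicit Unconfined profile.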

OCI Artifact Volumes (Beta) 

You can now mount artifacts stored in OCI registries directly into pods as read-only volumes through the image volume source. This is useful for distributing config files, binaries, or ML models without baking them into container images, and because the reference goes through the same pull path as container images it can be pinned by digest and is immutable once pulled. The volume is read-only by construction, so a compromised container cannot tamper with the artifact in place.

📎 KEP-4639: Mounting Artifacts as Volumes
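As an added example (not from the original post), a Pod that mounts a model artifact from a registry with the image volume source. The registry, repository and image tag are placeholders, and the digest is the SHA-256 of empty input, used only as a syntactically valid stand-in; the cluster needs the ImageVolume feature gate and a container runtime that supports image volumes.

```yaml
# Added example, not the original post's or the project's code.
# Placeholders: registry.example.com/... and the digest below.
apiVersion: v1
kind: Pod
metadata:
  name: sentiment-api
spec:
  containers:
  - name: server
    image: registry.example.com/sentiment-api:1.4.0
    volumeMounts:
    - name: model
      mountPath: /models
      readOnly: true
  volumes:
  - name: model
    image:
      # Pin by digest, not tag: a tag is mutable, so anyone who can push to the
      # repository could otherwise swap the artifact this pod loads at restart.
      reference: registry.example.com/models/sentiment@sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
      pullPolicy: IfNotPresent
```

The artifact is pulled with the same credentials as container images, so registries that already require imagePullSecrets or a credential provider need no extra setup, and the same admission policies that require digests on container images can be extended to cover spec.volumes[*].image.reference.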

🧠 Why These Changes Matter

| Feature | Security benefit | Action |
|---|---|---|
| Mutual TLS for pods (alpha) | Native, short-lived workload identity for pod-to-API and pod-to-pod authentication | Test in dev clusters behind the feature gate; not for production yet |
| Scoped anonymous access | Unauthenticated callers reach only the health endpoints you list | Move to a structured AuthenticationConfiguration and review the allowed paths |
| Selector-aware authorization | Least privilege at node/pod granularity for list, watch and deleteCollection | Make webhook authorizers honor fieldSelector/labelSelector and deny unscoped requests |
| External JWT signing | The service-account signing key never lives on the API server host | Integrate with an existing KMS- or HSM-backed signer |
| Service-account tokens for image pulls | Removes static registry secrets from the cluster | Migrate from imagePullSecrets to a credential provider with tokenAttributes |
| CEL mutation policies | Mutations without webhook latency, availability risk or an extra TLS endpoint | Define MutatingAdmissionPolicy objects for your defaults |
| OCI artifact volumes | Digest-pinned, read-only delivery of files kept out of the image | Replace sidecar or init-container content injection |

🛡️ Final Thoughts

The Kubernetes 1.34 release reflects a growing focus on zero-trust principles, secure defaults, and native, reliable policy enforcement. From in-cluster identities to hardened token workflows and registry access, these updates make it easier for platform teams to deliver secure infrastructure – without reinventing the wheel.

Stay secure, stay curious.

Brought to you by ARMO, creators of Kubescape, the open-source Kubernetes security platform and one of the leading KSPM solutions.
