Kyverno - a CNCF policy engine for Kubernetes - just dropped a critical one: CVE-2026-22039. It lets limited-access users jump namespaces by hijacking Kyverno's cluster-wide ServiceAccount through crafty use of policy context variable substitution. Think privilege escalation without breaking a sweat. Isolation? Poof.
Bigger picture: This puts Kubernetes admission controllers back under the spotlight. They're powerful, sure. But that also makes them a shaky foundation for trust. Time to tighten RBAC and audit those policy validations like it actually matters.
