Kubernetes IngressNightmare: Wake Up and Fight Back with Microsegmentation


Written by

Yaniv Zadok and Jacob Abrams

May 07, 2025


Written by

Yaniv Zadok

Yaniv Zadok is a Product Manager at Akamai for the Zero Trust security products, specifically Akamai Guardicore Segmentation, focusing on protecting containers and their orchestration platforms with microsegmentation.


Written by

Jacob Abrams

Jacob Abrams is a Product Marketing Manager at Akamai working with the Zero Trust security products, specifically Akamai Guardicore Segmentation. Prior to Akamai, he worked with Israeli tech startups to generate sales pipeline and facilitate marketing content creation and promotion. He is based in Somerville, MA.

Attackers rely on stealth to access and expand within your IT ecosystem, but we can take that ability away from them.

It’s every DevOps engineer’s nightmare: waking up to another critical Kubernetes vulnerability that compromises the gateway to your cluster. This time, however, the nightmare is real.

IngressNightmare — what you need to know

In the ever-evolving world of Kubernetes, vulnerabilities are bound to occur. In March 2025, a set of critical vulnerabilities in the ingress-nginx controller surfaced, collectively dubbed IngressNightmare. They affect a massive portion of cloud native environments and expose them to unauthenticated remote code execution (RCE).

These vulnerabilities — CVE-2025-1097, CVE-2025-1098, CVE-2025-24514, and CVE-2025-1974 — sit in the controller's validating admission webhook, the component that checks Ingress objects before the API server accepts them and that is reachable from the pod network by default. The most severe, CVE-2025-1974, lets an attacker who can reach that webhook, with no credentials at all, run code inside the controller pod; because the controller reads Secrets across the whole cluster, that foothold can become cluster-wide access. And with more than 40% of environments exposed, this is no niche issue.

But here’s the uncomfortable truth: Though the ingress-nginx maintainers have already released fixed versions (1.11.5 and 1.12.1), patching is not always immediate.

Kubernetes clusters can be running legacy applications or sensitive workloads, or they can be bound by change control processes that delay mitigation. The upstream interim mitigation for clusters that cannot upgrade yet is to disable the controller's validating admission webhook, which removes the entry point at the cost of losing Ingress validation. Until the patch lands, attackers thrive in those windows of opportunity.
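Before deciding how long the patch can wait, a practitioner wants two facts: which controllers in the cluster are on a fixed release, and whether the admission webhook that IngressNightmare targets is still registered. The POSIX shell script below is an added example, not code from Akamai or the ingress-nginx project. It assumes kubectl is configured for the cluster, that controller pods run the upstream image name (registry.k8s.io/ingress-nginx/controller; forks with another name need the match pattern adjusted), and that the fixed releases are 1.11.5 and 1.12.1, with 1.12.0 and every older tag treated as exposed.

```shell
#!/bin/sh
# Added example, not Akamai's or the ingress-nginx project's code.
# Finds every ingress-nginx controller pod and reports whether its image tag
# already carries the IngressNightmare fixes (releases 1.11.5 and 1.12.1;
# anything on a newer line is also fixed, 1.12.0 and every older tag is not).
# Assumes kubectl is configured and controllers run the upstream image name.

# Turn "registry/ns/controller:v1.12.0@sha256:..." into "v1.12.0".
# Prints an empty string for digest-only or untagged images.
image_tag() {
    name=${1%%@*}; name=${name##*/}
    case $name in *:*) printf '%s\n' "${name##*:}" ;; *) printf '\n' ;; esac
}

# Exit 0 = patched, 1 = vulnerable, 2 = cannot judge ("latest", empty, odd tags).
tag_is_patched() {
    ver=$(printf '%s' "$1" | sed -e 's/@.*//' -e 's/^v//' -e 's/[^0-9.].*//')
    case $ver in
        [0-9]*.[0-9]*.[0-9]*) ;;
        *) return 2 ;;
    esac
    major=${ver%%.*}; rest=${ver#*.}
    minor=${rest%%.*}; patch=${rest#*.}; patch=${patch%%.*}
    if [ "$major" -lt 1 ]; then return 1; fi   # legacy 0.x lines are all unpatched
    if [ "$major" -gt 1 ]; then return 0; fi
    if [ "$minor" -ge 13 ]; then return 0; fi
    if [ "$minor" -eq 12 ] && [ "$patch" -ge 1 ]; then return 0; fi
    if [ "$minor" -eq 11 ] && [ "$patch" -ge 5 ]; then return 0; fi
    return 1
}

# Walk every pod, judge each controller image, then list any validating webhook
# configuration still registered for the controller: that webhook is the
# network-reachable entry point for CVE-2025-1974.
scan_cluster() {
    kubectl get pods -A -o jsonpath='{range .items[*]}{.metadata.namespace}{"\t"}{.metadata.name}{"\t"}{.spec.containers[*].image}{"\n"}{end}' |
    while IFS="$(printf '\t')" read -r ns pod images; do
        for image in $images; do
            case $image in *ingress-nginx/controller*) ;; *) continue ;; esac
            rc=0; tag_is_patched "$(image_tag "$image")" || rc=$?
            case $rc in 0) state=patched ;; 1) state=VULNERABLE ;; *) state=unknown ;; esac
            printf '%s\t%s/%s\t%s\n' "$state" "$ns" "$pod" "$image"
        done
    done
    echo "registered ingress-nginx admission webhooks (upstream default name: ingress-nginx-admission):"
    kubectl get validatingwebhookconfigurations -o name | grep -i ingress-nginx || echo "  none"
}

# Only touch the cluster when asked: sh check-ingress-nginx.sh --scan
case "${1:-}" in --scan) scan_cluster ;; esac
```

Run it as `sh check-ingress-nginx.sh --scan` (the file name is just a suggestion). A line marked VULNERABLE with a webhook still registered is the worst case; "unknown" means a floating or digest-only tag that has to be resolved by hand, since a tag like `latest` says nothing about what is actually running.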

Why microsegmentation matters more than ever

At Akamai, we believe security should not end at the perimeter. Modern attackers don’t stop at the first pod or node they compromise — they move laterally, escalate privileges, and go after the control plane, secrets, and high-value data.

That’s where microsegmentation comes in.


Ideally, even if an attacker makes it past the ingress controller, they should be met with a wall of segmentation that limits their movement and blocks escalation paths. Akamai helps our customers make that happen with real-time visibility, granular policy enforcement, and Zero Trust enforcement.

Real-time visibility — know what’s talking to what

Attackers rely on stealth to access and expand within your IT ecosystem, but we can take that ability away from them.

  • Akamai Guardicore Segmentation provides real-time traffic visualization, showing pod-to-pod, namespace-to-namespace, and service-to-service communication

  • You’ll immediately see if unauthorized changes have been made to Ingress resources or if a compromised pod starts scanning the network

Think of it as your cluster's security radar, showing you what’s coming before it hits.

Granular policy enforcement — not just north-south

Most security tools just look at ingress and egress, but Akamai Guardicore Segmentation goes deeper by allowing you to control east-west traffic inside the cluster. With that level of granularity, security policies can then be created quickly to:

  • Enforce namespace-level or workload-level segmentation

  • Restrict which services can talk to one another — even within the same namespace

  • Protect the Kubernetes control plane, API server, and etcd from internal threats

By using Akamai Guardicore Segmentation to create and enforce these policies, even if a pod becomes compromised via IngressNightmare, the compromised pod has no permitted path to other sensitive workloads or APIs. One caveat worth stating plainly: segmentation constrains where the controller pod can connect on the network, not what its service account may do through the Kubernetes API, and ingress-nginx is allowed to read Secrets cluster-wide, so the patch still has to ship.

Zero Trust enforcement — verify everything

At Akamai, we believe a Zero Trust approach is the best way to secure Kubernetes deployments. And we believe that microsegmentation is the best way to implement those Zero Trust principles, such as:

  • No pod should be able to talk to another pod by default just because it’s on the same network

  • No namespace should reach external APIs unless explicitly allowed

  • Strict verification of every connection should be enforced, based on identity, labels, and policy — not based on IP alone

By ensuring that only explicitly authorized connections are allowed, based on identity and intent — not network proximity — you can prevent a small vulnerability from turning into a full-blown security event.
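The three policy bullets above and the Zero Trust principles that follow them map directly onto the Kubernetes NetworkPolicy API, whichever enforcement product sits on top of it. The shell script below is an added example, not Akamai's or the ingress-nginx project's code: it renders (and, on request, applies) a default-deny policy for an application namespace, an allow rule that admits only the ingress controller's pods to the workload, and a policy in the controller's namespace that keeps the admission webhook port (8443) reachable from the API server alone. The namespace names, the `app=shop` label, port 8080, the kube-dns labels and the API-server CIDR 10.0.0.0/24 are placeholders assumed for the example; the controller pod label `app.kubernetes.io/name: ingress-nginx` and the 8443 webhook port match the upstream ingress-nginx defaults.

```shell
#!/bin/sh
# Added example, not Akamai's or the ingress-nginx project's code.
# Renders three NetworkPolicy objects: default deny for an app namespace, an
# allow rule for the ingress controller only, and a fence around the
# ingress-nginx admission webhook. Every value below is an assumption about
# your environment; override via environment variables before applying.
APP_NS=${APP_NS:-shop}                         # namespace of the protected workload
APP_LABEL=${APP_LABEL:-app=shop}               # label selecting the workload pods
APP_PORT=${APP_PORT:-8080}                     # port the workload listens on
INGRESS_NS=${INGRESS_NS:-ingress-nginx}        # namespace of the ingress controller
APISERVER_CIDR=${APISERVER_CIDR:-10.0.0.0/24}  # source range of API-server traffic

render_policies() {
    key=${APP_LABEL%%=*}; val=${APP_LABEL#*=}
    cat <<EOF
# 1. Nothing in $APP_NS talks to anything, in or out, unless a later policy allows it.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: $APP_NS
spec:
  podSelector: {}
  policyTypes: [Ingress, Egress]
---
# 2. The workload is reachable only from the ingress controller pods, and on
#    egress may only resolve DNS (kube-dns labels assumed).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-from-ingress-controller
  namespace: $APP_NS
spec:
  podSelector:
    matchLabels:
      $key: $val
  policyTypes: [Ingress, Egress]
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: $INGRESS_NS
          podSelector:
            matchLabels:
              app.kubernetes.io/name: ingress-nginx
      ports:
        - protocol: TCP
          port: $APP_PORT
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
---
# 3. The controller keeps serving HTTP/HTTPS to everyone, but its admission
#    webhook (8443) accepts connections only from the API server's range, so a
#    pod elsewhere in the cluster cannot reach the IngressNightmare entry point.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: controller-ingress
  namespace: $INGRESS_NS
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: ingress-nginx
  policyTypes: [Ingress]
  ingress:
    - ports:
        - protocol: TCP
          port: 80
        - protocol: TCP
          port: 443
    - from:
        - ipBlock:
            cidr: $APISERVER_CIDR
      ports:
        - protocol: TCP
          port: 8443
EOF
}

apply_policies() { render_policies | kubectl apply -f -; }

# sh segment-ingress.sh --render   (print the YAML)
# sh segment-ingress.sh --apply    (kubectl apply it)
case "${1:-}" in
    --render) render_policies ;;
    --apply)  apply_policies ;;
esac
```

Two checks after applying: `kubectl apply` of a throwaway Ingress must still succeed (the API server can still reach the webhook), and from a scratch pod in another namespace `curl -k https://<controller-pod-ip>:8443/` must now time out. Whether API-server traffic really arrives from the CIDR you set depends on where the control plane runs and on the CNI (a managed control plane has a provider-documented source range), and none of this is enforced at all unless the CNI implements NetworkPolicy.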

Turn the nightmare into a dream

We can’t stop vulnerabilities like IngressNightmare from being exploited. But we can help make sure that when the next one hits, your blast radius is near zero.

If you're running Kubernetes in production, this is your wake-up call. Now is the time to:

  • Audit your east-west traffic

  • Enforce microsegmentation around critical components

  • Visualize ingress exposure points

  • Stop lateral movement before it starts

Akamai is here to help you secure your clusters every step of the way.

Ready to see it in action?

Get in touch with us for a Kubernetes security assessment, and we’ll show you exactly where your risks lie — and how to fix them before attackers get there first.

Let’s transform your Kubernetes security from a potential nightmare into a dream come true.


