Glossary K
12 terms starting with K
Kubernetes (K8s)
Kubernetes (abbreviated K8s) is an open-source container orchestration platform that automates deploying, scaling, and managing containerized applications. It handles service discovery, load balancing, storage orchestration, and self-healing. K8s has become the de facto standard for running production workloads at scale, supported by every major cloud provider.

Apache Kafka
Apache Kafka is a distributed event streaming platform designed for high-throughput, durable, and replayable event logs. Kafka topics are partitioned and replicated across brokers, enabling horizontal scaling of both producers and consumers. Kafka is widely used for real-time analytics pipelines, event sourcing, log aggregation, and change data capture (CDC) from databases.

KEV catalog (Known Exploited Vulnerabilities)
The KEV catalog is maintained by CISA and lists CVEs with confirmed evidence of active exploitation in the wild. U.S. federal agencies are required to remediate KEV entries within mandated timelines; private organizations use it as a prioritization signal. A vulnerability in the KEV catalog is the strongest available indicator that immediate patching is warranted.

Key rotation
Key rotation is the practice of periodically replacing cryptographic keys with new ones to limit the damage from a key compromise and ensure compliance with security policies. Automated key rotation through a KMS removes the operational burden and human error associated with manual processes. Rotation frequency should be based on key sensitivity, usage volume, and regulatory requirements.

Kill Chain (Cyber Kill Chain)
The Cyber Kill Chain, developed by Lockheed Martin, models an adversary's attack sequence across seven stages: Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command and Control, and Actions on Objectives. Defenders use it to identify where in the chain they can detect or disrupt an attack. Interrupting an attack at any stage prevents the adversary from achieving their final objective.

KMS (Key Management Service)
A KMS provides centralized generation, storage, rotation, and auditing of cryptographic keys used for data encryption. Cloud KMS offerings (AWS KMS, GCP KMS, Azure Key Vault) integrate with storage services, databases, and applications to provide envelope encryption without exposing raw keys. Proper KMS usage separates key management from data management, limiting exposure in a breach.

Knowledge graph
A knowledge graph is a structured representation of facts as entities and typed relationships (triples: subject–predicate–object) that enables semantic reasoning and multi-hop inference. Knowledge graphs like Wikidata and enterprise KGs are used in RAG pipelines to provide structured, verifiable context that complements unstructured document retrieval. Graph-augmented generation improves factual precision on complex queries.

KSPM (Kubernetes Security Posture Management)
KSPM continuously evaluates Kubernetes cluster configurations, RBAC policies, network policies, and workload manifests against security benchmarks like the CIS Kubernetes Benchmark. It detects misconfigurations such as privileged containers, missing pod security standards, and overly permissive service account bindings. KSPM is a specialized discipline within the broader CSPM space.

Kubernetes audit logging
Kubernetes audit logging produces a chronological record of every request processed by the Kubernetes API server, including the user identity, operation, resource affected, and request/response metadata. Audit logs are essential for detecting unauthorized access attempts, RBAC misuse, privilege escalation, and workload modifications in Kubernetes clusters. A well-configured audit policy captures authentication failures, secrets access, and exec/attach operations without generating excessive log volume from routine operations.

Kubernetes RBAC
Kubernetes RBAC controls access to Kubernetes API resources through Roles (namespace-scoped) and ClusterRoles (cluster-scoped) bound to users, groups, or service accounts. Security misconfigurations in Kubernetes RBAC — such as granting wildcard permissions, allowing `create` on pods or deployments without image restrictions, or binding service accounts to ClusterAdmin — are common privilege escalation paths. Regular RBAC audits and tools like kubectl-who-can help identify overly permissive bindings.

Kustomize
Kustomize is a Kubernetes-native configuration management tool that allows teams to customize Kubernetes YAML manifests without templates. It uses a base + overlays approach where environment-specific patches are applied on top of a shared base configuration. Kustomize is built into kubectl and integrates natively with ArgoCD and FluxCD for GitOps workflows.

Kyverno
Kyverno is a Kubernetes-native policy engine that validates, mutates, and generates Kubernetes resources using policies written in YAML rather than a separate policy language. Security teams use Kyverno to enforce controls like requiring pod security contexts, auto-injecting sidecar containers, restricting image registries, and generating default NetworkPolicies for new namespaces. Its Kubernetes-native approach lowers the barrier to entry compared to OPA Gatekeeper's Rego language.