Security Debt in Kubernetes: Why Rancher’s CVEs Require a New Path Forward
Kubernetes is the de facto operating system for modern infrastructure and gives businesses flexibility to deploy the next generation of modern applications. It promises agility and scale, but there’s an unspoken truth: security debt. When you rely on management tools built with implicit trust models, vulnerabilities are not just bugs. They are ticking time bombs that can impact your infrastructure, applications, and entire business.
The Kubernetes community uncovered a critical flaw in SUSE Rancher (CVE-2021-36782, CVSS 10.0). Sensitive fields such as API keys, service account tokens, and cloud credentials were stored in plaintext inside Kubernetes objects (cluster.management.cattle.io). Anyone with API read access could escalate privileges and compromise workloads. Although Rancher and SUSE made the appropriate changes to fix these vulnerabilities, this is a zero-tolerance issue and raises significant concerns about their ability to deliver highly secure enterprise Kubernetes platforms.
Due to this vulnerability, administrators had to scramble to upgrade, rotate tokens, and hunt down leaked secrets. And as we all know, leaked secrets are no joke.
Because of this, businesses have decided to rethink their Kubernetes strategy and adopt platforms that are secure by design and built to scale.
The Rancher CVE: Anatomy of Security Debt
In Rancher versions 2.5.0 to 2.5.15 and 2.6.0 to 2.6.6, fields like serviceAccountToken, Notifier.SMTPConfig.Password, and Cluster.Spec...SecretKey were left unhashed in Kubernetes object manifests. Anyone with API read access could pivot across workloads and exploit leaked cloud provider secrets.
Even after patching in versions 2.5.16 and 2.6.7, mitigating this vulnerability required organizations to audit clusters, rotate tokens, migrate secrets, and revoke compromised credentials – lots of work, very time-consuming, none of it helping organizations deliver value faster. Depending on the organization's scale, much of the work required to mitigate this CVE doubtless ended up as manual labor – itself error-prone, and out of step with modern, automate-everything operations principles. For enterprises managing hundreds of clusters, dealing with this CVE was, in other words, a nightmare. This is security debt in motion.
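The first of those mitigation steps, auditing clusters for plaintext credentials, is the one most worth automating. The script below is an added example, not Rancher's, SUSE's, or Mirantis' code: it walks a constructed JSON dump in the shape that `kubectl get <resource> -A -o json` returns and reports every string-valued field whose key looks like a credential, skipping values a redaction pass has already blanked and skipping Secret references, which are pointers rather than values. The object layout and field names (`spec.exampleCloudConfig`, `smtpConfig.password`, `status.serviceAccountToken`) are assumptions modelled on the fields the CVE names, not Rancher's actual schema.

```python
"""Audit exported Kubernetes objects for plaintext credential fields.

Added example; the sample objects and their field names are constructed
approximations of Rancher-style management objects, not the real schema.
"""
import json
import re

# Key names that should never carry a plaintext value inside an API object.
SENSITIVE_KEY = re.compile(
    r"(serviceAccountToken|password|secretKey|accessKey|token|apiKey)$",
    re.IGNORECASE,
)

# Values that are already safe: empty, or a placeholder left by redaction.
REDACTED = re.compile(r"^(\s*|\*+|<redacted>|\[REDACTED\])$", re.IGNORECASE)

# Constructed sample: a hypothetical Cluster object and a Notifier object.
SAMPLE_LIST = json.dumps({
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        {
            "apiVersion": "management.cattle.io/v3",
            "kind": "Cluster",
            "metadata": {"name": "c-example"},
            "spec": {
                "displayName": "prod-east",
                # hypothetical cloud-provider block holding plaintext keys
                "exampleCloudConfig": {
                    "accessKey": "AKIA-CONSTRUCTED",
                    "secretKey": "s3cr3t-constructed",
                },
            },
            "status": {"serviceAccountToken": "eyJhbGciOi.constructed.token"},
        },
        {
            "apiVersion": "management.cattle.io/v3",
            "kind": "Notifier",
            "metadata": {"name": "n-mail"},
            # already redacted: must not be reported
            "smtpConfig": {"host": "smtp.example.invalid", "password": "<redacted>"},
            # a reference to a Secret is a pointer, not the value: not a leak
            "webhookConfig": {"tokenSecretRef": {"name": "hook-token", "key": "token"}},
        },
    ],
})


def find_plaintext_fields(obj, path=""):
    """Return dotted JSON paths of string fields whose key looks like a credential."""
    findings = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            child = f"{path}.{key}" if path else key
            if (isinstance(value, str) and SENSITIVE_KEY.search(key)
                    and not REDACTED.match(value)):
                findings.append(child)
            else:
                findings.extend(find_plaintext_fields(value, child))
    elif isinstance(obj, list):
        for i, item in enumerate(obj):
            findings.extend(find_plaintext_fields(item, f"{path}[{i}]"))
    return findings


def audit(list_json):
    """Map 'Kind/name' to its offending paths for every object in a List."""
    report = {}
    for item in json.loads(list_json).get("items", []):
        ident = f"{item.get('kind')}/{item.get('metadata', {}).get('name')}"
        hits = find_plaintext_fields(item)
        if hits:
            report[ident] = hits
    return report


if __name__ == "__main__":
    for ident, paths in audit(SAMPLE_LIST).items():
        print(f"{ident}: {', '.join(paths)}")
```

Each path the audit returns is a field whose value must be treated as exposed: rotate the credential it holds, then move the value into a Secret (or the platform's encrypted store) so the object only carries a reference. Feeding the script a real `kubectl get ... -o json` export instead of the constructed sample is the only change needed to run it against a cluster.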
Rearchitecting Kubernetes: MKE 4k and k0s
Mirantis reimagined Kubernetes with security and scalability built in. Using a zero-trust architecture and CNCF-aligned components, MKE 4k and k0s create platforms that assume nothing and secure everything by default, ensuring that businesses have a secure, enterprise-ready environment in which to deploy modern applications at scale.
MKE 4k: Enterprise-Grade, Composable, Secure
FIPS 140-2 validated encryption across control and data planes.
Composable open source architecture based on k0s and CNCF components. No vendor lock-in.
Declarative GitOps lifecycle with drift correction via MKE Operator.
Built-in security stack including Calico CNI, NGINX ingress, Velero backups, and KMS secret encryption.
Granular RBAC and Dex integration for OAuth, OIDC, SAML, and LDAP authentication.
k0s: Lightweight, Secure, Zero Friction
Single-binary architecture reduces attack surface and supply chain risk.
Automatic TLS bootstrapping and CIS benchmark support.
Air-gapped deployment ready for edge and high-security environments.
Fast lifecycle operations with k0sctl automation.
From Vulnerability to Victory: Why It Matters
Eliminate secret leakage by design: MKE 4k and k0s encrypt all sensitive fields automatically. No plaintext. No panic. Secure Kubernetes by default.
Automate lifecycle and drift management: Upgrades and config corrections are declarative, reducing toil and increasing trust.
Ensure compliance out of the box: FIPS and CIS benchmarks are built in. No last-minute audit fire drills.
Scale securely, anywhere: Whether edge, multi-cloud, or on-premises, Mirantis platforms replicate trusted environments quickly.
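The "KMS secret encryption" item in the MKE 4k list and the "no plaintext" claim above both rest on the API server's EncryptionConfiguration, and that file has a failure mode worth checking on any platform: Kubernetes encrypts new writes with the first provider listed for a resource and only uses later providers when reading, so an `identity` provider placed first leaves every new Secret in etcd in plaintext even when a `kms` provider appears further down. The checker below is an added example, not Mirantis' or k0s' code; both configurations are constructed, and the KMS plugin name and socket path are assumptions.

```python
"""Check whether an EncryptionConfiguration actually encrypts a resource at rest.

Added example. The two configurations are constructed; the plugin name
"example-kms" and the socket path are assumptions.
"""
import json

# Providers that transform the stored bytes; `identity` stores them as-is.
ENCRYPTING_PROVIDERS = {"kms", "aescbc", "aesgcm", "secretbox"}

KMS_PROVIDER = {"kms": {"apiVersion": "v2", "name": "example-kms",
                        "endpoint": "unix:///run/kms.sock", "timeout": "3s"}}

# Weak: identity is first, so every NEW Secret is written in plaintext.
WEAK_CONFIG = json.dumps({
    "apiVersion": "apiserver.config.k8s.io/v1",
    "kind": "EncryptionConfiguration",
    "resources": [{
        "resources": ["secrets"],
        "providers": [{"identity": {}}, KMS_PROVIDER],
    }],
})

# Corrected: KMS is first, so new writes are encrypted; identity stays last
# only so objects written before the change can still be read and migrated.
STRONG_CONFIG = json.dumps({
    "apiVersion": "apiserver.config.k8s.io/v1",
    "kind": "EncryptionConfiguration",
    "resources": [{
        "resources": ["secrets"],
        "providers": [KMS_PROVIDER, {"identity": {}}],
    }],
})


def providers_for(config_json, resource):
    """Ordered provider list that applies to `resource`, or [] if none does."""
    cfg = json.loads(config_json)
    for entry in cfg.get("resources", []):
        names = entry.get("resources", [])
        # The API server also accepts other wildcard forms; only the literal
        # resource name and the catch-all "*.*" are recognised here.
        if resource in names or "*.*" in names:
            return entry.get("providers", [])
    return []


def write_provider(config_json, resource="secrets"):
    """Name of the provider used for NEW writes of `resource`: the first listed."""
    providers = providers_for(config_json, resource)
    return next(iter(providers[0])) if providers else None


def audit_encryption(config_json, resource="secrets"):
    """Return findings; an empty list means new writes of `resource` are encrypted."""
    providers = providers_for(config_json, resource)
    if not providers:
        return [f"{resource}: no encryption entry; stored in plaintext"]
    first = write_provider(config_json, resource)
    if first not in ENCRYPTING_PROVIDERS:
        return [f"{resource}: first provider is '{first}', new writes are not encrypted"]
    return []


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("corrected", STRONG_CONFIG)):
        print(label, "->", audit_encryption(cfg) or "secrets encrypted at rest")
```

Reordering the providers only changes how future writes are stored. Objects written while `identity` was first remain plaintext in etcd until they are rewritten, which the Kubernetes documentation does with `kubectl get secrets --all-namespaces -o json | kubectl replace -f -` after the API server has been restarted with the corrected file.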
Get Started with Mirantis Kubernetes Solutions
Ready to secure and simplify your Kubernetes infrastructure? Explore Mirantis Kubernetes Engine 4k for enterprise-grade security and composability, or try k0s in your lab for a lightweight, secure, zero-friction Kubernetes experience. Need expert guidance? Book a demo to see MKE 4k in action, or request a security posture comparison between Rancher, MKE 4k, and k0s to make an informed decision.
The Bottom Line
Rancher’s CVEs are a case study in security debt. Upgrading is a temporary fix. The next step is adopting platforms with security and automation baked in.
MKE 4k and k0s help you deliver modern applications at scale with no compromise. No plaintext. No firefighting. Just clean architecture that scales.