
The problem is in the intersection of nginx-ingress and Kubernetes. Since the ingress controller has access to secrets from all the namespaces (which is the Kubernetes side of the story), the nginx implementation with snippets added by users (the nginx contribution) may expose these secrets. The post also points to an open source tool that helps people check if they are vulnerable, whether they want to get to the bottom of the issue or not.
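
A defender-side check for the situation described in this comment, written as an added example (not the tool the comment refers to, nor any project's code): it scans the JSON that `kubectl get ingress -A -o json` produces for ingress-nginx snippet annotations, which let a tenant inject raw nginx directives into a controller that reads Secrets cluster-wide, and it reads the controller ConfigMap's `allow-snippet-annotations` key. The annotation names and the ConfigMap key are ingress-nginx's own; the sample objects are constructed.

```python
"""Find Ingress objects that carry ingress-nginx snippet annotations and
report whether the controller still accepts them at all."""
import json
from typing import Dict, List

# Annotation keys ingress-nginx treats as raw nginx config snippets.
SNIPPET_ANNOTATIONS = (
    "nginx.ingress.kubernetes.io/configuration-snippet",
    "nginx.ingress.kubernetes.io/server-snippet",
    "nginx.ingress.kubernetes.io/stream-snippet",
    "nginx.ingress.kubernetes.io/auth-snippet",
    "nginx.ingress.kubernetes.io/modsecurity-snippet",
)


def find_snippet_ingresses(ingress_list: Dict) -> List[Dict]:
    """One finding per Ingress whose annotations include a snippet key.
    `ingress_list` has the shape of `kubectl get ingress -A -o json`."""
    findings = []
    for item in ingress_list.get("items", []):
        meta = item.get("metadata") or {}
        annotations = meta.get("annotations") or {}
        hits = sorted(k for k in annotations if k in SNIPPET_ANNOTATIONS)
        if hits:
            findings.append({
                "namespace": meta.get("namespace", "default"),
                "name": meta.get("name", "<unnamed>"),
                "annotations": hits,
            })
    return findings


def snippets_allowed(controller_configmap: Dict) -> bool:
    """True unless the ingress-nginx ConfigMap sets
    allow-snippet-annotations to "false". The default for an absent key
    differs between controller versions, so an absent key is treated as
    allowed here (the conservative reading for a scanner)."""
    data = controller_configmap.get("data") or {}
    return data.get("allow-snippet-annotations", "true").strip().lower() != "false"


# Constructed sample: one tenant Ingress with a server-snippet, one without.
SAMPLE_INGRESSES = json.loads("""{"items": [
  {"metadata": {"namespace": "tenant-a", "name": "web",
   "annotations": {"nginx.ingress.kubernetes.io/server-snippet":
                   "add_header X-Example ok;"}}},
  {"metadata": {"namespace": "tenant-b", "name": "api", "annotations": {}}}
]}""")
SAMPLE_CONFIGMAP = {"data": {"allow-snippet-annotations": "true"}}

if __name__ == "__main__":
    print("snippets allowed by controller:", snippets_allowed(SAMPLE_CONFIGMAP))
    for f in find_snippet_ingresses(SAMPLE_INGRESSES):
        print(f"{f['namespace']}/{f['name']}: {', '.join(f['annotations'])}")
```

Any hit where `snippets_allowed` is also true is an Ingress author who can shape the controller's nginx configuration; the fix on the controller side is setting `allow-snippet-annotations: "false"` and, if snippets are genuinely needed, restricting who may create Ingress objects.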


I know nearly nothing about ARMO, and I have nothing against you, the company you founded and are CTO of (ARMO), or ARMO providing an open source tool. I appreciate that you have made this work open source.

Still, some of us on Hacker News dislike advertising. I 100% agree with everything you've written in this comment, but as I mentioned in the comment you're replying to, the GitHub issue also contains an ad for the same tool - it just doesn't make it front and center, it allows any competitors to make their own comments on an open platform, and it feels less biased. Less advertisey.

Instead of "install our product", it could have been something like "run this thing specific to this exact vulnerability that does the absolute bare minimum. Oh, btw, if you liked that, you should check out our product that does much more, kubescape"

But as it stands now, it just feels different.


While I understand the concern with curl | bash, this method is used in many different open source product installations. The sh file is coming from GitHub - a pretty trustworthy source. You can always view it in the browser (GitHub will not trick you into a different version), but you can also curl it or just download the source from the repository (just half a page above). You can also always review and rebuild the entire tool - another beauty of open source. But most people just want to use the tool as fast and as simply as it can be. I guess there are options for any possible taste.


While the "official" hostPath feature is intended to provide the same result, it is being watched by practically all security and compliance tools, so such access can't go unnoticed. With the subPath abuse, attackers can obtain complete host file system access undetected. So it is really urgent to start scanning for this vulnerability and potential exploits until your Kubernetes version is upgraded.


Any universal platform or toolkit is overengineered somewhat (or a lot), but this is the name of the game. Flexibility comes at the price of forcing you to invest in configuration, automation, deployment and maintenance. Then security comes to close the gaps. Every player in this game is honestly trying to be better and help others. Kubernetes is a fact of life, and rightfully so. It needs helper tools in several areas. Security is just one of them, and Kubescape is just one step of many...


Well, this is exactly why it's open source. You can build everything yourself, check the scripts, etc. At the end of the day, all these tools are intended to help people find issues as early as possible.


CIS is very prescriptive. It gives you a list of very specific checks with very little context. NSA, on the other hand, explains the problems and potential attack vectors, allowing you to adjust and extend the checks to your specific needs.

