Kubernetes reports the results of its open-source security audit

All programs need security audits, but the Cloud Native Computing Foundation (CNCF) took a new open-source approach and revealed all to its users.
Written by Steven Vaughan-Nichols, Senior Contributing Editor

Unless you've been living under a rock, hardly a day goes by anymore without a new software security problem popping up. The folks at the Cloud Native Computing Foundation (CNCF) certainly have noticed. So, when it came time to give Kubernetes, the most important container orchestration program, a security audit, the CNCF tried an open-source approach for checking it for security problems. 

This wasn't a new idea. That credit goes to the Core Infrastructure Initiative (CII) Best Practices Badge program. Open-source projects that get this badge must show they follow security best practices. The CII used this approach on three other projects: CoreDNS, Envoy, and Prometheus. Then, it used it on the big one: Kubernetes.

Since Kubernetes is a huge project, with functionality running from API gateways to container orchestration to networking and beyond, the CNCF's Third Party Security Audit Working Group with Trail of Bits and Atredis Partners narrowed the audit's scope to eight of Kubernetes' most commonly used components:

  • Kube-apiserver
  • Etcd
  • Kube-scheduler
  • Kube-controller-manager
  • Cloud-controller-manager
  • Kubelet
  • Kube-proxy
  • Container Runtime

What they found is that, while Kubernetes is already widely deployed, it needs a lot of security work. Trail of Bits stated in its report:

"The assessment team found configuration and deployment of Kubernetes to be non-trivial, with certain components having confusing default settings, missing operational controls, and implicitly designed security controls." 

As for the code, it said, "the state of the Kubernetes codebase has significant room for improvement."

Specifically,  the team found 34 significant Kubernetes vulnerabilities: Four were of high severity; 15 medium severity; eight low severity; and seven informational severity. Two of the nastiest bugs have already been fixed in new releases of Kubernetes 1.13.9, 1.14.5, and 1.15.2: CVE-2019-11247, and CVE-2019-11249. The former would enable a user in one namespace to access a resource scoped to a cluster. The latter could allow an attacker to misuse the kubectl cp command to create or replace a file on the client computer. 

Kubernetes users should carefully go over the audit report. There is a lot to be done here to make sure your Kubernetes clusters work safely for you and your customers. 

Still, although the team found a lot of work for both developers and administrators, CNCF is to be complemented to finding and publicly revealing Kubernetes' problems. Now that they're in the open, they can be fixed. As the daily litany of new security holes shows, keeping security concerns quiet helps no one except attackers.

Related Stories:

Editorial standards