Results of the KEDA security engagement

Community post by Amir Montazery, OSTIF, cross-posted from OSTIF’s blog

KEDA, or the Kubernetes-based Event Driven Autoscaling project, was reviewed by Trail of Bits at the end of 2022. KEDA joins a growing list of CNCF Projects audited to improve security posture and help reach graduated status thanks to strategic partner OSTIF. A combination of threat modeling, manual code review, and automated testing tools were used for this engagement. 

The audit uncovered one significant flaw in Redis Scalers that could impact system confidentiality, integrity, or availability. The issue had to do with Cryptography and circumventing TLS, allowing for potential MitM attacks. An overview of the findings and security improvements can be found below:

Remediation Updates Based on Audit Findings

1. https://github.com/kedacore/keda/pull/3966.
2. https://github.com/kedacore/keda/pull/3989.
3. Addressed via https://github.com/kedacore/keda/pull/4091. This Prometheus server has been deprecated and will be removed entirely in 2 releases according to the project’s deprecation policy in favor of operator’s Prometheus server (from operator-sdk).
4.  https://github.com/kedacore/keda/pull/3985.
5.  https://github.com/kedacore/keda/pull/4007.
6.  https://github.com/kedacore/keda/pull/4006.
7. Remediated by first adding CodeQL with `security-and-quality` queries enabled and also fixing the reported issues: (1) https://github.com/kedacore/keda/pull/4133 and (2) https://github.com/kedacore/keda/pull/4142.
8. Remediated due to fixes implemented for Audit Finding #3.

Tooling Updates and Security Posture Improvements

1. Introduced semgrep as tool (with GitHub integration) with all golang rules enabled + https://github.com/dgryski/semgrep-go rules, and also 2 custom rules, one for detecting the connection string (as proposed by audit team) and another one for detecting wrong error wrappings (to play around the tool and check how it works). A majority of the rules are in comment mode to detect them in PRs and suggest changes, and in parallel have been fixing all the alerts detected, as seen in https://github.com/kedacore/keda/pull/3998

2. Another important security improvement is the cert management. TLS certificates have been introduced for for all KEDA communications (between the k8s API server and the metrics server, between the k8s API server and webhooks and between KEDA operator and KEDA metrics server) and for authenticate KEDA metrics server in KEDA operator gRCP server (the server exposes a TLS endpoint and requires TLS client authentication).

“With KEDA, we strive to provide a secure application autoscaling solution by using an extensive suite of security tools and offer our end-users various ways to authenticate to their dependencies and meet corporate requirements. Thanks to the audit we were able to patch some minor vulnerabilities and increase our existing security toolchain to prevent new vulnerabilities from being introduced.”

• Tom Kerkhove – KEDA Maintainer, Senior Software Engineer at Microsoft 

“We greatly appreciate OSTIF and Trail of Bits for their thorough security audit of KEDA and for the excellent cooperation we received. The KEDA community is constantly striving to make the project better and more secure for our users, the insights provided in the audit will help us achieve that.”

• Zbynek Roubalik – KEDA Maintainer, Principal Software Engineer at Red Hat

Thank You

We thank Jorge Turrado, Tom Kerkhove, Zbynek Roubalik, and all the KEDA maintainers for their help and collaboration on this engagement. 

Special thanks to Cloud Native Computing Foundation for sponsoring the audit and entrusting OSTIF to get the work done. We are truly grateful for the opportunity to help make critical cloud computing infrastructure more secure and sustainable.