By Chris Aniszczyk (@cra) and Rey Lejano
In 2018, the Cloud Native Computing Foundation (CNCF) started performing and open sourcing third-party security audits with the goal of improving the overall security practices of our ecosystem. Since then, Argo, Backstage, CoreDNS, CRI-O, Envoy, etcd, Flux, KubeEdge, Linkerd, Prometheus, SPIFFE/SPIRE and other CNCF projects have gone through security audits.
Today, CNCF is sharing the results of the Kubernetes third-party audit based on the 1.24 release, sponsored by CNCF and conducted over the summer of 2022 by NCC Group with the help of the Kubernetes SIG Security Third Party Audit Working Group. The goal of this security review was to identify any issues in the project architecture and code base which could adversely affect the security of Kubernetes users.
“It is critical that open source projects adhere to the highest level of security practices given the emphasis on supply chain security issues these days. Public security audits like this one is an ideal way to test a project’s vulnerability management process and more importantly, how resilient the open source project’s security practices are. Thanks to the members of the Kubernetes Security Audit Working Group and the NCC Group for helping identify vulnerabilities in Kubernetes and providing recommendations to consistently improve its security posture.” – Chris Aniszczyk, CTO, CNCF
“Kubernetes SIG Security External Audit subproject is responsible for coordinating third-party security audits for Kubernetes. The subproject abides by the Security Release Process and embargo policy. The audit findings are reviewed by the Kubernetes Security Response Committee before public disclosure.” – Rey Lejano, SIG Security External Audit subproject lead
“NCC Group is honored to have been chosen to conduct a security audit of the Kubernetes project 1.24.0 release during May and June of 2022. Our global project team discovered vulnerabilities in Kubernetes components and provided recommendations for enhancing the security of the architectural design of Kubernetes. Our mission at NCC Group is to create a secure digital future and we are very pleased to have been a part of an audit which results in improving the security posture of Kubernetes for the open-source community.” – Iain Smart, Principal Security Consultant, Containerization and Orchestration Practice Lead, NCC Group
Scope
This security audit is meant to paint a broad picture of the security posture of Kubernetes and its source code base, and focuses specifically on the following components of Kubernetes:
- kube-apiserver
- kube-scheduler
- Kubernetes use of etcd
- kube-controller-manager
- cloud-controller-manager
- kubelet
- kube-proxy
- Secrets-store-csi-drive
- Coverage on all aspects that have changed since the previous audit of Kubernetes 1.13
While Kubernetes relies upon Container Runtimes such as Docker and CRI-O, container escapes that rely upon bugs in the container runtime are not in scope unless, for example, the escape is made possible by a defect in the way that Kubernetes sets up the container.
Key Findings
During the assessment, NCC Group identified:
- A number of concerns with the administrative experience as it relates to restricting user or network permissions. These may result in administrator confusion or a lack of clarity around the permissions available to a specific component.
- Flaws in inter-component authentication which allow a suitably positioned malicious user to escalate permissions to cluster-admin.
- Weaknesses in logging and auditing which could be abused by an attacker post-compromise to aid in maintaining persistence or stealth once in control of a cluster.
- Flaws in user input sanitisation which allow a restricted form of authentication bypass by modifying the request made to the etcd datastore.
While numerous other findings were also identified, these were determined to pose limited risk to users. This is due to either their impact being low, or privileged permissions being required in order to abuse the vulnerable functionality.
Strategic recommendations
- The Kubernetes project has demonstrated efforts to improve the security of the overall project
- Where a relatively simple fix is possible, for example in the identified instances of unsanitized user inputs, these issues should be fixed in code as soon as possible.
- Where more complicated fixes are required, it may be more pertinent to update Kubernetes documentation to inform users of the identified risks while longer-term fixes are applied.
- A number of findings from the previous audit performed against Kubernetes version 1.13 remain open or unfixed.
For background on CNCF project security audits and an overview of the Kubernetes 1.13 audit in late 2019, check out Chris Aniszczyk’s post. Check out the Kubernetes post that reviews the current state of the 2019 audit findings.
The third-party security audit based on Kubernetes 1.24 is available in the Kubernetes GitHub repository.