Current State: 2019 Third Party Security Audit of Kubernetes

Authors (in alphabetical order): Cailyn Edwards (Shopify), Pushkar Joglekar (VMware), Rey Lejano (SUSE) and Rory McCune (DataDog)

We expect the brand new Third Party Security Audit of Kubernetes will be published later this month (Oct 2022).

In preparation for that, let's look at the state of findings that were made public as part of the last third party security audit of 2019 that was based on Kubernetes v1.13.4.

Motivation

Craig Ingram has graciously attempted over the years to keep track of the status of the findings reported in the last audit in this issue: kubernetes/kubernetes#81146. This blog post will attempt to dive deeper into this, address any gaps in tracking and become a point in time summary of the state of the findings reported from 2019.

This article should also help readers gain confidence through transparent communication, of work done by the community to address these findings and bubble up any findings that need help from community contributors.

Current State

The status of each issue / finding here is represented in a best effort manner. Authors do not claim to be 100% accurate on the status and welcome any corrections or feedback if the current state is not reflected accurately by commenting directly on the relevant issue.

#TitleIssueStatus
1hostPath PersistentVolumes enable PodSecurityPolicy bypass#81110closed, addressed by kubernetes/website#15756 and kubernetes/kubernetes#109798
2Kubernetes does not facilitate certificate revocation#81111duplicate of #18982 and needs a KEP
3HTTPS connections are not authenticated#81112Largely left as an end user exercise in setting up the right configuration
4TOCTOU when moving PID to manager's cgroup via kubelet#81113Requires Node access for successful exploitation. Fix needed
5Improperly patched directory traversal in kubectl cp#76788closed, assigned CVE-2019-11249, fixed in #80436
6Bearer tokens are revealed in logs#81114closed, assigned CVE-2019-11250, fixed in #81330
7Seccomp is disabled by default#81115closed, addressed by #101943
8Pervasive world-accessible file permissions#81116#112384 ( in progress)
9Environment variables expose sensitive data#81117closed, addressed by #84992 and #84677
10Use of InsecureIgnoreHostKey in SSH connections#81118This feature was removed in v1.22: #102297
11Use of InsecureSkipVerify and other TLS weaknesses#81119Needs a KEP
12kubeadm performs potentially-dangerous reset operations#81120closed, fixed by #81495, #81494, and kubernetes/website#15881
13Overflows when using strconv.Atoi and downcasting the result#81121closed, fixed by #89120
14kubelet can cause an Out of Memory error with a malicious manifest#81122closed, fixed by #76518
15kubectl can cause an Out Of Memory error with a malicious Pod specification#81123Fix needed
16Improper fetching of PIDs allows incorrect cgroup movement#81124Fix needed
17Directory traversal of host logs running kube-apiserver and kubelet#81125closed, fixed by #87273
18Non-constant time password comparison#81126closed, fixed by #81152
19Encryption recommendations not in accordance with best practices#81127Work in Progress
20Adding credentials to containers by default is unsafe#81128Closed, fixed by #89193
21kubelet liveness probes can be used to enumerate host network#81129Needs a KEP
22iSCSI volume storage cleartext secrets in logs#81130closed, fixed by #81215
23Hard coded credential paths#81131closed, awaiting more evidence
24Log rotation is not atomic#81132Fix needed
25Arbitrary file paths without bounding#81133Fix needed.
26Unsafe JSON construction#81134Partially fixed
27kubelet crash due to improperly handled errors#81135Closed. Fixed by #81135
28Legacy tokens do not expire#81136closed, fixed as part of #70679
29CoreDNS leaks internal cluster information across namespaces#81137Closed, resolved with CoreDNS v1.6.2. #81137 (comment)
30Services use questionable default functions#81138Fix needed
31Incorrect docker daemon process name in container manager#81139closed, fixed by #81083
32Use standard formats everywhere#81140Needs a KEP
33Superficial health check provides false sense of safety#81141closed, fixed by #81319
34Hardcoded use of insecure gRPC transport#81142Needs a KEP
35Incorrect handling of Retry-After#81143closed, fixed by #91048
36Incorrect isKernelPid check#81144closed, fixed by #81086
37Kubelet supports insecure TLS ciphersuites#81145closed but fix needed for #91444 (see this comment)

Inspired outcomes

Apart from fixes to the specific issues, the 2019 third party security audit also motivated security focussed enhancements in the next few releases of Kubernetes. One such example is Kubernetes Enhancement Proposal (KEP) 1933 Defend Against Logging Secrets via Static Analysis to prevent exposing secrets to logs with Patrick Rhomberg driving the implementation. As a result of this KEP, go-flow-levee, a taint propagation analysis tool configured to detect logging of secrets, is executed in a script as a Prow presubmit job. This KEP was introduced in v1.20.0 as an alpha feature, then graduated to beta in v1.21.0, and graduated to stable in v1.23.0. As stable, the analysis runs as a blocking presubmit test. This KEP also helped resolve the following issues from the 2019 third party security audit:

Remaining Work

Many of the 37 findings identified were fixed by work from our community members over the last 3 years. However, we still have some work left to do. Here's a breakdown of remaining work with rough estimates on time commitment, complexity and benefits to the ecosystem on fixing these pending issues.

TitleIssueTime CommitmentComplexityBenefit to Ecosystem
Kubernetes does not facilitate certificate revocation#81111HighHighMedium
Use of InsecureSkipVerify and other TLS weaknesses#81119HighHighMedium
kubectl can cause a local Out Of Memory error with a malicious Pod specification#81123MediumMediumMedium
Improper fetching of PIDs allows incorrect cgroup movement#81124MediumMediumMedium
kubelet liveness probes can be used to enumerate host network#81129HighHighMedium
API Server supports insecure TLS ciphersuites#81145MediumMediumLow
TOCTOU when moving PID to manager's cgroup via kubelet#81113MediumMediumLow
Log rotation is not atomic#81132MediumMediumLow
Arbitrary file paths without bounding#81133MediumMediumLow
Services use questionable default functions#81138MediumMediumLow
Use standard formats everywhere#81140HighHighVery Low
Hardcoded use of insecure gRPC transport#81142HighHighVery Low

To get started on fixing any of these findings that need help, please consider getting involved in Kubernetes SIG Security by joining our bi-weekly meetings or hanging out with us on our Slack Channel.