Scanning and private triage of dangling DNS records

[tabbysable]

A common type of issue reported to the Security Response Committe under the Kubernetes bug bounty program is netlify takeovers. These occur when a Kubernetes DNS record points to a Netlify account that does not exist, and allow anyone to publish web content under a Kubernetes-project hostname.

We could help the project and the user community to be safer by doing proactive scanning for these sorts of issues.

I have discussed this idea with other SRC members, and we would like to ask the SIG Security Tooling community to help make it happen.

[tabbysable]

One possible way to implement such a thing would be a scheduled Prow job that looped over the DNS configuration in https://github.com/kubernetes/k8s.io/, validated the existence of any referenced Netlify resources, and sent private email notifications to security@kubernetes.io if any dangling records were found.

[tabbysable]

/label help-wanted
/sig security

[k8s-ci-robot]

@tabbysable: The label(s) /label help-wanted cannot be applied. These labels are supported: api-review, tide/merge-method-merge, tide/merge-method-rebase, tide/merge-method-squash, team/katacoda, refactor, ci-short, ci-extended, ci-full. Is this label configured under labels -> additional_labels or labels -> restricted_labels in plugin.yaml?

In response to this:

/label help-wanted
/sig security

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[tabbysable]

/help
/triage accepted

[k8s-ci-robot]

@tabbysable:
This request has been marked as needing help from a contributor.

Guidelines

Please ensure that the issue body includes answers to the following questions:

• Why are we solving this issue?
• To address this issue, are there any code changes? If there are code changes, what needs to be done in the code and what places can the assignee treat as reference points?
• How can the assignee reach out to you for help?

For more details on the requirements of such an issue, please see here and ensure that they are met.

If this request no longer meets these requirements, the label can be removed
by commenting with the /remove-help command.

In response to this:

/help
/triage accepted

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.