Blog: Current State of 2019 Third Party Kubernetes Audit

[PushkarJ]

Fixes kubernetes/sig-security#56
Preview: https://deploy-preview-36971--kubernetes-io-main-staging.netlify.app/blog/2022/10/05/current-state-2019-third-party-audit/
/cc @raesene @cailynse @reylejano @cji

/sig security docs
/committee security-response

[netlify]

✅ Pull request preview available for checking

Built without sensitive environment variables

Name	Link
🔨 Latest commit	e5c91f7
🔍 Latest deploy log	https://app.netlify.com/sites/kubernetes-io-main-staging/deploys/632cbeb79bc0240008bbed35
😎 Deploy Preview	https://deploy-preview-36971--kubernetes-io-main-staging.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify site settings.

[netlify]

✅ Pull request preview available for checking

Built without sensitive environment variables

Name	Link
🔨 Latest commit	eef47e5
🔍 Latest deploy log	https://app.netlify.com/sites/kubernetes-io-main-staging/deploys/633b67e1aa651b0008223d48
😎 Deploy Preview	https://deploy-preview-36971--kubernetes-io-main-staging.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify site settings.

[cailynse]

praise: This looks really good to me! I like how concise it is, and how it makes it easy to identify places for contributing.

idea: There is a small summary in the findings - is it worth including it?

Overall, Kubernetes is a large system with significant operational complexity. The
assessment team found configuration and deployment of Kubernetes to be non-trivial, with
certain components having confusing default settings, missing operational controls, and
implicitly defined security controls. Also, the state of the Kubernetes codebase has
significant room for improvement. The codebase is large and complex, with large sections
of code containing minimal documentation and numerous dependencies, including
systems external to Kubernetes. There are many cases of logic re-implementation within
the codebase which could be centralized into supporting libraries to reduce complexity,
facilitate easier patching, and reduce the burden of documentation across disparate areas
of the codebase.

Despite the results of the assessment and the operational complexity of the underlying
cluster components, Kubernetes streamlines difficult tasks related to maintaining and
operating cluster workloads such as deployments, replication, and storage management.
Additionally, Kubernetes takes steps to help cluster administrators harden and secure their
clusters through features such as Role Based Access Controls (RBAC) and various policies
which extend the RBAC controls. Continued development of these security features, and
further refinement of best practices and sane defaults will lead the Kubernetes project
towards a secure-by-default configuration.

[cji]

Thanks for the ping on this! I'm excited to see this call to action on these. This is really great work from you all updating the status and to see the progress that's been made. When this is published would it be helpful to update the original tracking issue with these statuses as well?

[divya-mohan0209]

Initial set of reviews

[PushkarJ]

@cailynse Thanks for the praise. About the idea, I worry that reiterating the summary from the report, would make people implicitly believe that the summary has not changed over the years and may cause confusion.

[PushkarJ]

@cji thanks for the feedback! I think adding a blog post link at the top of the original issue description, would be good enough, imo :)

[sftim]

For publication date, could I suggest 2022-10-05 (or, if it looks like it won't be ready on time: later)

[PushkarJ]

For publication date, could I suggest 2022-10-05 (or, if it looks like it won't be ready on time: later)

@reylejano would that be okay with timelines for 2021-22 audit publication?

(Want to publish this atleast a week before publication of the new audit)

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: sftim

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• content/en/blog/OWNERS [sftim]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[PushkarJ]

Thanks you all for the feedback while I was away. Incoming - a bunch of changes based on feedback so far!

[PushkarJ]

Update: I have no wifi unfortunately on my plane. So gonna have to push changes later in the afternoon today. I think we should still be on track for Oct 5 publication

[sftim]

/hold
@PushkarJ once you feel this has had the right level of scrutiny, including by the blog team, please unhold

It's OK to merge this even if some nit-level feedback is outstanding (in that case, please consider opening a follow-up PR).

Would be good to get a formal comment from a reviewer representing SIG Security.

[PushkarJ]

All comments should be addressed and resolved now.

Would appreciate lgtm from reviewers who already gave such valuable feedback!

[reylejano]

Thank you @PushkerJ for addressing comments
With my SIG Security third-party audit subproject owner hat on, this looks good to me
/lgtm

[k8s-ci-robot]

LGTM label has been added.

Git tree hash: 6f292f3a6f72882b076d7cd91a07896b3890c13b

[cailynse]

This looks really great! Thanks so much for putting this together and incorporating all the thoughtful feedback!

/lgtm

[k8s-ci-robot]

@PushkarJ: you cannot LGTM your own PR.

In response to this:

/lgtm

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[PushkarJ]

/hold cancel

[sftim]

Great stuff.

A few super minor things.

[sftim]

💭 I think kubernetes/kubernetes#109798 (PSP removal) is also relevant here.

(something for a follow-up PR, perhaps?)

[sftim]

nit / for feedback

I'd put:

Suggested change

	| Kubectl can cause a local Out Of Memory error with a malicious Pod specification | [#81123](https://github.com/kubernetes/kubernetes/issues/81123) | Medium | Medium | Medium |
	| `kubectl` can cause a local Out Of Memory error with a malicious Pod specification | [#81123](https://github.com/kubernetes/kubernetes/issues/81123) | Medium | Medium | Medium |

We avoid capitalizing the names of commands, it verges on misleading the reader.

[reylejano]

Added this suggestion and previous suggestion in followup PR #37156