CNCF’s Security Audit Group Exposes 34 Vulnerabilities in Kubernetes

  • Two of the most serious bugs have been fixed in new releases of Kubernetes
  • The CNCF’s Third Party Security Audit Working Group performed the audit in collaboration with Trail of Bits and Atredis Partners
  • Last year, the Foundation identified security issues in CoreDNS, Envoy and Prometheus.


The Cloud Native Computing Foundation (CNCF) has released the Kubernetes security audit report on GitHub.

Hosted by the CNCF, Kubernetes is an open source container orchestration engine for automating deployment, scaling and management of containerized applications.

Specifically, the audit team found 34 vulnerabilities in Kubernetes: four of high severity, 15 of medium severity, eight of low severity and seven rated informational.

Two of the most serious bugs have already been fixed in Kubernetes 1.13.9, 1.14.5 and 1.15.2: CVE-2019-11247, under which the API server allowed a cluster-scoped custom resource to be accessed through a namespaced request path, so that namespace-scoped roles and role bindings could grant access to it, and CVE-2019-11249, an incomplete fix for earlier kubectl cp directory-traversal bugs that let a malicious container write files outside the intended destination directory on the client. Clusters on older patch levels of those three minor lines remain exposed until upgraded.
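A practitioner's first question on reading the paragraph above is whether a given cluster already carries the two fixes. The check below is an added example, not code from the article or from the Kubernetes project; the three patched releases come from the text, while treating every later minor line as fixed and every older, end-of-life line as unfixed is this example's own assumption. The point it makes is that the comparison has to be done per minor release line: a naive "newer than 1.13.9" test would wrongly accept 1.14.4, which predates the 1.14.5 fix.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Added example, not from the article or the Kubernetes project: decide
// whether a cluster version string already carries the fixes for
// CVE-2019-11247 and CVE-2019-11249. The patched releases (1.13.9, 1.14.5,
// 1.15.2) are taken from the text; treating every later minor line as fixed
// and every earlier, unsupported line as unfixed is this example's assumption.
var firstFixedPatch = map[int]int{13: 9, 14: 5, 15: 2}

// parseVersion accepts "v1.14.3", "1.14.3", "v1.14.3-gke.1" or "v1.13.9+k3s1"
// and returns major, minor and patch. Vendor suffixes after '-' or '+' are dropped.
func parseVersion(v string) (major, minor, patch int, err error) {
	v = strings.TrimPrefix(strings.TrimSpace(v), "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v = v[:i]
	}
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return 0, 0, 0, fmt.Errorf("unrecognised version %q", v)
	}
	nums := make([]int, 3)
	for i, p := range parts {
		n, convErr := strconv.Atoi(p)
		if convErr != nil || n < 0 {
			return 0, 0, 0, fmt.Errorf("unrecognised version %q", v)
		}
		nums[i] = n
	}
	return nums[0], nums[1], nums[2], nil
}

// HasAuditFixes reports whether the given Kubernetes version contains both
// fixes. The comparison is per minor line: 1.14.4 is newer than 1.13.9 but is
// still unfixed, because the 1.14 line was patched in 1.14.5.
func HasAuditFixes(version string) (bool, error) {
	major, minor, patch, err := parseVersion(version)
	if err != nil {
		return false, err
	}
	if major != 1 {
		return false, fmt.Errorf("unexpected major version %d", major)
	}
	if fixed, ok := firstFixedPatch[minor]; ok {
		return patch >= fixed, nil
	}
	// Minor lines newer than 1.15 were cut after the fixes landed; older
	// lines were end-of-life and received no backport (assumption).
	return minor > 15, nil
}

func main() {
	// Constructed sample versions, including vendor-suffixed ones.
	for _, v := range []string{"v1.15.2", "v1.14.4-gke.1", "v1.13.9+k3s1", "v1.12.10"} {
		ok, err := HasAuditFixes(v)
		fmt.Printf("%-16s fixed=%v err=%v\n", v, ok, err)
	}
}
```

Feed it the Server Version from `kubectl version`; vendor suffixes such as `-gke.1` or `+k3s1` are stripped before comparison, since the distribution's own patch numbering does not change which upstream line the build came from.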

The CNCF’s Third Party Security Audit Working Group in collaboration with Trail of Bits and Atredis Partners completed the audit in four months.

Eight Kubernetes components evaluated

Since Kubernetes is a huge project, with functionality running from API gateways to container orchestration to networking and beyond, the audit team selected eight of Kubernetes’ most commonly used components for evaluation:

  • kube-apiserver
  • etcd
  • kube-scheduler
  • kube-controller-manager
  • cloud-controller-manager
  • kubelet
  • kube-proxy
  • container runtime

They found that, while Kubernetes is already widely deployed, it needs a lot of security work. Trail of Bits stated in its report:

“The assessment team found configuration and deployment of Kubernetes to be non-trivial, with certain components having confusing default settings, missing operational controls, and implicitly designed security controls.”

As for the code, it said, “the state of the Kubernetes codebase has significant room for improvement.”

Recommendations for Kubernetes developers included:

  • Avoid hardcoding paths to dependencies
  • File permissions checking
  • Monitoring processes on Linux
  • Moving processes to a cgroup
  • Future cgroup considerations for Kubernetes
  • Future process handling considerations for Kubernetes
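The first two recommendations above are easier to act on with a concrete shape in front of you. The code below is an added example, not Kubernetes code and not taken from the audit report: it checks a file's permissions before trusting it, and it locates an external helper binary through a configuration-supplied list of trusted directories rather than a path hard-coded at build time. The policy it enforces (no symlinks, no group- or world-writable files, fail closed when a candidate exists but is unsafe) and the function names are this example's own assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// Added example, not Kubernetes code: one way to act on the audit's
// "file permissions checking" and "avoid hardcoding paths to dependencies"
// recommendations. The policy (no symlinks, no group/world write, explicit
// trusted directories) and the function names are this example's assumptions.

// ErrUnsafeFile marks a file that exists but fails the permission policy.
var ErrUnsafeFile = errors.New("unsafe file")

// CheckFilePermissions refuses to trust a path that is a symlink, not a
// regular file, or writable by group or others. Lstat is used so a symlink
// planted at the path is reported instead of being silently followed.
func CheckFilePermissions(path string) error {
	fi, err := os.Lstat(path)
	if err != nil {
		return err // includes os.ErrNotExist, which callers may treat as "keep looking"
	}
	if fi.Mode()&os.ModeSymlink != 0 {
		return fmt.Errorf("%w: %s is a symlink", ErrUnsafeFile, path)
	}
	if !fi.Mode().IsRegular() {
		return fmt.Errorf("%w: %s is not a regular file", ErrUnsafeFile, path)
	}
	if perm := fi.Mode().Perm(); perm&0o022 != 0 {
		return fmt.Errorf("%w: %s is group/world-writable (%04o)", ErrUnsafeFile, path, perm)
	}
	return nil
}

// ResolveDependency finds an external helper binary by bare name inside an
// explicit, configuration-supplied list of trusted directories, instead of a
// path hard-coded at build time. A candidate must pass CheckFilePermissions
// and carry an execute bit. If a candidate exists but is unsafe the search
// fails closed rather than falling through to a later directory.
func ResolveDependency(name string, trustedDirs []string) (string, error) {
	if name == "" || name == "." || name == ".." || filepath.Base(name) != name {
		return "", fmt.Errorf("dependency name %q must be a bare file name", name)
	}
	for _, dir := range trustedDirs {
		candidate := filepath.Join(dir, name)
		err := CheckFilePermissions(candidate)
		if errors.Is(err, os.ErrNotExist) {
			continue
		}
		if err != nil {
			return "", err
		}
		fi, err := os.Stat(candidate)
		if err != nil {
			return "", err
		}
		if fi.Mode().Perm()&0o111 == 0 {
			return "", fmt.Errorf("%w: %s is not executable", ErrUnsafeFile, candidate)
		}
		return candidate, nil
	}
	return "", fmt.Errorf("%s not found in trusted directories %v", name, trustedDirs)
}

func main() {
	// Constructed demo: a helper script in a temporary directory, first with
	// sane permissions and then made world-writable.
	dir, err := os.MkdirTemp("", "deps")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	good := filepath.Join(dir, "helper")
	_ = os.WriteFile(good, []byte("#!/bin/sh\nexit 0\n"), 0o755)
	_ = os.Chmod(good, 0o755)
	fmt.Println(ResolveDependency("helper", []string{"/nonexistent", dir}))
	_ = os.Chmod(good, 0o777) // world-writable: now rejected
	fmt.Println(ResolveDependency("helper", []string{dir}))
}
```

Two design choices matter here. Lstat rather than Stat means an attacker who can plant a symlink at the expected path gets a refusal instead of redirecting the program to a file of their choosing. And a candidate that exists but fails the policy stops the search outright; silently skipping to the next directory would let a writable file earlier in the list be "fixed" by an attacker who replaces it with something the check passes.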

First projects to undergo CNCF security audit

A part of the non-profit Linux Foundation, CNCF serves as the vendor-neutral home for many of the fastest-growing open source projects, including Kubernetes, Prometheus and Envoy.

Last year, the Foundation began the process of performing and open sourcing third-party security audits for its projects in order to improve the overall security of its ecosystem.

The first projects to undergo this process were CoreDNS, Envoy and Prometheus.

The first public audits identified security issues ranging from general weaknesses to critical vulnerabilities. With these results, the project maintainers for CoreDNS, Envoy and Prometheus were able to address the identified vulnerabilities and add documentation to help users.


With inputs from ZDNet
