The Cloud Native Computing Foundation (CNCF) is funding a new Kubernetes bug bounty program to reward researchers who find security vulnerabilities in the Kubernetes codebase as well as in its build and release processes.
The program was launched by the Kubernetes Product Security Committee together with bug bounty program vendor HackerOne.
“As a CNCF graduated project, it is imperative that Kubernetes adhere to the highest levels of security best practices,” CNCF wrote in a post.
A CNCF security audit of Kubernetes, conducted over four months last year, gathered a number of Kubernetes-wide findings, including:
- Policies may not be applied, leading to a false sense of security.
- Insecure TLS is in use by default.
- Credentials are exposed in environment variables and command-line arguments.
- Names of secrets are leaked in logs.
- No certificate revocation.
- seccomp is not enabled by default.
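As an added illustration of three of the findings above (credentials in command-line arguments, credentials in environment variables, and seccomp not being enabled), the following Python checker flags them in a Pod manifest; it is not CNCF's or the Kubernetes project's own tooling, and the sample manifest, the credential-name heuristic and the severities are assumptions made for the example.

```python
import re

# Constructed sample Pod manifest, in the dict form that `kubectl get pod -o json` yields.
SAMPLE_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "demo", "annotations": {}},
    "spec": {"containers": [{
        "name": "app", "image": "example/app:1.0",
        "args": ["--db-password=hunter2", "--port=8080"],
        "env": [
            {"name": "API_TOKEN", "value": "abc123"},
            {"name": "DB_PASS", "valueFrom": {"secretKeyRef": {"name": "db", "key": "pass"}}},
            {"name": "LOG_LEVEL", "value": "info"},
        ],
    }]},
}

# Names that usually denote a credential (heuristic; tune for your environment).
CRED_NAME = re.compile(r"pass|secret|token|api[_-]?key|credential", re.IGNORECASE)
POD_SECCOMP_ANNOTATION = "seccomp.security.alpha.kubernetes.io/pod"  # legacy, pre-1.19 style
CONTAINER_SECCOMP_ANNOTATION = "container.seccomp.security.alpha.kubernetes.io/"  # + container name

def has_seccomp(pod, container):
    """True if a seccomp profile is declared for this container, by field or by legacy annotation."""
    spec = pod.get("spec", {})
    annotations = pod.get("metadata", {}).get("annotations", {})
    return (
        "seccompProfile" in spec.get("securityContext", {})
        or "seccompProfile" in container.get("securityContext", {})
        or POD_SECCOMP_ANNOTATION in annotations
        or CONTAINER_SECCOMP_ANNOTATION + container.get("name", "") in annotations
    )

def audit_pod(pod):
    """Return a list of (severity, message) findings for one Pod manifest."""
    findings = []
    for c in pod.get("spec", {}).get("containers", []):
        name = c.get("name", "?")
        # Command-line arguments are readable by any process that can list /proc on the node.
        for arg in c.get("command", []) + c.get("args", []):
            if CRED_NAME.search(arg.split("=", 1)[0]):
                findings.append(("high", f"{name}: credential passed on the command line ({arg.split('=', 1)[0]})"))
        # Environment variables are inherited by child processes and tend to end up in crash dumps
        # and debug output, even when sourced from a Secret; mounting the Secret as a file limits that.
        for env in c.get("env", []):
            if CRED_NAME.search(env.get("name", "")):
                src = "secretKeyRef" if "valueFrom" in env else "literal value"
                findings.append(("medium", f"{name}: credential in environment variable {env['name']} ({src})"))
        if not has_seccomp(pod, c):
            findings.append(("medium", f"{name}: no seccomp profile declared"))
    return findings
```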
To address these issues, CNCF's recommendations to Kubernetes developers covered:
- Avoiding hardcoded paths to dependencies
- File permissions checking
- Monitoring processes on Linux
- Moving processes to a cgroup
- Future group considerations for Kubernetes
- Future process handling considerations for Kubernetes
Last year, CNCF also performed and open sourced third-party security audits of its projects to improve the overall security of its ecosystem. Among the first projects tested were CoreDNS, Envoy, and Prometheus, and the audits showed how to address the identified vulnerabilities.
“The main takeaway from these initial audits is that a public security audit is a great way to test the quality of an open source project along with its vulnerability management process and more importantly, how resilient the open source project’s security practices are,” CNCF wrote. “With CNCF graduated projects especially, which are used widely in production by some of the largest companies in the world, it is imperative that they adhere to the highest levels of security best practices.”
Details of the bug bounty program are available here.