Gardener security announcement - mitigation recommendation wrt Kubernetes security audit

Thormaehlen, Frederik

Aug 8, 2019, 8:38:28 AM
to gard...@googlegroups.com
Hello Gardener Community,

Most of you might already have heard about the Kubernetes security audit results on GitHub [0], [1] or in the press [2], [3], [4], [5].
Besides its own threat modeling, the Gardener Security Team has been doing continuous penetration testing for more than a year. Thus, we have already been aware of many of the issues mentioned in the Kubernetes security audit for quite some time, and we triggered the open source project Karydia [6].
Karydia is an open source security add-on for Kubernetes that inverts some of the insecure default settings mentioned in the Kubernetes security audit (and does even more), such as:
* automatically adds a seccomp profile to any newly created pod
* removes the service account token
* adds a non-root user to the security section
* prevents pods from running as root by default
* prevents the service account token from being mounted into all pods

To learn more about the open source project Karydia and how you can increase the (default) security of your Gardener-managed Kubernetes clusters (as an optional mitigation recommendation with regard to the Kubernetes security audit), I hereby invite you to the next public Gardener Community Meeting tomorrow [7]. There you will have the chance to discuss with the Karydia maintainers.

Thank you,

Frederik on behalf of the Gardener Security Team

[0] https://github.com/trailofbits/audit-kubernetes
[1] https://github.com/kubernetes/community/tree/master/wg-security-audit/findings
[2] https://www.sdxcentral.com/articles/news/kubernetes-looks-inside-and-finds-security-holes/2019/08/
[3] https://containerjournal.com/2019/08/07/cncf-completes-kubernetes-cybersecurity-audit/
[4] https://siliconangle.com/2019/08/06/34-vulnerabilities-uncovered-security-audit-kubernetes-code/
[5] https://www.heise.de/developer/meldung/Containerisierung-Kubernetes-Security-Audit-veroeffentlicht-4490259.html
[6] https://github.com/karydia/karydia
[7] https://docs.google.com/document/d/1314v8ziVNQPjdBrWp-Y4BYrTDlv7dq2cWDFIa9SMaP4
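The bulleted list above names three pod defaults that the add-on inverts: the missing seccomp profile, the automatically mounted service account token, and containers that may run as root. The following script is an added example, not Karydia's code and not part of the original announcement; it audits a Pod manifest for those three conditions and shows the hardened form of the same manifest. The field names are the standard Kubernetes Pod spec fields for these settings (`securityContext.seccompProfile`, available since Kubernetes 1.19, the older `seccomp.security.alpha.kubernetes.io/pod` annotation, `automountServiceAccountToken`, `runAsNonRoot`, `runAsUser`); the sample manifest and the fallback UID 65534 are constructed for the example.

```python
"""Audit and harden a Kubernetes Pod manifest for the defaults the
Gardener announcement lists: seccomp profile, service account token
mount, running as root.

Added example, not Karydia's code. Manifests are handled as plain
dicts (the structure json/yaml loaders produce) so the script runs
without extra dependencies.
"""
import copy

# Pre-1.19 clusters carried the seccomp profile as an annotation.
LEGACY_SECCOMP_ANNOTATION = "seccomp.security.alpha.kubernetes.io/pod"

# Constructed sample: a minimal Pod as many users write it, with none
# of the security settings filled in.
INSECURE_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "demo"},
    "spec": {"containers": [{"name": "app", "image": "nginx:1.17"}]},
}


def audit_pod(pod: dict) -> list:
    """Return a list of human-readable findings; empty means all three
    defaults are covered."""
    findings = []
    annotations = pod.get("metadata", {}).get("annotations") or {}
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext") or {}

    # 1. seccomp: accept either the field or the legacy annotation.
    if "seccompProfile" not in pod_sc and LEGACY_SECCOMP_ANNOTATION not in annotations:
        findings.append("no seccomp profile: pod runs with seccomp Unconfined")

    # 2. service account token: Kubernetes mounts it unless explicitly disabled.
    if spec.get("automountServiceAccountToken", True) is not False:
        findings.append("automountServiceAccountToken not disabled: "
                        "token is mounted into every container")

    # 3. root: container-level settings override pod-level ones.
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        sc = c.get("securityContext") or {}
        non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
        uid = sc.get("runAsUser", pod_sc.get("runAsUser"))
        if non_root is not True and (uid is None or uid == 0):
            findings.append(f"container {c['name']!r} may run as root: "
                            "set runAsNonRoot or a non-zero runAsUser")
    return findings


def harden_pod(pod: dict, uid: int = 65534) -> dict:
    """Return a copy of the pod with the three defaults inverted.
    Settings the author wrote explicitly are kept (setdefault), so a
    deliberate opt-in is not silently overridden."""
    hardened = copy.deepcopy(pod)
    spec = hardened.setdefault("spec", {})
    pod_sc = spec.setdefault("securityContext", {})
    pod_sc.setdefault("seccompProfile", {"type": "RuntimeDefault"})
    pod_sc.setdefault("runAsNonRoot", True)
    pod_sc.setdefault("runAsUser", uid)  # constructed fallback UID
    spec.setdefault("automountServiceAccountToken", False)
    return hardened


if __name__ == "__main__":
    for finding in audit_pod(INSECURE_POD):
        print("FINDING:", finding)
    print("after hardening:", audit_pod(harden_pod(INSECURE_POD)) or "no findings")
```

The audit deliberately reads the container-level `securityContext` before the pod-level one, because a container that sets `runAsUser: 0` is root regardless of what the pod declares; that is the case an admission controller has to catch rather than trusting the pod-level defaults alone.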
