Hello Gardener Community,
Most of you might already have heard about the Kubernetes security audit results on GitHub [0], [1] or in the press [2], [3], [4], [5].
Besides its own threat modeling, the Gardener Security Team has been doing continuous penetration testing for more than a year. Thus, we have been aware of many of the issues mentioned in the Kubernetes security audit for quite some time, and we triggered the open source project Karydia [6].
Karydia is an open source security add-on for Kubernetes that inverts some of the insecure default settings mentioned in the Kubernetes security audit (and does even more), for example:
* automatically adds a seccomp profile to any newly created pod
* removes the service account token
* adds a non-root user to the pod's security context
* prevents pods from running as root by default
* prevents the service account token from being mounted into all pods
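To make the list above concrete, here is an added example (written for this note, not code from Karydia or from the audit) that does in plain Python what such an admission webhook does on the API server: it audits a pod manifest for the insecure defaults and returns a hardened copy. The manifest, the non-root UID 65534 and the seccomp default are constructed assumptions; the seccompProfile field is the form Kubernetes 1.19+ uses (older clusters expressed the same thing through the seccomp.security.alpha.kubernetes.io/pod annotation).

```python
import copy
import json

# Constructed example manifest: a pod whose author omitted every
# security-relevant field. Not taken from Karydia or the audit; it only
# mirrors the insecure defaults listed above.
INSECURE_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "demo", "namespace": "default"},
    "spec": {
        "containers": [
            {"name": "app", "image": "nginx:1.17"},
            # Explicit root request: a webhook should leave it visible, not hide it.
            {"name": "debug", "image": "busybox", "securityContext": {"runAsUser": 0}},
        ]
    },
}

# Assumed hardened defaults (hypothetical values, not Karydia's configuration).
DEFAULT_NON_ROOT_UID = 65534
DEFAULT_SECCOMP = {"type": "RuntimeDefault"}


def audit_pod(pod):
    """Return a list of findings for the insecure defaults the post describes."""
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})
    findings = []

    # Kubernetes mounts the service account token unless told otherwise.
    if spec.get("automountServiceAccountToken", True):
        findings.append("service account token is automounted")
    if "seccompProfile" not in pod_sc:
        findings.append("no pod-level seccomp profile")
    if not pod_sc.get("runAsNonRoot"):
        findings.append("pod does not require a non-root user")

    for c in spec.get("containers", []):
        c_sc = c.get("securityContext", {})
        # Container-level runAsUser overrides the pod-level value.
        uid = c_sc.get("runAsUser", pod_sc.get("runAsUser"))
        if uid == 0:
            findings.append(f"container {c['name']!r} runs as root (runAsUser 0)")
        elif uid is None:
            findings.append(f"container {c['name']!r} has no runAsUser; image default applies")
    return findings


def harden_pod(pod):
    """Return a hardened copy with the mutations an admission webhook would apply.

    Fields the user set explicitly are left untouched, so the explicit
    runAsUser: 0 above survives and stays visible to audit_pod. With
    runAsNonRoot set to true the kubelet refuses to start that container anyway.
    """
    hardened = copy.deepcopy(pod)
    spec = hardened.setdefault("spec", {})
    pod_sc = spec.setdefault("securityContext", {})

    spec.setdefault("automountServiceAccountToken", False)
    pod_sc.setdefault("seccompProfile", dict(DEFAULT_SECCOMP))
    pod_sc.setdefault("runAsNonRoot", True)
    pod_sc.setdefault("runAsUser", DEFAULT_NON_ROOT_UID)
    return hardened


if __name__ == "__main__":
    print("before:", audit_pod(INSECURE_POD))
    hardened = harden_pod(INSECURE_POD)
    print("after:", audit_pod(hardened))
    print(json.dumps(hardened["spec"], indent=2))
```

Run it on the constructed manifest and the five findings shrink to one: the deliberately explicit root container, which a mutating webhook should report rather than silently rewrite.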
To learn more about the open source project Karydia and how you can increase the (default) security of your Gardener-managed Kubernetes clusters (as an optional mitigation recommendation with regard to the Kubernetes security audit), I hereby invite you to the next public Gardener Community Meeting tomorrow [7]. There you will have the chance to discuss with the Karydia maintainers.
Thank You,
Frederik on behalf of the Gardener Security Team
[0] https://github.com/trailofbits/audit-kubernetes
[1] https://github.com/kubernetes/community/tree/master/wg-security-audit/findings
[2] https://www.sdxcentral.com/articles/news/kubernetes-looks-inside-and-finds-security-holes/2019/08/
[3] https://containerjournal.com/2019/08/07/cncf-completes-kubernetes-cybersecurity-audit/
[4] https://siliconangle.com/2019/08/06/34-vulnerabilities-uncovered-security-audit-kubernetes-code/
[5] https://www.heise.de/developer/meldung/Containerisierung-Kubernetes-Security-Audit-veroeffentlicht-4490259.html
[6] https://github.com/karydia/karydia
[7] https://docs.google.com/document/d/1314v8ziVNQPjdBrWp-Y4BYrTDlv7dq2cWDFIa9SMaP4
---
You received this message because you are subscribed to the Google Groups "gardener" group
https://groups.google.com/forum/#!forum/gardener