The Kubernetes container-orchestration system was originally built by Google for automating application deployment, scaling and management in the cloud. The culmination of 15 years of Google's development experience, Kubernetes was open-sourced in 2014. It is now maintained by the CNCF, whose community of volunteers will manage vulnerability processing and resolutions related to the bug-bounty program.
Bounties will range from $100 to $10,000. The program’s scope covers code from the main Kubernetes organizations on GitHub (Kubernetes has more than 100 certified distributions), as well as “continuous integration, release and documentation artifacts,” according to a Kubernetes security team post on Tuesday.
“Basically, most content you’d think of as ‘core’ Kubernetes…is in scope,” according to the post.
The program’s debut marks the release of one of the first bounty programs for underlying cloud infrastructure. “Some open-source bug bounty programs exist, such as the Internet Bug Bounty; this mostly covers core components that are consistently deployed across environments, but most bug bounties are still for hosted web apps,” according to the Kubernetes post.
In Scope, Out of Scope
The Kubernetes security team said it is particularly interested in cluster attacks, such as privilege escalations, authentication bugs and remote code execution in the kubelet or API server.
“Any information leak about a workload, or unexpected permission changes is also of interest,” they wrote. “Stepping back from the cluster admin’s view of the world, you’re also encouraged to look at the Kubernetes supply chain, including the build-and-release processes, which would allow any unauthorized access to commits, or the ability to publish unauthorized artifacts.”
The project’s community management tools, such as the Kubernetes mailing lists or Slack channel, are out of scope, as are container escapes, attacks on the Linux kernel or other issues arising from dependencies – these should be reported to the appropriate party instead.
Google also plans to be intimately involved in the program, which has been running in beta mode with invite-only researchers up until now.
“Kubernetes already has a robust security team and response process, further cemented by the recent Kubernetes security audit,” according to a statement by Maya Kaczorowski, product manager for container security at Google Cloud, which first proposed the bug-bounty program.
“We have a stronger and more secure open-source project than we’ve ever had before. By launching a bug-bounty program, we’re putting our money where our mouth is – and most importantly, rewarding the researchers already doing this important work. We hope to attract additional security researchers to get more eyes on the code, shake out security bugs, and back up our work on Kubernetes security with financial support,” Kaczorowski said.
Securing the Cloud
Cloud security is coming more and more into focus as companies look to achieve high-velocity operations and take advantage of the efficiencies that digital transformation can bring.
“The cloud allows companies to move quickly and be more agile so they can provide benefits to customers more quickly,” Reed Loden, director of security at HackerOne, told Threatpost. “With the standardization cloud technology delivers to companies across the globe comes similar problems across websites hosted on the same cloud provider. This both makes it easier for attackers to exploit multiple websites and simplifies the process for defenders to learn and improve at a faster clip as they unearth common issues.”
However, with uniformity comes documentation, “allowing friendly hackers and companies to learn from each other to avoid the common mistakes,” he added. “When companies and researchers work together they can better improve defenses and build a safer internet.”
Kubernetes has had its share of vulnerabilities. Last October, for instance, a pair of bugs, CVE-2019-16276 and CVE-2019-11253, were found that could allow an attacker to trivially bypass authentication controls to access a container. And earlier, a critical privilege-escalation vulnerability (CVE-2018-1002105) was uncovered that could allow an attacker unfettered, remote access for stealing data or crashing production applications.
“Moving servers from on-premise to the cloud comes with substantial benefits and risks — good and bad,” Loden told Threatpost. “You can build software right using cloud or you can build it wrong using cloud, just like anything else.”