What is Kubernetes?

Kubernetes, the container orchestration program, has become hotter than hot. Everyone, and I mean everyone, is adopting it. But with major releases every quarter and everyone rushing to deploy it, security is a real concern. That is why the Kubernetes Product Security Committee, funded by the Cloud Native Computing Foundation (CNCF), is launching a new bug bounty program to reward reports of Kubernetes security bugs.

The bug bounty program has been in private beta for several months. Almost two years after the original proposal, the program is now open to all security researchers.

Maya Kaczorowski, Google Cloud product manager for container security, said:

Kubernetes already has a robust security team and response process, further strengthened by the recent Kubernetes security audit. We have a stronger and more secure open source project than ever before. By launching a bug bounty program, we are putting our money where our mouth is, and above all we are rewarding the researchers who are already doing this important work. We hope to attract additional security researchers to get more eyes on the code, shake out security bugs and back up our work on Kubernetes security with financial support.

The bug bounty program is run by HackerOne, which describes itself as a hacker-powered security company. To run the program properly, the HackerOne team working on it are all Certified Kubernetes Administrators (CKA). This is not an easy job: there are more than 100 certified Kubernetes distributions, and the bug bounty already covers the Kubernetes code they share.

Specifically, the bug bounty covers the core Kubernetes code hosted in the main Kubernetes organizations on GitHub. It also covers continuous integration, release and documentation artifacts. The committee is particularly interested in vulnerabilities that can lead to attacks on a cluster, such as privilege escalation, authentication bugs and remote code execution in the kubelet or the API server.

They are also looking for information leaks about workloads and unexpected changes in permissions. Security researchers are further encouraged to examine the Kubernetes supply chain, including the build and release processes.

What the program does not cover is community management tooling, such as the Kubernetes mailing lists or Slack channels. Container escapes, attacks on the Linux kernel and bugs in other dependencies such as etcd are also out of scope and must be reported to those projects' own security teams. That said, the committee still wants to hear about Kubernetes vulnerabilities even when they do not qualify for a bounty; these should be disclosed privately to the Kubernetes Product Security Committee.

Bounties for vulnerabilities in core Kubernetes range from $200 for low-priority issues to $10,000 for critical issues. For full details on how the bounty program works, see HackerOne's Kubernetes bounty page.

