The open-source Kubernetes container orchestration is an increasingly deployed platform that is now supported across all three major public cloud providers (Google, AWS and Azure) as well as enterprise private clouds.
Container security is a big issue these days, and keeping Kubernetes secure involves multiple aspects. One of those aspects is the security of the Kubernetes code itself, which has had its share of vulnerabilities that have been reported in the past year. Among those vulnerabilities is CVE-2017-1002101, which was patched in the Kubernetes 1.10 release that became generally available on March 26.
So how are security vulnerabilities in Kubernetes code handled? It starts with a community team of eight volunteers.
In a video interview, Brandon Philips, former CTO of CoreOS, now at Red Hat, and a member of the volunteer team that handles Kubernetes security reports, details how security reports are handled and how the CVE-2017-1002101 issue was managed.https://o1.qnsr.com/log/p.gif?;n=203;c=204660766;s=9477;x=7936;f=201812281312070;u=j;z=TIMESTAMP;a=20392931;e=i
"The security team for Kubernetes just keeps getting busier and busier," Philips said.
The CVE-2017-1002101 issue was particularly complicated for Kubernetes to solve since there are multiple moving components that make up Kubernetes, including the Docker Engine and API guarantees.
Philips said the Kubernetes security response team has been trying to figure out how to improve processes. To that end, the Cloud Native Computing Foundation (CNCF), which operates the Kubernetes project, recently approved an effort to engage with third-party consultants who help deal with initial responses to inbound security reports.
Philips said there are currently eight volunteers on the Kubernetes security response team and they act as project managers triaging issues as they come in, and engaging with the right engineers involved with Kubernetes to get the right fixes done quickly.
Watch the full video interview with Brandon Philips below:
Sean Michael Kerner is a senior editor at eSecurityPlanet and InternetNews.com. Follow him on Twitter @TechJournalist.