
Your Guide to the First-Ever Kubernetes Security Audit


Google has always been a company committed to consistently improving and developing its service and product offerings. Recently, the Google Cloud Platform portfolio achieved another major milestone when the Google team published Kubernetes' first security audit. The audit was sponsored by the Cloud Native Computing Foundation (CNCF), and it reinforces the idea that Kubernetes is a mature and reliable open-source project for organizations to use as the foundation of their infrastructure.

Although most audits uncover some problems, the report from Google found only a small number of vulnerabilities that needed to be addressed. According to Aaron Small, Product Manager for Google Cloud, there were no fundamental architectural design flaws to overcome, and no significant or critical vulnerabilities that Anthos and GKE users need to worry about. Kubernetes also has an established vulnerability response and disclosure process in place for any issues that may be reported.

Performing the security audit took a lot of work on the part of the CNCF, which is committed to improving the security of all the projects it works on. The Kubernetes Steering Committee needed to form a working group, work with vendors, and develop an RFP before they could publish the full report, which is available here.

What We Learned from the Kubernetes Audit


Before you go rushing to read through the entire Kubernetes audit yourself, it's worth noting that it's more than 240 pages long, so it's quite a serious read. What you need to know about this document is that it highlights the success and security of Kubernetes for Anthos and Google Kubernetes Engine users. The report covers a lot of useful ground, but some of the major points include:

  • You're not the only person who has to worry about security: The GKE shared responsibility model means that you don't have to manage every security control that a Kubernetes deployment needs. GKE remains responsible for providing updates and patching vulnerabilities for the eight core components listed in the latest report. However, you as a user are responsible for upgrading nodes and for the configuration of your workloads.

  • Following recommended configurations is easy: The report on Kubernetes security lays out a long list of recommended actions that cluster administrators can take to improve their security posture. You can do things like applying network policies, using RBAC, and limiting the access that users have to logs containing sensitive information. Kubernetes' default settings also make it easy to adopt these recommended configurations without much extra work. You can learn how to apply recommended configurations in the Kubernetes hardening guide for GKE here.

  • The only way is up: It seems like Kubernetes and the GKE users of tomorrow have very little to worry about if the latest report is anything to go by. Google will continue to invest in making Kubernetes and Anthos as safe and secure as possible, while teams work on protecting their side of the development. The only way is up for solutions built through Google. 
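To make the second point concrete, the manifests below show what "applying network policies, using RBAC, and limiting access to logs" looks like in practice. This is an added example, not content from the page, the audit report, or the GKE hardening guide; the `payments` namespace, the `app` labels, the port number and the user name are constructed placeholders, and the `k8s-app: kube-dns` label on the cluster DNS pods is assumed to match your cluster's DNS deployment.

```yaml
# Added example (not from the page or the audit report). Namespace name,
# app labels, port and user name are constructed placeholders.
---
# 1. Default-deny: a pod with no NetworkPolicy selecting it accepts all
#    ingress and egress. An empty podSelector selects every pod in the
#    namespace; listing both policy types with no rules denies all traffic.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: payments
spec:
  podSelector: {}
  policyTypes:
    - Ingress
    - Egress
---
# 2. Re-open only the flows the workload needs: api pods accept traffic
#    from frontend pods on TCP 8443 and may talk to cluster DNS (assumed
#    to carry the k8s-app=kube-dns label in kube-system).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: api-allow-frontend
  namespace: payments
spec:
  podSelector:
    matchLabels:
      app: api
  policyTypes:
    - Ingress
    - Egress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: frontend
      ports:
        - protocol: TCP
          port: 8443
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
---
# 3. RBAC: a namespaced Role that lets an on-call engineer list and inspect
#    pods but NOT read their logs. "pods/log" is a separate subresource, so
#    granting "get" on "pods" alone does not expose container output that
#    may contain secrets or customer data.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-viewer-no-logs
  namespace: payments
rules:
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list", "watch"]
  # Deliberately absent: a rule for resources: ["pods/log"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: oncall-pod-viewer
  namespace: payments
subjects:
  - kind: User
    name: oncall@example.com   # placeholder identity
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-viewer-no-logs
  apiGroup: rbac.authorization.k8s.io
```

Apply the file with `kubectl apply -f`, then check the effect of the RBAC part with `kubectl auth can-i get pods/log --as oncall@example.com -n payments`, which should answer `no` while `kubectl auth can-i get pods --as oncall@example.com -n payments` answers `yes`. Note that a NetworkPolicy is only enforced when the cluster's network plugin supports it (on GKE, network policy enforcement has to be enabled for the cluster).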

You Can Rely on Google Kubernetes


Even if issues do arise with Kubernetes, as has happened in the past with countless pieces of technology, the Kubernetes Product Security Committee has consistently been ready to tackle the problem. What's more, since GKE is an official distribution, the Google team can pick up patches before they become generally available in Kubernetes and roll them out automatically for the master, nodes, and control plane. This means that if you have the auto-upgrade feature enabled, your node patches will apply automatically, and master upgrades happen automatically for all users. This makes it incredibly easy for GKE and Anthos users to stay current with the latest security fixes.

The report on Kubernetes' first-ever security audit seems very positive for the most part. Of course, you have the freedom to check it out for yourself and draw your own conclusions. The full report is available on GitHub, and you can rest assured that we'll report any updates to Kubernetes' security status to you as soon as they become available.