Security News

Because these teams are working on different products, they should be given different access to the Kubernetes cluster. First, we create a Role object named `role-blue`, where we define the actions that can be performed on specific Kubernetes resources.

More than 380,000 Kubernetes API servers allow some kind of access to the public internet, making the popular open-source container-orchestration engine for managing cloud deployments an easy target and broad attack surface for threat actors, researchers have found. The Shadowserver Foundation discovered the access when it scanned the internet for Kubernetes API servers, of which there are more than 450,000, according to a blog post published this week.

Traditional methods of software security are not a good fit for Kubernetes: a renewed set of security implementations are required to make it less vulnerable. With Kubernetes in place, security teams are left with limited visibility into the impact each change has.

A survey by ionir shows that 60% of respondents are running stateful applications on Kubernetes, and of those who aren't already, 50% plan to do so in the next 12 months. The primary benefit of running stateful applications on Kubernetes, according to respondents, is that they are critical to business success and their journey toward digital transformation.

Kubernetes showing vulnerabilities against ransomware attacks. New research from Veritas Technologies detailing the inherent security risks associated with Kubernetes has been published, and some of the findings are concerning for those employing the containerized system.

Kubernetes is being rapidly deployed into mission-critical environments in organizations around the world, the research showed, with 86% of organizations expecting to deploy the technology in the next two to three years, and one-third already relying on it today. The research, which gathered the opinions of 1,100 senior IT decision makers globally, found that 48% of organizations that have deployed Kubernetes have already experienced a ransomware attack on their containerized environments, while a staggering 89% of respondents said that ransomware attacks on Kubernetes environments are an issue for their organizations today.

A newly disclosed security vulnerability in the Kubernetes container engine CRI-O called cr8escape could be exploited by an attacker to break out of containers and obtain root access to the host. A lightweight alternative to Docker, CRI-O is a container runtime implementation of the Kubernetes Container Runtime Interface that's used to pull container images from registries and launch an Open Container Initiative-compatible runtime such as runC to spawn and run container processes.

Google says it bumped up rewards for reports of Linux Kernel, Kubernetes, Google Kubernetes Engine, or kCTF vulnerabilities by adding bigger bonuses for zero-day bugs and exploits using unique exploitation techniques. "We increased our rewards because we recognized that in order to attract the attention of the community we needed to match our rewards to their expectations," Google Vulnerability Matchmaker Eduardo Vela explained.

Users of the Argo continuous deployment tool for Kubernetes are being urged to push through updates after a zero-day vulnerability was found that could allow an attacker to extract sensitive information such as passwords and API keys. The path-traversal vulnerability "Allows malicious actors to load a Kubernetes Helm Chart YAML file to the vulnerability and 'hop' from their application ecosystem to other applications' data outside of the user's scope," Moshe Zioni, Apiiro's VP of security research, said.

A high-severity security vulnerability in Argo CD can enable attackers to access targets' application-development environments, paving the way for stealing passwords, API keys, tokens and other sensitive information. Argo CD is a continuous-delivery platform deployed as a Kubernetes controller in the cloud, and it's used to deploy applications, then continuously monitor them in real time as they run.