TLDR: NCC Group selected to perform K8s security evaluation in response to K8s sig security’s third-party audit request proposal. Security architectural design review and dynamic pen testing were conducted, revealing vulnerabilities in component communication and input sanitization.

Key findings included:

• Concerns with the administrative experience
• Flaws in communication between the API Server and the Kubelet which may result in an elevation of privilege
• Flaws in input sanitization which provide a limited authorization bypass (publicly disclosed under CVE-2022-3162)

The PDF is available for download .