TLDR: NCC Group was selected to perform a Kubernetes (K8s) security evaluation in response to the Kubernetes SIG Security third-party audit request for proposal. A security architectural design review and dynamic penetration testing were conducted, revealing vulnerabilities in component communication and input sanitization.
Key findings included:
- Concerns with the administrative experience
- Flaws in communication between the API Server and the Kubelet which may result in an elevation of privilege
- Flaws in input sanitization which provide a limited authorization bypass (publicly disclosed under CVE-2022-3162)