YoVDO

The Hitchhiker's Guide to Kubernetes Vulnerabilities

Offered By: CNCF [Cloud Native Computing Foundation] via YouTube

Tags

Conference Talks Courses, Data Analysis Courses, Root Cause Analysis Courses, Community Engagement Courses, Security Analysis Courses

Course Description

Overview

Explore the comprehensive history of Kubernetes vulnerabilities in this 29-minute conference talk by Robert Clark and Micah Hausler from Amazon. Dive into an in-depth analysis of security issues throughout the Kubernetes project's lifetime, examining patterns, trends, and a taxonomy for classifying vulnerabilities. Learn about root causes, contributing factors, and metrics such as time from commit-to-discovery and time-to-resolution. Gain insights into the impact of community efforts, including SIGs, WGs, and audits, on improving Kubernetes security. Discover how to predict future security performance based on historical data and understand the potential evolution of Kubernetes' security posture. This presentation, part of KubeCon + CloudNativeCon Europe 2022, offers valuable information for developers and end-users of Kubernetes and other CNCF-hosted projects.

Syllabus

Intro
Introductions
Why this talk
What is a vulnerability
Security Response Committee
Lifetime of a k8s vuln
Security Supported Versions
A brief history of K8s Security
Where to get vulnerability data
Vulnerability Distribution
Issue Lifetime
Bug Bounty Finds
Common Weaknesses
CWE - Kubernetes All Time
CWE - 2020-2021
CVSSv3 means rescoring!
Key Takeaways


Taught by

CNCF [Cloud Native Computing Foundation]
