Kubernetes Security
Ada Logics has rich experience in Kubernetes security that can help you protect and secure your cloud assets. We have comprehensive knowledge of Kubernetes' threat model, of how misconfigured clusters or vulnerable code expose you to attack, and of how you can mitigate that exposure. This has led us to find vulnerabilities in many widely used software packages among Kubernetes users, such as Argo, cri-o, containerd, Helm and FluxCD.
Kubernetes security services

We offer services at different levels of Kubernetes infrastructure. Our services start with understanding your use case, who you serve and how you deploy your Kubernetes instance. We can then audit your application layer, your infrastructure and/or your supply-chain risk. An audit covers either static code assets or in-cluster auditing, or both, which is the case for most of our audits. Our audits conclude with a detailed report written for you in a format you can share internally with your team or publicly with the world.

Wide experience with the Kubernetes ecosystem

Ada Logics has audited a range of popular Kubernetes tools.

Argo

We have found several security vulnerabilities in the Argo ecosystem, ranging from Low to Critical severity. We worked with the Argo team to remediate them and get the fixes released in a safe manner. We have also written Argo's entire fuzzing infrastructure and maintained it for several years.

Kyverno

A highly customizable and widely used admission controller with a great feature set and detailed documentation. Ada Logics audited Kyverno and found 5 vulnerabilities, which we disclosed to Kyverno and which they fixed. Ada Logics has written Kyverno's fuzzing suite, which tests both for language-level vulnerabilities and for policy bypasses, and we have maintained the fuzzing suite for several years.

cri-o

One of the most widely used container runtimes after containerd/Docker. During an audit of cri-o, we found a vulnerability that could allow an attacker to crash a Kubernetes node and thereby impact the usability of other users on that node. We then looked at containerd and found that it had the same vulnerability. Both cri-o and containerd fixed the vulnerabilities.

Istio

The popular service mesh that offers a rich feature set, including many features that enhance the security of your cluster. Ada Logics has found vulnerabilities both in Istio itself and in Go that directly impacted Istio.

containerd

Ada Logics has found multiple vulnerabilities in containerd, both from auditing efforts and from security engineering. During our audit of cri-o we found a vulnerability that existed in both cri-o and containerd. During a fuzzing engagement, we found another vulnerability in containerd.

FluxCD

We carried out a holistic security audit of FluxCD in which we found a high-severity command injection vulnerability.
Our Kubernetes security services
Threat modelling

We can threat model your infrastructure to identify its attack surface, threat actors, trust zones, trust flows and security controls.

Attacking your infrastructure

Ada Logics can take an attacker's perspective and, in a controlled environment, attempt to steal your data, damage your application, infiltrate your infrastructure and compromise your users.

Manual auditing

We can manually audit your Kubernetes infrastructure for misconfigurations, risks and vulnerabilities.

Automated testing

We use state-of-the-art open source dynamic and static analysis to support our audits.

One-time infrastructure audits

We can help with auditing your infrastructure as a one-time engagement.

Regular infrastructure audits

We are available for regular infrastructure audits, such as yearly or half-yearly engagements. Code changes over time, and vulnerabilities can be introduced along the way; regular checkups catch them. A yearly infrastructure audit also helps you eradicate easily exploitable issues and find deeper security issues over time.

Security engineering and hardening

We can work with you on hardening the security of your infrastructure. This can be through implementing or improving your admission control or service mesh, or by hardening your infrastructure configuration.

Talk to us now about your Kubernetes security audit
Contact Us