Kubernetes Security Response Committee: Intro & Deep Dive

2023-04-20

Authors: Mo Khan, Micah Hausler


Summary

The presentation discusses the process of reporting and handling security issues in Kubernetes, including the role of the Security Committee and the Bug Bounty program.
  • The Security Committee assesses reported issues and works with code owners to determine if they are legitimate security issues.
  • CVEs are issued for confirmed security issues, and the release team is involved if the issue affects core Kubernetes.
  • Distributors are notified for medium or high severity issues that may affect their users.
  • The Bug Bounty program offers rewards for responsibly reported security issues.
  • Reporting security issues through HackerOne or the email list is encouraged.
The presenters discuss a known architectural flaw with service account tokens and how the code owners are aware of it but cannot simply remove it without causing issues for users. They explain that the Security Committee can help find the right person to talk to and that reporting the issue is still encouraged.

Abstract

The Kubernetes Security Response Committee (SRC) is responsible for the security release process for Kubernetes. In this talk, we will go over what that involves, such as the lifecycle of a vulnerability, all the way from the initial report to the public disclosure. The overall responsibilities of SRC will be discussed, with highlights around the differences between SRC, SIG Auth, and SIG Security. Finally, we will also discuss some of the interesting findings from the 2022 security audit, how they impacted the community, and the changes that were made to help prevent similar issues in the future. We hope to increase awareness within the community, as we have seen multiple instances where folks have not known about the existence of SRC or the process for reporting a vulnerability.

Materials:

Related work

Authors: Brad Geesaman, Ian Coldwater, Duffie Cooley, Rory McCune
2021-10-13


Authors: Savitha Raghunathan, Tabitha Sable, Ala Dewberry
2022-10-27

Authors: Savitha Raghunathan, Tabitha Sable, Mahé Tardy, Ala Dewberry
2023-04-19