Kubernetes CVE-2018-1002105, with Jordan Liggitt

Adam and Craig end the year by talking to Jordan Liggitt, the member of the Kubernetes Product Security Team who fixed the recent critical security vulnerability in the Kubernetes API server. We also take a look at the news from KubeCon.

This is our last episode for 2018. Thank you for your support this year, and we’ll be back on the 8th of January!

Do you have something cool to share? Some questions? Let us know:

• web: kubernetespodcast.com
• mail: [email protected]
• twitter: @kubernetespod

• etcd donated to the CNCF
  • Chubby paper
  • Raft paper
  • Blog post on the relationship between Kubernetes and etcd by Gyuho Lee and Joe Betz
• Istio:
  • Geekwire: Has Istio become the new cloud-native darling?
  • Google launches Istio on GKE
  • VMware NSX Service Mesh
  • Aspen Mesh open beta
  • In other service mesh news: A10 Secure Service Mesh
• Knative:
  • Knative: bringing serverless to Kubernetes everywhere
  • SAP: Extensibility on cloud-native stack
  • Red Hat to deliver hybrid serverless workloads to the enterprise
  • Pivotal launches Function Service
  • GitLab and TriggerMesh announce GitLab Serverless
• Oracle Cloud Native Framework
• Microsoft:
  • Osiris
  • Azure Monitor for Containers is GA
  • Phippy Goes To The Zoo
  • Phippy, Captain Kube and friends now in the CNCF
• Digital Ocean Kubernetes now open to everyone
• Linode Kubernetes CLI
  • Terraform scripts
• VMware closes its acquisition of Heptio
  • For $550M
  • Dell will go public again
• Quickfire Kubernetes security news
  • NeuVector announced containerd and CRI-O runtime support in their container firewall
  • Aqua’s Container Security Platform is now certified to cover the Kubernetes CIS benchmarks
  • Lacework announced their configuration scanning platform covers Kubernetes
  • Sysdig released Sysdig Secure 2.2, which adds Kubernetes audit events, and the ability to block deployments using Kubernetes admission controllers
  • Twistlock released 18.11, which “introduces security visualization for Kubernetes, and compliance and security configuration checks for Istio, including new alerting integrations with PagerDuty, and cloud services
• Grafana Loki
  • Thanos: Prometheus at scale
• Maestro – A declarative, no-code approach to Kubernetes Day 2 Operators
• rbacsync
• PlanetScale announces funding
  • TechCrunch article

• Jordan’s suggested KubeCon talks to watch:
  • Kelsey Hightower’s keynote, “Kubernetes and the path to serverless”
  • Julia Evans’ keynote, “High Reliability Infrastructure Migrations”
• OpenShift before Kubernetes in 2014
• Kubernetes Product Security Team
• CVE-2018-1002105: proxy request handling in kube-apiserver can leave vulnerable TCP connections
  • Listing in the National Vulnerability Database
  • Originally filed as a bug against Rancher
    • Rancher blog post
  • How to report a vulnerability
  • Proof of concept (third party)
  • How it was fixed
  • Distributor’s list
  • Client certificate vulnerability in Kubernetes in 2016
• Answering questions on Stack Overflow
• Jordan Liggitt on Twitter, GitHub, Slack or Stack Overflow