Getting to know Kubernetes vulnerability management

Andika Pratama, 2020-01-03T09:44:42+08:00
Blog, Kubernetes

When it comes to open-source software (OSS) like Kubernetes, some people get nervous not knowing the people who have worked on the code in the project. Contrary to popular belief, many OSS projects have robust security teams and rigorous vulnerability management processes, just like you’d expect to find in proprietary software. 

For Kubernetes, a dedicated Product Security Committee oversees the security response process. The Product Security Committee is a group of core maintainers, many with security-specific roles, nominated by other core maintainers and technical advisors within the community. The Committee’s role is to respond to any and all emails about a potential vulnerability, according to a documented response process. Here’s an overview.

1. Triage the disclosure 

When the team receives a disclosure, it begins investigating whether the submission is a real issue or just a bug without security implications. If the committee confirms that it’s an issue, it then leads the development and release of a patch and notifies the community. 

2. Assess the impact of the vulnerability

One key initial step is to determine a vulnerability’s potential impact. This is usually expressed as a Common Vulnerability Scoring System (CVSS) score, assessed alongside the documented severity criteria for Kubernetes vulnerabilities. The score looks at criteria like how easily the issue can be exploited, the consequences if it is exploited, and the privileges required to exploit it. A score under 4.0 is considered low; between 4.0 and 7.0 is medium; between 7.0 and 9.0 is high; and above 9.0 is critical. The CVSS score acts as a rough barometer for how issues should be prioritised and with what urgency, with the caveat that a vulnerability’s severity can vary depending on the specific Kubernetes deployment configuration and environment.

3. Generate a fix

Next, the Product Security Committee works with the relevant developers to generate a fix. If the vulnerability involves components from other open-source projects, the team works with security groups within those projects. 

There are times when a security fix can happen in the open, as part of a normal patch release. But if the vulnerability is severe enough, the patch will be developed and tested in private. At this point, only those who need to know should be aware of the vulnerability; you wouldn’t want someone with malicious intent to have early knowledge of an unpatched issue.

For fixes that follow the private release process, the release of a security patch will include an explanatory announcement to the kubernetes-security-announce community. When necessary, a retrospective or postmortem is also released to the Kubernetes community, spelling out the steps taken, response timeline and any other relevant details. 

4. Roll out the fix

The next step is to roll out notifications to certified Kubernetes distributors. Because distributors are responsible for what end-users receive, it’s important that they have the opportunity to patch early and prepare their own notifications. Like many open-source projects, Kubernetes has a private list of distributors who get embargoed security notifications; anyone who meets the criteria can sign up for these messages. 

So what does all this mean for you as a Kubernetes user?

First of all, make sure your team knows about the Product Security Committee’s process. It should help anyone who’s unsure about open source security feel more confident in Kubernetes. The Product Security Committee is a robust and responsive group of Kubernetes and security experts working on your behalf, complete with an on-call rotation during working hours. 

Second, if you’re deploying a container on Kubernetes and you notice something that makes you suspect a security issue, you should notify the Product Security Committee right away, safe in the knowledge that it’ll follow a prescribed process to get to the bottom of things. For more information about when and how to report a vulnerability, check out Kubernetes Security and Disclosure Information. 

It’s also important to know your provider’s communication policies with regard to vulnerabilities. To that end, be sure you know the answer to the following questions:

  • If there’s a problem, when will my provider contact me?
  • Where are security bulletins posted for the services I’m consuming?
  • How can I find out when patches will be available for those services?
  • Where can I find information about vulnerabilities for what I run in my environment?

When appropriate, Google Cloud publishes security bulletins for Google Kubernetes Engine (GKE) and sends email notifications to affected users. GKE users should defer to the GKE security bulletins as their source of truth; they are updated whenever a new issue is severe enough to warrant attention.

In short, as a Kubernetes end-user you should:

  • Share the Kubernetes response and reporting processes with your team
  • Report any future suspected issues through the Kubernetes disclosure process
  • Learn about your provider’s disclosure and patching policies

By answering these questions and familiarising yourself with the Kubernetes security response process, you can be an informed and confident user of open source software and ensure that your organisation is taking an active role in your container security.
