The open source project Kyverno completed a security audit by OSTIF and Ada Logics in the fall of 2023, in continued partnership with the CNCF. The engagement was organized as a holistic review of the Kubernetes policy engine, covering threat modeling, manual code auditing, fuzzing, and a supply-chain review. The auditors also produced documentation for the project, including a threat model discussion with figures and further security recommendations.

The audit team performed a spectrum of work during the engagement, from manual review to writing three custom fuzzers for Kyverno. The audit report details the process and findings of the manual code review, the threat model, the fuzzing suite review, and the SLSA review, along with 6 CVEs. Notably, one of those CVEs was in a third-party dependency; the Kyverno team found it during the review, and it was fixed with help from Ada Logics. In total, 10 findings with a security impact were identified, and all of them have been fixed. Ada Logics ranked the findings from Low to High severity, and together they cover a range of possible exploit scenarios. In a separate form of review, Kyverno was assessed at SLSA level 3 and showed a high degree of security maturity. The auditors noted that the project's high standards should be maintained, since security practices only work if they are kept up over time.

Engagements like this, in which a project undergoes an intense and diverse security review that surfaces both fine-grained code-level issues and broader architectural ones, are a healthy practice for open source projects at any point in their lifecycle. An audit lets current and future security recommendations be reported in a single engagement, so maintainers can make fixes and improvements as soon as possible. As projects mature and refine their functionality, they should aim to make security as high a priority as Kyverno has.

Thank you to the Kyverno team members who worked on this audit, Jim Bugwadia, Shuting Zhao, Charles-Edouard Brétéché, and Chip Zoller, for their attention, contributions, and help in completing it. Thanks as well to the Ada Logics team, specifically Adam and David Korczynski, for their hard work across all aspects of the audit and the related effort this undertaking involved. Finally, our gratitude goes to the Cloud Native Computing Foundation, without whom this audit and many others would not have been possible.

Read the audit report by Ada Logics on GitHub or HERE

Read the Kyverno blog post HERE