add karmada security audit blog #785
Merged
40 changes: 40 additions & 0 deletions
blog/2025-01-17-karmada-security-audit/karmada-security-audit.md
@@ -0,0 +1,40 @@ | ||
# Announcing the results of the Karmada security audit | ||
|
||
Community post cross-posted on the [OSTIF blog](https://ostif.org/karmada-audit-complete/) and [CNCF blog](https://www.cncf.io/blog/2025/01/16/announcing-the-results-of-the-karmada-security-audit/) | ||
|
||
[OSTIF](https://ostif.org/) is proud to share the results of our security audit of Karmada. Karmada is an open source Kubernetes orchestration | ||
system for running cloud-native applications seamlessly across different clouds and clusters. With the help of [Shielder](https://www.shielder.com/) and | ||
the [Cloud Native Computing Foundation (CNCF)](https://www.cncf.io/), this project offers users improved open, multi-cloud, multi-cluster Kubernetes management. | ||
|
||
## Audit Process: | ||
|
||
While Karmada is a part of the Kubernetes ecosystem and therefore utilizes Kubernetes libraries and implementations, the focus | ||
of this particular work was on the overall security health of the custom implementations of Karmada and its third party dependencies. | ||
Karmada’s function utilizes multiple components, CLI tools, and add ons to extend the standard Kubernetes features, which can be | ||
customized from deployment to deployment. This makes Karmada’s attack scenarios complex, so it was necessary to perform a scoped | ||
threat modelling in order to evaluate potential attack surfaces. Utilizing this custom threat model and a combination of manual, | ||
tooling, and dynamic review, Shielder identified six findings with security impact on the project. | ||
|
||
## Audit Results: | ||
|
||
- 6 Findings | ||
- 1 High, 1 Medium, 2 Low, 2 Informational | ||
- Recommendations for Future Efforts | ||
- Proposal for Long-term Improvements to Overall Security | ||
|
||
The Karmada maintainer team worked quickly and in tandem with Shielder to resolve and fix the reported issues. Their work on behalf of | ||
the project was meticulous and mindful of users as well as relevant third-party dependencies and projects. They published necessary | ||
advisories and alerted users as to the impact and resolution of this audit. OSTIF wishes them the best of luck on their journey to | ||
graduated status with the CNCF. | ||
|
||
**Thank you** to the individuals and groups that made this engagement possible: | ||
|
||
- Karmada maintainers and community: especially Kevin Wang, Hongcai Ren, and Zhuang Zhang | ||
- Shielder: Abdel Adim “Smaury” Oisfi, Pietro Tirenna, Davide Silvetti | ||
- The Cloud Native Computing Foundation | ||
|
||
## References: | ||
|
||
1. CNCF (Announcing the results of the Karmada security audit): https://www.cncf.io/blog/2025/01/16/announcing-the-results-of-the-karmada-security-audit/ | ||
2. Audit Report: https://ostif.org/wp-content/uploads/2025/01/OSTIF-Karmada-Report-PT-v1.1.pdf | ||
3. Shielder: https://www.shielder.com/blog/2025/01/karmada-security-audit/ |
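Review bot: The closing paragraph of the hunk says the maintainers "published necessary advisories and alerted users", but the References list at the end links only the CNCF post, the PDF report and Shielder's write-up; please add the published advisories (or the project's security-advisory page) as a fourth reference so readers can find the affected and fixed versions behind the High and Medium findings. Minor style point: the three section headings carry trailing colons ("## Audit Process:", "## Audit Results:", "## References:"); dropping them matches the top-level title and the usual markdown heading style.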
We can link the report at the end of this blog:
You can read the Audit Report HERE
You can read Shielder’s Blog HERE
You can read the CNCF’s Blog HERE