KSOC labs recently announced the release of the first Kubernetes Bill of Materials(KBOMs). KBOM is an open source standard and command-line tool that helps security teams quickly analyze cluster configurations and respond to CVEs.
The project includes an initial specification and implementation that works across cloud providers, on-prem, and DIY environments.
The initial specification in JSON provides detailed information about the different components of a cluster in addition to instances, Kubernetes objects, and container images for both internal and hosted applications.
Such information can be helpful for security and compliance teams to look at a Kubernetes cluster as a single unit and quickly identify vulnerabilities and threats without necessarily having to look at the underlying components individually.
KBOM gives a quick rundown of a Kubernetes cluster such as:
- Cluster size in terms of the workload count
- Cost and type of nodes on a cloud provider
- Vulnerabilities for Kubernetes-related components and hosted application images
- Third-party customizations and plugs such as custom resources, authentication, and survive mesh
- Version details of the platform and its components
Earlier this year, KSOC labs surveyed a group of attendees at KubeCon+CloudNativeCon Europe 2023 by asking them if they had container security, cloud posture management, and runtime security solutions and whether having a dedicated security solution for Kubernetes is needed. 97% of participants said yes.
The team at KSOC realized that even though similar standards and tools exist today as Software Bill of Materials (SBOMs) and Infrastructure Bill of Materials (IBOMs) that can help in understanding the components that make up an application and its underlying infrastructure, they don’t necessarily enable security teams to be able to analyze their clusters and respond quickly to CVEs.
By releasing KBOM, the team at KSOC would like to bring Kubernetes into the conversation concerning security and compliance guidelines.
Using KBOM, security and compliance teams can get more visibility into their Kubernetes clusters, especially third party plugins. For example, KBOM can shed some light on the most recent Kubernetes CVEs that allow privilege escalation, a sophisticated technique by bad actors to escape from an application container to the underlying host and eventually take over an entire cluster.
Some of which are projects in the CNCF landscape. For example, CVE-2023-27483 affecting crossplane, a multi-cloud control plane that leverages the Kubernetes API to provision and manage cloud infrastructure, and CVE-2023-30622 affecting Clusternet, a solution to manage multiple Kubernetes clusters on public, private, hybrid, and edge environments.
Also, CVE-2023-30513 pertains to the Kubernetes plugin for Jenkins, a Jenkins plugin that takes care of all the communications from Jenkins to the cluster regarding CI/CD pipelines.
The specification provides a foundation for the community to build on and add more information to support different use cases in the future.
KBOM was tested on all the major cloud providers, including AWS, Azure, and Google Cloud. It works on all versions newer than Kubernetes v1.19. Instructions on how to get started using KBOM are available on the project’s GitHub repository.