A systematic evaluation of CVEs and mitigation strategies for a Kubernetes stack

University essay from Lunds universitet/Institutionen för elektro- och informationsteknik

Abstract: Kubernetes is a container orchestration platform growing ever more popular, and as the software industry shifts into the container cloud, security will become paramount. The Common Vulnerabilities and Exposures (CVE) system catalogs and provides references to known vulnerabilities. The goal of this thesis is to systematically evaluate the security situation of Kubernetes through common mitigation strategies. The methodology was split into two parts: a theoretical analysis and an experimental test. Firstly, mitigation strategies were chosen and analyzed. Secondly, CVEs for Kubernetes, Nginx ingress, and containerd were analyzed. Thereafter, an evaluation matrix was developed. From this matrix, the mitigation strategies were discussed and evaluated. The findings were verified in the experimental part, where proofs of concept for a selection of CVEs were executed against a vulnerable cluster. Thereafter, the same exploits were executed against a cluster where mitigation strategies were in place. The experiment validated the findings of the theoretical analysis for the selected CVEs. The conclusion is that the common mitigation strategies provide a foundation as a part of a larger system. They prevent some but not all CVEs, and administrators should not rely on them solely. Moreover, the thesis provides a systematic way of evaluating CVEs for Kubernetes that can be expanded upon, an addition to the literature regarding Kubernetes.
