Software supply chain security risks surround Kubernetes

Kubernetes and cloud-native computing sit squarely in the middle of a seismic shift in the last decade toward enterprise use of open source — and all the software supply chain security concerns that come with it.

This open source shift isn’t piecemeal: Four of the 17 industry sectors represented in the 2022 edition of an annual “Open Source Security and Risk Analysis” report by Synopsys include open source in 100% of their codebases; the remaining 13 industries use open source in 93% to 99% of their codebases.

Meanwhile, since the SolarWinds attack in late 2020, a series of high-profile exploits in open source code has revealed the far-reaching cybersecurity implications of its convoluted supply chains. In late 2021, the Log4j vulnerability exposed how open source libraries wrapped up in other dependencies could be used in potentially devastating and difficult-to-detect attacks, as enterprises had trouble determining whether vulnerable libraries were present in their environments, and where.

Against this backdrop, Kubernetes itself remains a relatively safe haven because of its large, highly invested community, according to the Synopsys report. But plenty of other open source components are involved in the Kubernetes ecosystem, including small, single-developer projects, whose maintenance — or lack thereof — can leave the wider platform vulnerable.

“GitHub has millions of projects in which the number of developers is in the single digits,” according to the Synopsys report. “One of the takeaways from Log4Shell’s discovery should be the need to create a path to mitigate the business risk associated with using open source software. The important distinction here is that open source itself doesn’t create business risk, but its mismanagement does.”

Kubernetes + automated deployments = supply chain risks

SolarWinds was compromised via its CI/CD process, and other recently uncovered open source security vulnerabilities took similar advantage of automated deployment and update mechanisms that researchers tricked into deploying malicious packages.
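One defensive control against a pipeline that can be tricked into deploying something other than what was vetted is to refuse workloads whose container images are not pinned to a content digest and not sourced from a trusted registry. The script below is an added example, not code from the article or from any vendor it names. The Deployment is given in its parsed form as a Python dictionary so no YAML library is needed, and `registry.example.internal` is an assumed trusted registry; the finding labels are this example's own.

```python
import re

# Constructed sample: the parsed form of a Kubernetes Deployment manifest.
# Not a real workload; chosen to exercise each case the checker distinguishes.
SAMPLE_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "web", "namespace": "shop"},
    "spec": {"template": {"spec": {
        "initContainers": [
            {"name": "migrate", "image": "registry.example.internal/shop/migrate:latest"},
        ],
        "containers": [
            # digest-pinned: the image content cannot change underneath the deployment
            {"name": "web", "image": "registry.example.internal/shop/web@sha256:" + "a" * 64},
            {"name": "sidecar", "image": "docker.io/library/nginx:1.21"},
            {"name": "agent", "image": "ghcr.io/someorg/agent"},
        ],
    }}},
}

# Assumption of this example: the only registry the organisation trusts.
ALLOWED_REGISTRIES = ("registry.example.internal/",)
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")


def classify_image(image):
    """Return a list of finding labels for one image reference (empty = acceptable)."""
    findings = []
    if not image.startswith(ALLOWED_REGISTRIES):
        findings.append("untrusted-registry")
    if DIGEST_RE.search(image):
        # A digest identifies exact content; a tag can be re-pointed at any time.
        return findings
    last_segment = image.rsplit("/", 1)[-1]   # strips registry and path, keeps name[:tag]
    if ":" not in last_segment:
        findings.append("no-tag-implicit-latest")
    elif last_segment.endswith(":latest"):
        findings.append("mutable-latest-tag")
    else:
        findings.append("tag-not-digest")
    return findings


def audit_workload(manifest):
    """Map container name -> findings for every init and app container in a
    pod-template-bearing workload (Deployment, StatefulSet, DaemonSet, Job)."""
    pod_spec = manifest["spec"]["template"]["spec"]
    report = {}
    for field in ("initContainers", "containers"):
        for container in pod_spec.get(field, []):
            findings = classify_image(container["image"])
            if findings:
                report[container["name"]] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit_workload(SAMPLE_DEPLOYMENT).items():
        print(f"{name}: {', '.join(findings)}")
```

The same check belongs in the CI step that renders manifests, and in an admission policy so that a change merged around the pipeline is still rejected at the cluster.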

The 2022 “Cloud Native Threat Report” published by container runtime security vendor Aqua on April 20 described one such exploit,…