Auditing 1.5 million lines of code is a heroic undertaking. With resources provided by the Cloud Native Computing Foundation (CNCF), the Kubernetes Project leadership created the Security Audit Working Group to perform an audit in an open, transparent, and repeatable manner, while also paving the way for future Kubernetes security reviews and research. The group included members from Google, Red Hat, Salesforce, and InGuardians, with input from the broader security community.
We felt that the two most critical components of this project were developing a process for vendor selection and determining the shape and deliverables the audit would produce.
From the start, we knew that no matter how many person-months we allocated to this initiative, or how many dollars were provided, we would be unable to perform a completely comprehensive review of Kubernetes in one go. That’s why we focused on work that would improve the quality and speed of the next audit, or of the next independent researcher’s review. That doesn’t mean we didn’t want to find a bunch of novel bugs, though!