
The Cloud Native Computing Foundation (CNCF) continues to grow: 58 companies joined in the last quarter, and as usual the freshly minted members vary enormously in size. The CNCF has also published the results of a third-party security audit of Kubernetes 1.24.

The new members joined at the Silver level, which requires a smaller annual contribution than Platinum or Gold membership. Globally known names such as Lenovo and Cognizant joined alongside smaller outfits from around the world.

Founded in 2015, the CNCF hosts and promotes open-source projects built for cloud-native applications. It lets developers mature their projects step by step, giving them time to become reliable and ready for commercial deployment. A project starts at the Sandbox stage, where it is not yet considered stable; Incubating and Graduated projects are considered mature enough to go to market.

To be admitted to the CNCF, a project must meet a number of requirements, including adopting a code of conduct and communicating version updates clearly. More than 150 projects are currently active across the various stages.

Security

The CNCF is closely associated with Kubernetes, and it had the British security firm NCC Group audit version 1.24 of Kubernetes. A security audit of this kind examines a system comprehensively for weaknesses. Kubernetes has since moved on to version 1.27; the audit itself was completed in the summer of 2022, so its findings describe 1.24 rather than the current release.

NCC found a number of problems in this version of Kubernetes. First, it judged the administrator experience confusing when it comes to restricting permissions for users and for network traffic. Second, there were loopholes in the authorization between Kubernetes components; by exploiting them, an attacker could work up to acting as cluster-admin, and once in that position could hide behind further weaknesses in the logging and auditing system. Finally, there were a number of ways to bypass authorization altogether. According to NCC, these bypasses were the only findings that posed a significant risk to users.
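The confusing permission model and the path to cluster-admin that the audit describes are the reason to inventory who actually holds admin-equivalent or escalation-capable RBAC grants in a cluster. The script below is an added example, not code from the audit, NCC Group or the Kubernetes project: it reads the JSON that `kubectl get clusterroles,clusterrolebindings,roles,rolebindings -A -o json` produces and flags bindings that grant cluster-admin (or a wildcard rule equivalent to it), the bind/escalate/impersonate verbs that the Kubernetes RBAC documentation identifies as escalation paths, or any role bound to the system:authenticated or system:unauthenticated groups. The RBAC objects embedded in it are constructed sample data; names such as ops-admins, rbac-helper and builder are made up, and fields the check never reads (roleRef.apiGroup, UIDs, timestamps) are omitted.

```python
"""Flag Kubernetes RBAC bindings that grant cluster-admin, escalation verbs,
or bind a role to every authenticated caller. Added example; sample data is constructed.

Input: the List object returned by
  kubectl get clusterroles,clusterrolebindings,roles,rolebindings -A -o json
"""
import json
import sys

# Verbs the Kubernetes RBAC documentation singles out as privilege-escalation
# paths: bind/escalate on roles and clusterroles, impersonate on identities.
# Flagging them wherever they appear is the conservative choice.
ESCALATION_VERBS = {"bind", "escalate", "impersonate"}
# Groups that include every authenticated (or every anonymous) request.
BROAD_GROUPS = {"system:authenticated", "system:unauthenticated"}


def rule_is_admin_equivalent(rule):
    """True for a rule granting every verb on every resource in every API group."""
    return all("*" in rule.get(key, []) for key in ("apiGroups", "resources", "verbs"))


def rule_escalation_verbs(rule):
    """Escalation verbs granted by one rule (a wildcard verb grants them all)."""
    verbs = set(rule.get("verbs", []))
    return set(ESCALATION_VERBS) if "*" in verbs else verbs & ESCALATION_VERBS


def index_roles(items):
    """Map (kind, namespace, name) -> rules so bindings can be resolved."""
    roles = {}
    for obj in items:
        if obj["kind"] in ("ClusterRole", "Role"):
            meta = obj["metadata"]
            roles[(obj["kind"], meta.get("namespace", ""), meta["name"])] = obj.get("rules") or []
    return roles


def describe_subject(subj):
    if subj["kind"] == "ServiceAccount":
        return f'ServiceAccount:{subj.get("namespace", "")}/{subj["name"]}'
    return f'{subj["kind"]}:{subj["name"]}'


def audit_bindings(items):
    """Return one (binding, scope, subject, reason) tuple per risky binding/subject pair."""
    roles = index_roles(items)
    findings = []
    for obj in items:
        if obj["kind"] not in ("ClusterRoleBinding", "RoleBinding"):
            continue
        meta, ref = obj["metadata"], obj["roleRef"]
        ns = meta.get("namespace", "")
        name = f'{obj["kind"]}/{ns + "/" if ns else ""}{meta["name"]}'
        # A RoleBinding may reference a ClusterRole, but only grants it inside its own namespace.
        scope = "cluster-wide" if obj["kind"] == "ClusterRoleBinding" else f"namespace {ns}"
        role_ns = "" if ref["kind"] == "ClusterRole" else ns
        rules = roles.get((ref["kind"], role_ns, ref["name"]), [])

        reasons = []
        if (ref["kind"], ref["name"]) == ("ClusterRole", "cluster-admin") or any(
                rule_is_admin_equivalent(r) for r in rules):
            reasons.append("grants cluster-admin or equivalent")
        else:
            escal = set().union(*(rule_escalation_verbs(r) for r in rules))
            if escal:
                reasons.append("grants escalation verbs " + ",".join(sorted(escal)))
        for subj in obj.get("subjects") or []:
            subject_reasons = list(reasons)
            if subj["kind"] == "Group" and subj["name"] in BROAD_GROUPS:
                subject_reasons.append(f'bound to broad group {subj["name"]}')
            if subject_reasons:
                findings.append((name, scope, describe_subject(subj), "; ".join(subject_reasons)))
    return findings


# Constructed sample: one built-in admin binding, one role handed to every
# authenticated user, one service account that can bind/escalate roles, and
# one harmless namespaced read-only binding.
SAMPLE = {"kind": "List", "items": [
    {"kind": "ClusterRole", "metadata": {"name": "cluster-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]},
               {"nonResourceURLs": ["*"], "verbs": ["*"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "ci-deployer"},
     "rules": [{"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["get", "list", "update"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "rbac-helper"},
     "rules": [{"apiGroups": ["rbac.authorization.k8s.io"], "resources": ["clusterroles", "clusterrolebindings"],
                "verbs": ["get", "bind", "escalate"]}]},
    {"kind": "Role", "metadata": {"name": "pod-viewer", "namespace": "dev"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "ops-admins"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "ops-admins"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "everyone-deploys"},
     "roleRef": {"kind": "ClusterRole", "name": "ci-deployer"},
     "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
    {"kind": "RoleBinding", "metadata": {"name": "builder-rbac", "namespace": "dev"},
     "roleRef": {"kind": "ClusterRole", "name": "rbac-helper"},
     "subjects": [{"kind": "ServiceAccount", "name": "builder", "namespace": "dev"}]},
    {"kind": "RoleBinding", "metadata": {"name": "devs-view", "namespace": "dev"},
     "roleRef": {"kind": "Role", "name": "pod-viewer"},
     "subjects": [{"kind": "Group", "name": "developers"}]},
]}

if __name__ == "__main__":
    items = json.load(open(sys.argv[1]))["items"] if len(sys.argv) > 1 else SAMPLE["items"]
    for binding, scope, subject, reason in audit_bindings(items):
        print(f"{binding} ({scope}) -> {subject}: {reason}")
```

Run with no argument to audit the embedded sample, or pass the path of a saved kubectl dump to audit a real cluster. A RoleBinding that references a ClusterRole is reported with namespace scope because that is all it grants. The check does not know which users the authenticator places in which groups, and it does not evaluate webhook or Node authorizers, so a clean run is a baseline to build on, not proof that no path to cluster-admin exists.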
