Here is why you shouldn’t let the hole in Kubernetes code affect your business
At the beginning of December, Google senior staff engineer Jordan Liggitt of Kubernetes announced a major security flaw in the Kubernetes code, tracked as CVE-2018-1002105, which leaves the container software vulnerable by giving access to its API servers, the main management entity in Kubernetes.
We discussed this topic with our Product Director, Dr Kenneth Tan, to better understand the gravity of the situation and what to do in order to save your business.
Q1. What are the business risks of this security flaw?
A1: Unfortunately, the vulnerability is affecting all Kubernetes-based products and services, particularly because it gives hackers full administrative control that cannot be easily detected. According to Jordan Liggitt, hackers’ requests do not show up in the Kubernetes API server audit logs or server log.
Q2. Are there any realistic methods to secure the open source container orchestration system?
A2: The major players in the market have already issued patches for their Kubernetes-based products. However, Sardina Systems believes that operators should go a step further and have Kubernetes placed inside VMs, which can be managed within an OpenStack environment.
With OpenStack Magnum, FishOS enables Operators in enterprises to easily provide multi-tenanted Kubernetes environments, with proven security assurances.
By running Kubernetes clusters within VMs, you can benefit from the strong security segregation of VMs, as well as the reliability and resilience afforded by VMs. These greater security, reliability and resilience benefits come at the price of KVM overhead, typically seen as approximately 4% of peak system performance. Is 4% too high a price to pay?
Q3. What is Sardina FishOS? How long does it take to deploy FishOS, and to transition to FishOS from another solution?
A3: FishOS provides Operators with an OpenStack and Kubernetes cloud platform with automation for each phase of the system lifecycle: Deploy, Operate and Upgrade.
To deploy FishOS, it would take just “two-cups-of-coffee” time. The full system is deployed using FishOS Deployer on bare metal, enabling a broad audience of Operators to confidently deploy, operate and upgrade FishOS OpenStack platforms, without dictating an in-depth understanding of Kubernetes as a prerequisite, while maintaining privilege segregation where it matters, at the Service Consumer level.
FishOS Deployer provides a solution to easily migrate OpenStack management services from one node to another or to flexibly upgrade or downgrade software packages.
The process of transitioning to FishOS is quite simple. Once the difference between the previous solution and the FishOS Solution Architecture is determined, the transition can be done using FishOS Deployer in an afternoon.