Vulnerabilities
New vulnerabilities and exploits are discovered and published every day. Even if you deploy an application without a known vulnerability, it is only a matter of time before a new vulnerability affecting that application emerges. Bad actors are increasingly targeting software at every layer of the stack, using vulnerabilities to install sophisticated malware and evade detection. It is therefore considered "required hygiene" for every software provider to have a "security practice" in which they proactively scan all layers of the software stack for vulnerabilities and provide the means to remediate them quickly.
Operating System
This applies to the "qcow" and "ova/ovf" virtual appliance based form factors for managed upstream Kubernetes. With these two form factors, the Ubuntu based operating system (OS) for the Kubernetes nodes is centrally managed by the controller. Our security and operations team performs daily, automated scans of the OS using market-leading vulnerability scanning tools and provides rapid remediation options for customers.
New Clusters
The managed OS for the cluster nodes is automatically updated and patched during cluster provisioning.
In Field Clusters
The managed OS for the cluster nodes is updated remotely during maintenance windows that the end customer has scheduled and allowed. Inbound remote access to the nodes is not required for this to be performed.
Upstream Kubernetes
When security updates for currently supported Kubernetes versions are available, they are quickly made available for all customers.
New Clusters
The patched version becomes the new default for any new clusters. For example, instead of 1.20.3, the new default becomes 1.20.6.
In Field Clusters
Customers are provided a notification and prompted to initiate an in-place upgrade of their clusters using the controller-provided upgrade workflows.
Container Images
Multiple security scanners are used to perform daily security scans of the container images that are deployed to managed clusters (i.e. the Kubernetes management operator and the managed addons that are part of the default cluster blueprint). If required, patched container images are made available.
New Clusters
Only the patched versions of the container images are deployed to newly provisioned clusters.
In Field Clusters
For existing, in-field clusters, customers are provided a notification and prompted to schedule an in-place, rolling update.
Note
Customers are responsible for scanning and remediating their own workloads and any third-party applications they deploy to the clusters.
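The triage step behind the Container Images section above, and the same step customers need for their own workloads as described in the note, is deciding from a scanner report whether a patched image is actually required: a finding only drives a rebuild when it meets the severity bar and upstream already ships a fixed package version. The following is an added example, not the controller's own code or any particular scanner's tooling. It assumes a report in the Trivy JSON layout (a `Results` list whose entries carry a `Vulnerabilities` list with `VulnerabilityID`, `PkgName`, `InstalledVersion`, `FixedVersion` and `Severity`); the report, the image name and the CVE identifiers are constructed placeholders.

```python
"""Triage a container image vulnerability report and decide whether a
rebuilt (patched) image is required.

Added example. Assumes the Trivy JSON report layout; the sample report,
registry name and CVE identifiers below are constructed placeholders.
"""
import json

# Ordering used to compare a finding against the remediation threshold.
SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample report for one managed addon image (placeholder CVE ids).
SAMPLE_REPORT = json.dumps({
    "ArtifactName": "registry.example.com/addons/metrics-server:v0.6.1",
    "Results": [
        {
            "Target": "registry.example.com/addons/metrics-server:v0.6.1 (alpine 3.17.2)",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0001", "PkgName": "openssl",
                 "InstalledVersion": "3.0.7-r0", "FixedVersion": "3.0.8-r0",
                 "Severity": "HIGH"},
                # No fixed version yet: nothing to rebuild against, track it instead.
                {"VulnerabilityID": "CVE-0000-0002", "PkgName": "busybox",
                 "InstalledVersion": "1.35.0-r29", "FixedVersion": "",
                 "Severity": "MEDIUM"},
                {"VulnerabilityID": "CVE-0000-0003", "PkgName": "zlib",
                 "InstalledVersion": "1.2.13-r0", "FixedVersion": "1.2.13-r1",
                 "Severity": "LOW"},
            ],
        }
    ],
})


def parse_report(report_json):
    """Flatten a report into (image name, list of normalised findings)."""
    report = json.loads(report_json)
    findings = []
    for result in report.get("Results", []):
        # Trivy emits null (not []) for targets with no findings.
        for v in result.get("Vulnerabilities") or []:
            findings.append({
                "id": v["VulnerabilityID"],
                "package": v["PkgName"],
                "installed": v["InstalledVersion"],
                "fixed": v.get("FixedVersion") or None,  # "" means no fix available
                "severity": v.get("Severity", "UNKNOWN").upper(),
                "target": result.get("Target", ""),
            })
    return report.get("ArtifactName", ""), findings


def fixable_findings(findings, min_severity="HIGH"):
    """Findings at or above the threshold for which a fixed version exists."""
    threshold = SEVERITY_RANK[min_severity]
    return [f for f in findings
            if f["fixed"] and SEVERITY_RANK.get(f["severity"], 0) >= threshold]


def needs_patched_image(findings, min_severity="HIGH"):
    """True when at least one qualifying finding can be fixed by a rebuild."""
    return bool(fixable_findings(findings, min_severity))


def remediation_plan(report_json, min_severity="HIGH"):
    """Produce the rebuild decision plus the package bumps and open items."""
    image, findings = parse_report(report_json)
    fixable = fixable_findings(findings, min_severity)
    unfixable = [f for f in findings if not f["fixed"]]
    return {
        "image": image,
        "rebuild_required": bool(fixable),
        "upgrade": [(f["package"], f["installed"], f["fixed"], f["id"]) for f in fixable],
        "awaiting_upstream_fix": [f["id"] for f in unfixable],
    }


if __name__ == "__main__":
    print(json.dumps(remediation_plan(SAMPLE_REPORT), indent=2))
```

The threshold is deliberately a parameter: the default of `HIGH` matches a daily "rebuild if a fixable high or critical finding appears" policy, while lowering it to `LOW` pulls the zlib bump into the same rebuild. Findings with no fixed version are reported separately so they stay visible until upstream publishes a patch rather than silently dropping out of the plan.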