Posted on January 16, 2025

CNCF projects highlighted in this post

Karmada logo

Community post cross-posted on the OSTIF blog by Helen Woeste, Communications Manager, the Open Source Technology Improvement Fund

OSTIF is proud to share the results of our security audit of Karmada. Karmada is an open source Kubernetes orchestration system for running cloud-native applications seamlessly across different clouds and clusters. With the help of Shielder and the Cloud Native Computing Foundation (CNCF), this project offers users improved open, multi-cloud, multi-cluster Kubernetes management.

Audit Process:

While Karmada is a part of the Kubernetes ecosystem and therefore utilizes Kubernetes libraries and implementations, the focus of this particular work was on the overall security health of the custom implementations of Karmada and its third party dependencies. Karmada’s function utilizes multiple components, CLI tools, and add ons to extend the standard Kubernetes features, which can be customized from deployment to deployment. This makes Karmada’s attack scenarios complex, so it was necessary to perform a scoped threat modelling in order to evaluate potential attack surfaces. Utilizing this custom threat model and a combination of manual, tooling, and dynamic review, Shielder identified six findings with security impact on the project. 

Audit Results:

The Karmada maintainer team worked quickly and in tandem with Shielder to resolve and fix the reported issues. Their work on behalf of the project was meticulous and mindful of users as well as relevant third-party dependencies and projects. They published necessary advisories and alerted users as to the impact and resolution of this audit. OSTIF wishes them the best of luck on their journey to graduated status with the CNCF.

Thank you to the individuals and groups that made this engagement possible:

Everyone around the world depends on open source software. If you’re interested in financially supporting this critical work, contact amir@ostif.org.