Hello and welcome to the Tuesday, January 3, 2020,

edition of the Sansonet Storm Center's Stormcast. My name is Johannes Ulrich,

and then I'm recording from Jacksonville, Florida.

Container security company Armo is warning of vulnerability in Coverno.

Coverno is what's often called an admission controller for Kubernetes, and what essentially

does is it checks if a particular image that you're loading in your Kubernetes cluster is safe to run.

So the basic workflow with this admission controller is that if Kubernetes is being asked

to run a particular workload, the admission controller is asked to verify if the workload

is safe to run.

In order to do this, the admission controller will go to the container registry, retrieve the payload, and then basically check.

Does the signature workout?

And is it safe?

Well, and then it basically gives the OK to Kubernetes to download that image.

The problem here is that one of the scenarios is that NetHacker actually is controlling this registry,

which is one of the reasons why we want something like the admission controller.

And if NetHacker is in charge and controlling the registry, well, they could very well provide

one image to the admission

controller and then a different image to Kubernetes to actually run.

The fixed switch has been deployed already by Coverno in version 183.

It does make sure that the hash of the image that was verified is the same as the hash of the

image that actually was retrieved by Kubernetes, so that way the attacker can't swap out these

images.

...