# Kubernetes Penetration Test Report: Insights and Twistlock Response

By [John Morello](https://www.paloaltonetworks.com/blog/author/john-morello/?ts=markdown "Posts by John Morello"), [Ariel Zelivansky](https://www.paloaltonetworks.com/blog/author/ariel-zelivansky/?ts=markdown "Posts by Ariel Zelivansky") and [Adrian Chan](https://www.paloaltonetworks.com/blog/author/adrian-chan/?ts=markdown "Posts by Adrian Chan")

Aug 08, 2019, 4 minutes. [Secure the Cloud](https://www.paloaltonetworks.com/blog/category/secure-the-cloud/?ts=markdown), [Kubernetes](https://www.paloaltonetworks.com/blog/tag/kubernetes/?ts=markdown), [Twistlock](https://www.paloaltonetworks.com/blog/tag/twistlock/?ts=markdown)

This post is also available in: [日本語 (Japanese)](https://www2.paloaltonetworks.com/blog/2019/09/kubernetes-penetration-test/?lang=ja "Switch to Japanese(日本語)")

The Cloud Native Computing Foundation (CNCF) late last year
commissioned a penetration test to identify unknown security vulnerabilities and design weaknesses in Kubernetes. The [final report](https://github.com/kubernetes/community/blob/master/wg-security-audit/findings/Kubernetes%20Final%20Report.pdf) is posted [in the working group's repository](https://github.com/kubernetes/community/tree/master/wg-security-audit).

When done well, penetration tests are a method for improving software security quality. The Kubernetes test was thorough and well designed. It produced dozens of findings, including many new vulnerabilities and recommendations for new security features. The Kubernetes project just opened [#81146](https://github.com/kubernetes/kubernetes/issues/81146) as a single tracker to follow progress on the 37 issues that were identified.

We've received many questions about this report from our customers. Answers to the most common ones are below. We will update this post as more information becomes available.

## 1. Why was the report released prior to all issues being addressed?

Disclosure of the report findings wasn't announced or broadly coordinated prior to release. While the community was aware that the penetration test was under way, full disclosure of the results, including unfixed vulnerabilities, came as a surprise. In the spirit of improving everyone's security, Ariel Zelivansky, who leads our research team, opened [#3982](https://github.com/kubernetes/community/issues/3982) in the community repo to discuss a more coordinated process for disclosure and proactive remediation going forward. Ideally, future findings will be coordinated among maintainers and vendors so that fixes are already available at the time of disclosure.

## 2. Does Twistlock detect these new vulnerabilities yet?

Our [Intelligence Stream](https://www.twistlock.com/2018/10/02/building-ultimate-cloud-native-vulnerability-feed/) consumes vulnerability data from dozens of vendors and upstream providers to build the data set used to identify vulnerabilities in each customer environment. Because this report was released unexpectedly, many of these vulnerabilities do not yet have CVEs assigned, so many vendors have not yet had an opportunity to assess whether their distributions are affected. As vendors complete these assessments and publish their results, the Intelligence Stream picks up the new entries automatically and Twistlock begins detecting them.

Vendor analysis of newly disclosed vulnerabilities typically happens quickly, often within hours of disclosure. In this case, given the sheer volume of findings, it may take longer for some of the lower-severity items to be evaluated and for CVE data to be published. No customer action is needed: as soon as vendors publish vulnerability data, it is picked up by the Intelligence Stream and used to detect vulnerabilities in your environment.

## 3. How does Twistlock protect me from these vulnerabilities?

Twistlock includes a variety of controls that mitigate findings in the report. Of the 37 findings, only five are rated high impact, and of those five, one is a suggested enhancement rather than a vulnerability. We examine the five high-impact findings below.

## 4. How does Twistlock protect against these issues?

**hostPath PersistentVolumes enable PodSecurityPolicy bypass**

A PodSecurityPolicy that forbids `hostPath` volumes evaluates only the pod spec; it does not look at the PersistentVolume behind a `persistentVolumeClaim` volume. A PersistentVolume of type hostPath therefore exposes the host filesystem to a pod whose spec contains nothing but an allowed `persistentVolumeClaim` volume. Twistlock provides two mitigations. First, our Kubernetes audit monitoring alerts on pods created with additional privileges, such as access to host mounts. Second, a compliance rule alerts on or blocks pods created with host mounts (compliance check #55 in Twistlock).
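The Python below is an added example, not Twistlock product logic or a Kubernetes project check. It shows why a pod-spec-only volume rule misses this finding: the PSP-style check passes the PVC-backed pod, while an audit that resolves PersistentVolumeClaim to PersistentVolume reports the host path it actually reaches. All objects are constructed and trimmed to the fields `kubectl get -o json` returns; the names and paths are hypothetical.

```python
"""Added example: find host filesystem exposure that a volume-type
PodSecurityPolicy check misses. Not Twistlock or Kubernetes project code.

A PSP volume allow list is evaluated against the pod spec only, so a pod whose
volume is a persistentVolumeClaim passes even when the bound PersistentVolume
is of type hostPath. The audit follows PVC -> PV and reports the host path.
"""
from typing import List, Optional, Tuple

# Constructed PSP-style allow list: hostPath is deliberately absent.
ALLOWED_VOLUME_TYPES = {"configMap", "secret", "emptyDir", "persistentVolumeClaim"}

# Constructed cluster state (hypothetical names and paths).
PERSISTENT_VOLUMES = [
    {"metadata": {"name": "host-root-pv"},
     "spec": {"hostPath": {"path": "/"}}},
    {"metadata": {"name": "nfs-data-pv"},
     "spec": {"nfs": {"server": "10.0.0.5", "path": "/export"}}},
]
PERSISTENT_VOLUME_CLAIMS = [
    {"metadata": {"namespace": "dev", "name": "host-root-claim"},
     "spec": {"volumeName": "host-root-pv"}},
    {"metadata": {"namespace": "dev", "name": "data-claim"},
     "spec": {"volumeName": "nfs-data-pv"}},
]
PODS = [
    {"metadata": {"namespace": "dev", "name": "direct-hostpath"},
     "spec": {"volumes": [{"name": "h", "hostPath": {"path": "/"}}]}},
    {"metadata": {"namespace": "dev", "name": "hostpath-via-pvc"},
     "spec": {"volumes": [{"name": "h",
                           "persistentVolumeClaim": {"claimName": "host-root-claim"}}]}},
    {"metadata": {"namespace": "dev", "name": "clean"},
     "spec": {"volumes": [{"name": "d",
                           "persistentVolumeClaim": {"claimName": "data-claim"}}]}},
]


def volume_type(volume: dict) -> Optional[str]:
    """A pod volume is {"name": ..., "<sourceType>": {...}}; return the source type."""
    return next((k for k in volume if k != "name"), None)


def psp_volume_check(pod: dict) -> bool:
    """Mimics the PSP `volumes` rule: True when every volume type is allowed.
    Only the pod spec is consulted, which is why the PVC route slips through."""
    return all(volume_type(v) in ALLOWED_VOLUME_TYPES
               for v in pod["spec"].get("volumes", []))


def bound_pv(namespace: str, claim_name: str,
             pvcs: List[dict], pvs: List[dict]) -> Optional[dict]:
    """Resolve a namespaced PVC to the cluster-scoped PV it is bound to."""
    for pvc in pvcs:
        md = pvc["metadata"]
        if md["namespace"] == namespace and md["name"] == claim_name:
            pv_name = pvc["spec"].get("volumeName")
            return next((pv for pv in pvs if pv["metadata"]["name"] == pv_name), None)
    return None


def host_paths_reachable(pod: dict, pvcs: List[dict], pvs: List[dict]) -> List[str]:
    """Host paths the pod mounts, whether declared inline or through a hostPath PV."""
    ns = pod["metadata"]["namespace"]
    paths = []
    for v in pod["spec"].get("volumes", []):
        if "hostPath" in v:
            paths.append(v["hostPath"]["path"])
        elif "persistentVolumeClaim" in v:
            pv = bound_pv(ns, v["persistentVolumeClaim"]["claimName"], pvcs, pvs)
            if pv is not None and "hostPath" in pv["spec"]:
                paths.append(pv["spec"]["hostPath"]["path"])
    return paths


def audit(pods, pvcs, pvs) -> List[Tuple[str, bool, List[str]]]:
    """Per pod: (name, passes the PSP volume rule, host paths actually reachable).
    A row that passes the rule yet lists a host path is the bypass."""
    return [(p["metadata"]["name"], psp_volume_check(p), host_paths_reachable(p, pvcs, pvs))
            for p in pods]


if __name__ == "__main__":
    for name, psp_ok, paths in audit(PODS, PERSISTENT_VOLUME_CLAIMS, PERSISTENT_VOLUMES):
        print(f"{name:18} psp_allows={psp_ok!s:5} host_paths={paths}")
```

Run against a live cluster, the same three lists would come from `kubectl get pods,pvc -A -o json` and `kubectl get pv -o json`. Note the precondition the finding depends on: someone must be able to create the hostPath PersistentVolume, which is a cluster-scoped permission, so reviewing who holds `create` on `persistentvolumes` is part of the same check.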
**Kubernetes does not facilitate certificate revocation**

This is the suggested security enhancement. Re-keying certificate chains is overly burdensome, and the finding recommends simplifying it. While we agree that this would be a useful security advancement, it is not a vulnerability and does not create any direct risk to users today. As a suggested platform improvement, it is outside the scope of our focus as a security product.

**HTTPS connections are not authenticated**

The core risk here is eventual access to etcd. Pods don't normally access etcd directly, and because our Cloud Native Network Firewall automatically learns normal traffic patterns, we would see and block this anomalous connection. Further, the attack requires running a malicious kubelet, which we help customers mitigate with our Trusted Images feature, which only allows software to run from approved registries and repositories.

**TOCTOU when moving PID to manager's cgroup via kubelet**

In this vulnerability, a process inside a container eventually writes to devices on the host. Our runtime defense feature detects and prevents this class of attack: Twistlock learns that such file system access is not part of the container's normal behavior and blocks it automatically.

**Improperly patched directory traversal in kubectl cp**

This finding concerns [CVE-2019-1002101](https://discuss.kubernetes.io/t/announce-security-release-of-kubernetes-kubectl-potential-directory-traversal-releases-1-11-9-1-12-7-1-13-5-and-1-14-0-cve-2019-1002101/5712), which Ariel found earlier this year; the report judged the original patch incomplete. You can read about the vulnerability in [our original blog post](https://www.twistlock.com/labs-blog/disclosing-directory-traversal-vulnerability-kubernetes-copy-cve-2019-1002101/). The attack relies on a malicious `tar` binary inside the container, whose output kubectl unpacks on the user's machine. A malicious image can be prevented with Trusted Images, and the attack can be mitigated by requiring a read-only root filesystem, for which we provide a compliance check. The two controls cover different cases: a read-only root filesystem stops an attacker who has compromised a running container from replacing its `tar` binary, while Trusted Images addresses an image that ships the malicious binary to begin with. Neither substitutes for upgrading kubectl to a fixed release.
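The Python below is an added example, not kubectl's code, showing the client-side check this bug class calls for: screen every member of a tar stream for a path or link target that would land outside the destination, and refuse the whole archive if any does. The archive is constructed in memory; `/tmp/out` is a hypothetical destination used only for path arithmetic, and the check is purely lexical so it runs without touching the filesystem.

```python
"""Added example (not kubectl's code): screen a tar stream for members that
would land outside the destination before unpacking it. This is the bug class
behind CVE-2019-1002101, where kubectl cp unpacked a tar produced inside the
container without sanitizing member paths. The archive is constructed here.
"""
import io
import posixpath
import tarfile
from typing import List, Tuple

# Constructed members: (name, kind, payload); kind is "file" with bytes or
# "symlink" with a link target.
SAMPLE_ENTRIES: List[Tuple[str, str, object]] = [
    ("good/readme.txt", "file", b"hello"),
    ("good/inner", "symlink", "readme.txt"),                    # stays inside dest
    ("../../etc/cron.d/evil", "file", b"* * * * * root id\n"),  # classic traversal
    ("good/escape", "symlink", "../../../etc"),                 # relative link out of dest
    ("abs", "symlink", "/etc"),                                 # absolute link target
]


def build_archive(entries) -> bytes:
    """Build a constructed sample archive with the given members."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, kind, payload in entries:
            info = tarfile.TarInfo(name)
            if kind == "file":
                info.size = len(payload)
                tar.addfile(info, io.BytesIO(payload))
            else:
                info.type = tarfile.SYMTYPE
                info.linkname = payload
                tar.addfile(info)
    return buf.getvalue()


def escapes(dest: str, path: str) -> bool:
    """True if dest joined with path normalises to something outside dest.
    Lexical only (posixpath), so it is deterministic and needs no filesystem.
    dest must be absolute so absolute member paths compare cleanly."""
    if not posixpath.isabs(dest):
        raise ValueError("dest must be an absolute path")
    dest_norm = posixpath.normpath(dest)
    target = posixpath.normpath(posixpath.join(dest_norm, path))
    return posixpath.commonpath([dest_norm, target]) != dest_norm


def offending_members(data: bytes, dest: str = "/tmp/out") -> List[str]:
    """Names of members that escape dest, by their own path or by link target."""
    bad = []
    with tarfile.open(fileobj=io.BytesIO(data)) as tar:
        for m in tar.getmembers():
            if escapes(dest, m.name):
                bad.append(m.name)
            elif m.issym():
                # A symlink target is relative to the link's own directory.
                target = posixpath.join(posixpath.dirname(m.name), m.linkname)
                if escapes(dest, target):
                    bad.append(m.name)
            elif m.islnk():
                # A hard link target is an archive-relative path.
                if escapes(dest, m.linkname):
                    bad.append(m.name)
    return bad


def safe_extract(data: bytes, dest: str) -> int:
    """Refuse the whole archive if any member escapes. Skipping only the bad
    members is not enough: a later member could write through a flagged
    symlink. Returns the number of members written."""
    bad = offending_members(data, dest)
    if bad:
        raise ValueError(f"refusing to extract, members escape {dest}: {bad}")
    with tarfile.open(fileobj=io.BytesIO(data)) as tar:
        members = tar.getmembers()
        tar.extractall(dest, members=members)
        return len(members)


if __name__ == "__main__":
    import tempfile
    print("offending:", offending_members(build_archive(SAMPLE_ENTRIES)))
    clean = build_archive(SAMPLE_ENTRIES[:2])
    print("written:", safe_extract(clean, tempfile.mkdtemp()))
```

The reason the check rejects the archive as a whole rather than dropping bad members is the symlink case: if `good/escape` were skipped but a later member named `good/escape/payload` were written, the extractor would follow the link on disk and write outside the destination anyway. A client that unpacks attacker-controlled archives needs both the path check and that all-or-nothing rule.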