Check for vulnerable Kubernetes versions
Problem to solve
Software-defined infrastructure provides new attack surfaces for attackers. Just as we look for vulnerable open source code libraries used by the developer, we should also look for vulnerable infrastructure components.
When using the GitLab Kubernetes integration, users could potentially be running an outdated, vulnerable version of Kubernetes, putting them at risk.
Further details
https://www.zdnet.com/article/kubernetes-first-major-security-hole-discovered/
Proposal
The proposal is to scan the Kubernetes version currently being used to identify the updates needed to install security patches. In fact, the Kubernetes version could potentially be auto-remediated in much the same way that the Secure team is looking at auto-remediation of vulnerable OS libraries.
See: https://about.gitlab.com/direction/secure/#auto-remediate and https://gitlab.com/gitlab-org/gitlab-ee/issues/5656
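One way to implement the version check described in the proposal, as an added example that is not GitLab's code: read the cluster's `/version` response (the same endpoint `kubectl version` uses), parse the `gitVersion` string, and compare it against a table of the first patched release on each minor line. The table and the sample response below are constructed for the example; the real minimum versions must be taken from the vendor advisory for the vulnerability being checked.

```python
"""Assess a Kubernetes server version against known patched releases.

Added example, not GitLab's own code. The patched-version table and the
/version response are constructed placeholders for illustration.
"""
import json
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# Constructed placeholder table: minor line -> first patch release on that line
# that carries the fix. Replace with values from the relevant security advisory;
# the numbers here are illustrative only.
SAMPLE_PATCHED_MINIMUMS: Dict[Tuple[int, int], Version] = {
    (1, 11): (1, 11, 7),
    (1, 12): (1, 12, 4),
    (1, 13): (1, 13, 1),
}

# Constructed sample of a /version response; a real check would fetch it with
# the cluster credentials the Kubernetes integration already holds.
SAMPLE_VERSION_RESPONSE = json.dumps({
    "major": "1",
    "minor": "12",
    "gitVersion": "v1.12.2-gke.3",
    "platform": "linux/amd64",
})

# Managed distributions append suffixes such as "-gke.3"; only the leading
# major.minor.patch triple matters for the comparison.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def fmt(version: Version) -> str:
    return ".".join(str(part) for part in version)


def parse_version(text: str) -> Optional[Version]:
    """Extract (major, minor, patch) from strings like 'v1.12.2-gke.3' or '1.13.0'."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        return None
    major, minor, patch = (int(part) for part in match.groups())
    return (major, minor, patch)


def assess_version(git_version: str,
                   patched: Dict[Tuple[int, int], Version]) -> Dict[str, str]:
    """Classify a version as vulnerable, patched, end-of-life, or not covered by the table."""
    parsed = parse_version(git_version)
    if parsed is None:
        return {"status": "unparseable", "detail": f"cannot parse {git_version!r}"}
    line = parsed[:2]
    oldest, newest = min(patched), max(patched)
    if line < oldest:
        # No patched release exists on this minor line; only a minor upgrade helps.
        return {"status": "end-of-life",
                "detail": f"{fmt(parsed)} has no patched release on its line",
                "upgrade_to": fmt(patched[oldest])}
    if line > newest:
        # Newer than anything in the table: verify against the advisory, do not assume safe.
        return {"status": "not-listed",
                "detail": f"{fmt(parsed)} is newer than the table; confirm with the advisory"}
    minimum = patched[line]
    if parsed < minimum:  # tuple comparison is lexicographic, so 1.12.2 < 1.12.4
        return {"status": "vulnerable",
                "detail": f"{fmt(parsed)} is below patched release {fmt(minimum)}",
                "upgrade_to": fmt(minimum)}
    return {"status": "patched", "detail": f"{fmt(parsed)} is at or above {fmt(minimum)}"}


def assess_version_response(body: str,
                            patched: Dict[Tuple[int, int], Version]) -> Dict[str, str]:
    """Run the assessment on the raw JSON body returned by the /version endpoint."""
    info = json.loads(body)
    return assess_version(info.get("gitVersion", ""), patched)


if __name__ == "__main__":
    print(assess_version_response(SAMPLE_VERSION_RESPONSE, SAMPLE_PATCHED_MINIMUMS))
```

The "upgrade_to" field is the piece an auto-remediation step would consume: it names the smallest patch release on the cluster's current minor line, which is the least disruptive upgrade that closes the gap. Versions older than every line in the table are reported separately, because the only fix there is a minor-version upgrade rather than a patch.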
cc: @bikebilly @plafoucriere @danielgruesso
What does success look like, and how can we measure that?
(If no way to measure success, link to an issue that will implement a way to measure this)