Kubernetes: A Dilemma in the Geopolitical Tech Race
Publication: China Brief Volume: 24 Issue: 17
By:
Executive Summary:
- US-sanctioned Huawei has significant influence in the Cloud Native Computing Foundation and its open-source platform Kubernetes, which underpins US military platforms, including F-16 fighter jets and nuclear infrastructure.
- The use of open-source technologies in critical systems raises concerns. Despite US efforts to mitigate risks, Kubernetes remains tempting to exploit for attackers.
- Open source fosters global innovation, from which the United States benefits. But this same openness also strengthens US competitors. The United States should therefore develop a clear framework to understand and mitigate the challenges posed by open source.
To date, open-source technologies have remained an area of cooperation between the United States and the People’s Republic of China (PRC). This comes despite worsening geopolitical tensions that have impacted or even severed cooperation in other technological domains. Kubernetes, an open-source platform, presents an unusual case of cooperation. It has been widely adopted not just in commercial industries but also in sensitive areas like US military systems. It is even used in F-16 fighter jets and nuclear infrastructure. On the PRC side, tech giants like Huawei that face sanctions from the United States, are major contributors to the platform and beneficiaries of its development.
While open source offers advantages over closed source systems, its use in critical systems and by US competitors are not without risks. The presence of state-affiliated companies from the PRC in the management and built environment of Kubernetes compounds those potential problems. Given the platform’s centrality and widespread use, however, it is unlikely to be replaced by an alternative any time soon. This suggests that risks surrounding Kubernetes’s use will need to be managed carefully.
Kubernetes Underpins Global Software Companies
Kubernetes, often called K8s, is an open-source platform developed by Google and now managed by the Cloud Native Computing Foundation (CNCF). CNCF also holds the trademark for Kubernetes. The platform is analogous to a highly efficient orchestral conductor. It automatically configures, coordinates, and manages containers—small, isolated environments for running applications. To extend the analogy, containers are akin to individual musicians, each playing their discrete part. Kubernetes ensures that the containers all perform in harmony, whether the “orchestra” is running in the cloud, a private data center, or both (Mirantis, last accessed August 16; Google Cloud, accessed August 19). If a container fails, Kubernetes steps in and quickly replaces it without interrupting the performance. This enables applications to run reliably and efficiently across different environments, whether they are small internal apps or massive AI workloads, such as those seen in the finance, telecommunications, and healthcare industries.
Kubernetes has a wide range of use cases. It is common in multi-cloud environments, making applications portable across cloud providers like Amazon, Azure, and Google Cloud. Major international platforms such as Spotify and Adobe have also migrated their services to Kubernetes in recent years (Altoros, May 18, 2021, September 27, 2021). As of this year, it is used by over 50,000 companies globally, 60 of whom depend on it to manage their cloud infrastructure (Bacancy, June 18). Its versatility and ability to streamline operations make it a backbone for digital infrastructure, powering everything from basic web services to advanced machine learning applications.
The Pentagon’s Embrace of Kubernetes
The US Department of Defense (DoD) has integrated Kubernetes into its software modernization strategy. This includes deploying it in mission-critical environments such as managing the software for F-16 fighter jets. the US Air Force’s Chief Software Officer from May 2018 to October 2021, has applauded Kubernetes and led 37 teams within DoD that built applications on top of the system. In a 2020 interview with CNCF, Chaillan said, “We have teams doing this at every side of the weapons systems, from the space systems to the nuclear systems to the jets” (CNCF, May 5, 2020, May 7, 2020). Kubernetes also enables rapid updates, secure management of systems, and scaling of computational resources during missions—capabilities that are crucial for modern military operations.
The DoD has made Kubernetes a critical component of its DevSecOps strategy, a modern approach that enables agile and secure software delivery. The use of Kubernetes offers advantages, such as the ability to implement immutable infrastructure, continuously reconcile system configurations, and manage multi-cluster environments effectively (DOD, March 2021). These features help DoD in navigating the complex environments of disconnected, tactical, and highly secured networks, where cloud-native operations must be resilient against near-peer threats. Kubernetes provides the flexibility to securely manage distributed applications, even in constrained environments.
PRC Firms Involved in Kubernetes’s Governance
PRC tech companies are heavily involved in the development and shaping of Kubernetes’ built environment. CNCF, as the governing body behind Kubernetes, promotes the growth and sustainability of cloud-native technologies. Its mission is to build and maintain a robust ecosystem for the technologies it hosts, which involves a global community of contributors, including large corporations like Huawei and Alibaba. Both firms hold “Platinum Membership” within CNCF, the highest tier available. Kevin Wang, lead of Huawei’s cloud-native open-source team, also serves on the CNCF’s technical oversight committee (CNCF, accessed August 16). This allows them significant input into the direction and governance of Kubernetes and other cloud-native technologies (CNCF, accessed August 16).
Huawei and Alibaba’s influence within CNCF may enable them to shape the technology in accordance with their own interests. Chris Aniszczyk, the Chief Technology Officer of CNCF, has stated that the PRC has contributed more to CNCF projects than any other country or region outside the United States between 2023 and the organization’s founding in 2015. In total, the PRC has accounted for 9 percent of contributions in all time and 20 percent of current foundation’s project (ComputerWeekly, August 22; CNCF, last accessed August 16). He further pointed out that many leading open-source projects in China originate from companies aiming to expand internationally by contributing to the CNCF (ComputerWeekly, August 22).
Meanwhile, Huawei’s Chief Software Architect and Community Director for Open Source, Hou Peixin (侯培新), has claimed that Huawei is now the biggest contributor to the Kubernetes community. He believes that the more Huawei contributes, the greater the benefits they receive will be (Kubernetes, last accessed August 16). Hou has stated that Huawei’s adoption of Kubernetes led to substantial improvements in company’s efficiency, cutting operating expenses by 20-30 percent and thereby spurring greater investment in the technology (Kubernetes, last accessed August 16).
Over the years, Huawei has claimed that it has participated in Kubernetes’ steering committee and in more than ten special interest groups to guide the project, including federation, architecture, and resource management and container policy. Huawei was also one of the first companies to receive the Kubernetes Certified Service Provider (KCSP) certification (Huawei, October 30, 2017). Huawei also plays a significant role in driving KubeEdge, a project that enables the effective use of Kubernetes in edge computing, aimed at enhancing the operation of critical infrastructure and satellite systems in China (KubeEdge, accessed August 16).
However, it is not the only prominent PRC firm involved. ByteDance, whose subsidiary TikTok has raised national security concerns in the West, employs an individual who acts as one of four principal organizers of the Kubernetes Serving Working Group, which works to enhance Kubernetes’ support for AI inference serving (Github, last accessed August 16). The existing Kubernetes Steering Committee, responsible for the project’s governance and oversight, also includes members from DaoCloud, a leading PRC cloud service provider that plays a crucial role in advancing Kubernetes’s implementation and governance, particularly in the cloud-native ecosystem (Github, last accessed August 16).
PRC Policy Seeks to Exploit and Harness Open-Source Technology
The PRC has made open-source technology a focus of its innovation policy. In March 2021, the PRC’s 14th Five-Year Plan became the first to explicitly reference open-source technology. This underscored the government’s commitment to fostering open-source communities to drive digital innovation (Xinhua, March 13, 2021). The PRC aims to elevate its status from a “major open-source player (开源大国)” to a “strong open-source nation (开源强国).” This is a vision articulated by Ni Guangnan (倪光南), a prominent scientist at the Chinese Academy of Engineering (Shanghai Observer, May 27, 2023). This strategy dovetails with the PRC’s broader ambition of becoming self-reliant in critical technologies, reducing its dependence on foreign software, and potentially using open-source tools for both commercial and military purposes (Reuters, May 30).
Meanwhile, the PRC’s intelligence community has been systematically studying and exploiting loopholes in open-source technologies such as RISC-V (see China Brief, December 15, 2023; May 24). It has also been leveraging open-source technologies’ openness to weaponize them against the United States (CISA, August 20, 2021). For instance, state-sponsored organizations like advanced persistent threat groups (APT) APT27 and APT41 have specifically targeted Linux vulnerabilities in cloud services and enterprise systems (TechMonitor, March 2, 2023; Google Cloud, August 7, 2019). These groups often manipulate open-source projects, inserting malicious code or exploiting known flaws before they can be patched.
The PRC’s military sector has also discussed the potential of leveraging Kubernetes. In 2023, experts from China Electronics Technology Group’s (CETG) (中国电子科技集团) 28th unit published a research paper detailing the development of a military-grade intelligence annotation system that leverages machine learning and Kubernetes to enhance the efficiency of handling large volumes of data [1]. CETG’s 28th unit is the sole domestic research unit capable of managing joint operations and developing, maintaining, and servicing command systems for all the PLA’s military branches and theater commands. (Sohu, August 2)
In the commercial domain, Huawei has been leveraging Kubernetes to strengthen its cloud capabilities and expand global footprints (Outh, August 28; Volcano, last accessed August 16). Recently, Huawei’s cloud services have expanded across the Middle East and Central Asia. In total, it has a presence in over 170 countries worldwide (EastMoney, June 20; Huawei, November 7, 2023). At the Huawei Cloud Summit Egypt 2024, Huawei became the first global provider to launch a public cloud node in Cairo, positioning Egypt as a digital hub for North and Central Africa (Huawei, May 22). The company entered the Russian market in 2018, becoming the country’s first public cloud provider from the PRC and quickly solidifying its leadership through localized services and compliance expertise (FromGeek, March 22, 2019).
The US government has raised concerns that relate to cloud services. These are based on fears that interconnected cloud services could enhance the PRC’s capabilities in areas such as AI training and potentially sensitive technologies like nuclear systems (Outh, August 28; AsiaTimes, July 19; The New York Times, June 21, 2023). As the PRC successfully harnesses Kubernetes and other open-source platforms to strengthen its cloud capabilities, this could undermine the efficacy of current US export controls aimed at delaying the PRC’s technological advancement.
US Government Persists but Mitigates Risks
Both the public and private sectors increasingly rely on Kubernetes, which has turned the platform into a critical piece of global software infrastructure. As its role grows, so does its appeal as a target for attackers seeking to disrupt international supply chains through large-scale cyberattacks.
Russia’s military has targeted Kubernetes as well. The Kremlin’s military intelligence agency, the Main Directorate of the General Staff (GRU), was found to have used a Kubernetes cluster to conduct large-scale brute-force attacks targeting US government systems, including those of the DoD between 2019 and 2021 (NSA, July 2021).
Governments are nevertheless drawn to Kubernetes as it offers undeniable advantages in managing complex, large-scale applications. However, this does not necessarily make it the wisest option for underpinning advanced weapons systems. Research has exposed further risks posed by an overreliance on Kubernetes. In 2023, PRC researchers published a paper on the risk presented by third-party add-ons with excess permissions in Kubernetes environments. They demonstrated that one-third of such apps in CNCF have security risks. They also discovered that the Kubernetes services of the top four cloud vendors are vulnerable to these type of permission attacks. For reporting these issues, the researchers received a bounty from Google—standard practice in the open-source community to incentivize the discovery of vulnerabilities in order to patch them (DL, November 21, 2023).
Earlier this year, Microsoft discovered a critical flaw in Azure Kubernetes Services (AKS) (Microsoft, April 17). Attackers were able to elevate their own privileges and access sensitive credentials, potentially leading to severe data breaches and financial losses. In August, Google discovered that an attacker with access to a vulnerable Azure Kubernetes Services cluster could grant themselves elevated privileges and retrieve credentials for other services in the cluster. Similar attacks in the future could lead to further data theft, financial loss, and other serious impacts (Google, August 19).
US programs and policy guidelines such as the Cybersecurity & Infrastructure Security Agency’s (CISA) Open Source Software Security Roadmap 2023 and the National Security Agency’s Kubernetes Hardening Guidance also focus on mitigating risks in this way (CISA, September 12, 2023; NSA, March 15, 2022). CISA’s roadmap highlights the federal government’s role in enhancing open-source security, outlining strategies such as reducing risks to critical infrastructure and establishing visibility into software usage. Similarly, following the Russian GRU’s brute-force attacks on US systems via Kubernetes, the NSA’s guidance proposes security measures for Kubernetes environments such as scanning for vulnerabilities, enforcing strict authentication, and implementing network segmentation. It remains to be seen how effective these measures are.
As Google cybersecurity subsidiary Mandiant contends, “Kubernetes can be difficult to harden” (Mandiant, August 19). Incidents where Kubernetes has been found vulnerable serve as a reminder that even sophisticated, well-developed open-source systems are not immune to security breaches.
Conclusion
The openness that fuels innovation and benefits nations can also expose them to security risks. The US government has begun to investigate the risks of PRC’s use of open-source technologies, beginning with RISC-V, an instruction set architecture for chips (Reuters, April 23; for more on RISC-V, see China Brief, December 15, 2023). The rise in Kubernetes’s prevalence and the close involvement of entities linked to the PRC with the CNCF suggests that these investigations will continue. The more government systems rely on open source tech, the more politicized the technology is likely to become, as the suspension of Russian developers working for sanctioned companies by GitHub in 2022 indicates (Bleeping Computer, April 16, 2022).
There are no easy answers to the problems that open-source technologies pose in an era of geopolitical competition. Governments will have to continue to weigh the benefits of the technology against the potential risks, and then to compare that against alternative, closed-source systems, especially in critical and sensitive systems. While there is no suggestion that Kubernetes will become any less central, it is necessary that increased attention be paid to how open-source platforms represent a double-edged sword for both the United States and its rivals. As technology evolves, so too must the frameworks for understanding and managing subsequent risks.
Notes
[1] Chen, Mengmeng. “Design and Implementation of Intelligent Annotation System in Field of Military Public Opinion.” Industrial Control Computer, vol. 4, 2023, pp. 125-128.