CRA for Kubernetes Platforms
If you sell a Kubernetes-based platform, whether a distribution, managed service, or enterprise product, the CRA applies to your entire stack. Here's what needs attention.
Your CRA Attack Surface
Your Kubernetes Product:
├── Container Runtime (containerd/CRI-O): Class II (EN 304 635)
├── Linux Kernel/OS: Class I (EN 304 626)
├── Networking Stack (CNI): Potentially Class I (EN 304 625)
├── Ingress/Gateway: Potentially Class I
├── Security Components: Potentially Class II
├── Management UI: Default Product
└── CLI Tools: Default Product

The Manufacturer Question
You are the manufacturer if you:
- Package and distribute the Kubernetes platform
- Place it on the EU market under your brand
- Provide commercial support
Even if 90% of your platform is upstream open source, you are responsible for CRA compliance of the complete product you place on the market, including due diligence on every third-party component you integrate.
Key Compliance Areas
1. SBOM for the Entire Stack
# Generate SBOMs at every layer. The CRA (Annex I, Part II) requires an SBOM in a
# commonly used, machine-readable format covering at least the top-level
# dependencies; CycloneDX JSON satisfies that.
# OS layer
syft registry.internal/platform-os:latest -o cyclonedx-json > os-sbom.json
# Kubernetes components
syft registry.internal/kube-apiserver:v1.32 -o cyclonedx-json > k8s-sbom.json
# Your application components
syft registry.internal/platform-console:v4.0 -o cyclonedx-json > console-sbom.json
# Merge into a single product SBOM with cyclonedx-cli. The merge options are
# --input-files and --output-file; add --hierarchical if you want each layer kept
# as a subcomponent instead of flattened into one component list.
cyclonedx merge --input-files os-sbom.json k8s-sbom.json console-sbom.json \
  --output-file product-sbom.json

2. Vulnerability Response Across Layers
class KubernetesPlatformVulnHandler:
    """Sketch of a cross-layer vulnerability handler. The helpers it calls
    (identify_affected_layer, get_bundled_version, is_affected,
    start_enisa_reporting, trigger_patch_build) are not shown here."""

    # Upstream advisory feeds to watch, one per layer you bundle.
    UPSTREAM_SOURCES = {
        "kubernetes": "https://kubernetes.io/docs/reference/issues-security/",
        "containerd": "https://github.com/containerd/containerd/security",
        "linux": "https://www.kernel.org/category/releases.html",
    }

    async def handle_upstream_cve(self, cve):
        # Determine which layer is affected
        layer = self.identify_affected_layer(cve)
        # Check if we've integrated the affected version
        our_version = await self.get_bundled_version(layer)
        if self.is_affected(our_version, cve):
            # Start the CRA reporting clock if the vulnerability is actively
            # exploited: Article 14 gives 24 hours for the early warning and
            # 72 hours for the vulnerability notification, submitted through the
            # single reporting platform to your CSIRT coordinator and ENISA.
            if cve.is_exploited:
                await self.start_enisa_reporting(cve)
            # Build patched version
            await self.trigger_patch_build(layer, cve)

3. Security by Design for Platform Components
# Pod Security Standards (enforce on your platform pods). This is the PodSecurity
# admission plugin configuration; it is embedded under plugins[].configuration in
# an AdmissionConfiguration file loaded by kube-apiserver via
# --admission-control-config-file.
apiVersion: pod-security.admission.config.k8s.io/v1
kind: PodSecurityConfiguration
defaults:
  enforce: restricted
  enforce-version: latest
  audit: restricted
  audit-version: latest
exemptions:
  namespaces:
    # Platform components may need elevated privileges. An exempted namespace
    # skips enforce, audit and warn entirely, so pods in it need their own
    # review and compensating controls.
    - kube-system

Practical Steps
- Map your components to CRA classifications
- Identify your manufacturer role: are you the entity placing the product on the market under your name or brand?
- Build layered SBOMs: OS, runtime, K8s, your code
- Monitor ALL upstreams: Kubernetes, containerd, Linux kernel CVEs
- Document your security architecture: the CRA requires technical documentation
- Plan for third-party assessment: Class II components require it, and Class I components can be self-assessed only if you apply the relevant harmonised standards in full
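Sections 1 and 2 above show the layered SBOM and the upstream-CVE triage only in outline, and the steps just listed tie them together. The following is an added example, not code from the original post or from any project named on this page: it merges constructed per-layer CycloneDX SBOM fragments into one product SBOM deduplicated on purl, checks the merged components against a constructed OSV-style advisory with introduced/fixed version ranges, and, when the advisory is flagged as actively exploited, computes the CRA Article 14 clocks (24-hour early warning and 72-hour vulnerability notification from the moment you become aware; the final report is due 14 days after a corrective or mitigating measure is available). The SBOM contents, the advisory identifier EXAMPLE-2025-0001, the awareness timestamp and all function names are assumptions made up for illustration.

```python
# Added example (not code from the original post): merge per-layer SBOMs into one
# product SBOM and triage an upstream advisory against it. All data is constructed.
from __future__ import annotations

import json
from datetime import datetime, timedelta, timezone
from typing import Iterable, Optional

def component(name: str, version: str, purl: str) -> dict:
    return {"name": name, "version": version, "purl": purl}

# Constructed per-layer CycloneDX SBOMs, trimmed to the fields used here.
OS_SBOM = {"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
    component("linux", "6.6.18", "pkg:generic/linux@6.6.18"),
    component("openssl", "3.0.13", "pkg:deb/debian/openssl@3.0.13")]}
RUNTIME_SBOM = {"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
    component("containerd", "1.7.12", "pkg:golang/github.com/containerd/containerd@v1.7.12"),
    component("runc", "1.1.11", "pkg:golang/github.com/opencontainers/runc@v1.1.11"),
    # Same openssl as the OS layer: the merge must not count it twice.
    component("openssl", "3.0.13", "pkg:deb/debian/openssl@3.0.13")]}
K8S_SBOM = {"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
    component("kube-apiserver", "v1.32.0", "pkg:golang/k8s.io/kubernetes@v1.32.0")]}

# Constructed advisory in OSV shape; the id is a placeholder, not a real CVE.
ADVISORY = {"id": "EXAMPLE-2025-0001", "exploited": True, "affected": [{
    "package": {"purl": "pkg:golang/github.com/containerd/containerd"},
    "ranges": [{"events": [{"introduced": "1.7.0"}, {"fixed": "1.7.14"}]}]}]}
# Constructed time at which the platform team became aware of the advisory.
AWARE_AT = datetime(2025, 1, 15, 9, 0, tzinfo=timezone.utc)

def merge_sboms(sboms: Iterable[dict]) -> dict:
    """Combine layer SBOMs into one product SBOM, deduplicating on purl."""
    seen: dict[str, dict] = {}
    for sbom in sboms:
        for comp in sbom.get("components", []):
            seen.setdefault(comp.get("purl") or f"{comp['name']}@{comp['version']}", comp)
    return {"bomFormat": "CycloneDX", "specVersion": "1.5", "components": list(seen.values())}

def parse_version(version: str) -> tuple[int, ...]:
    """'v1.32.0', '1.7.12-rc1' and '6.6.18+build' all reduce to int tuples."""
    core = version.lstrip("v").split("-")[0].split("+")[0]
    return tuple(int(part) for part in core.split("."))

def is_affected(version: str, ranges: list[dict]) -> bool:
    """OSV semantics: affected if introduced <= version < fixed; an 'introduced'
    with no following 'fixed' means no fixed version exists yet."""
    ver = parse_version(version)
    for rng in ranges:
        introduced: Optional[tuple[int, ...]] = None
        for event in rng["events"]:
            if "introduced" in event:
                introduced = parse_version(event["introduced"])
            elif "fixed" in event and introduced is not None:
                if introduced <= ver < parse_version(event["fixed"]):
                    return True
                introduced = None
        if introduced is not None and introduced <= ver:
            return True
    return False

def affected_components(sbom: dict, advisory: dict) -> list[dict]:
    """Match advisory packages to components on the purl without its version."""
    hits = []
    for aff in advisory["affected"]:
        pkg = aff["package"]["purl"]
        for comp in sbom["components"]:
            if (comp.get("purl", "").split("@", 1)[0] == pkg
                    and is_affected(comp["version"], aff["ranges"])):
                hits.append(comp)
    return hits

def cra_deadlines(aware_at: datetime, fix_available_at: Optional[datetime] = None) -> dict:
    """CRA Article 14 clocks for an actively exploited vulnerability: early warning
    24h and vulnerability notification 72h after becoming aware of it; the final
    report is due 14 days after a corrective or mitigating measure is available."""
    return {"early_warning": aware_at + timedelta(hours=24),
            "notification": aware_at + timedelta(hours=72),
            "final_report": fix_available_at + timedelta(days=14) if fix_available_at else None}

def triage(advisory: dict, sbom: dict, aware_at: datetime) -> dict:
    """Return affected purls and, if the advisory is actively exploited, the deadlines."""
    hits = affected_components(sbom, advisory)
    exploited = bool(hits) and bool(advisory.get("exploited"))
    return {"advisory": advisory["id"], "affected": [c["purl"] for c in hits],
            "deadlines": cra_deadlines(aware_at) if exploited else None}

def run_example() -> dict:
    product = merge_sboms([OS_SBOM, RUNTIME_SBOM, K8S_SBOM])
    return {"component_count": len(product["components"]),
            "triage": triage(ADVISORY, product, AWARE_AT)}

if __name__ == "__main__":
    print(json.dumps(run_example(), indent=2, default=str))
```

Run it and the merged SBOM has five components (the duplicated openssl collapses to one), containerd 1.7.12 falls inside the [1.7.0, 1.7.14) range and is reported as affected, and because the advisory is marked exploited the 24-hour and 72-hour deadlines are filled in while the final-report deadline stays empty until a fix date is known. In a real pipeline the SBOM inputs come from the syft/cyclonedx step in section 1 and the advisory from the upstream feeds in section 2; the version matching here is plain dotted-integer comparison and does not handle distro-specific epochs or Debian/RPM revision suffixes.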
Building a Kubernetes platform for the EU market? I help organizations navigate CRA compliance. Get in touch.
