Penetration Testing Reports
ARK undergoes regular security assessments to identify and address potential vulnerabilities in the platform. Note that as per our Disclaimer, security is the responsibility of the operator and user. However, we regularly run assessments to ensure that we enable standard K8S security approaches.
If there are questions on these topics please open an issue and we aim to reply in short-notice.
Report Overview
Penetration testing reports provide detailed analysis of security findings, recommended mitigations, and implementation status for identified vulnerabilities.
Pentest #1
- Assessment Period: July - August 2025
- Remediation Status: August 19, 2025
- Overall Risk Level: Medium-Low, remediated to Low
| Risk Level | Count | Status |
|---|---|---|
| Critical | 0 | - |
| High | 0 | - |
| Medium | 1 | Remediated to Low |
| Low | 3 | Mixed |
| Informational | 2 | Open |
M1. Overly Permissive RBAC Roles
Service accounts had excessive cluster-wide permissions.
Resolution - Partly Remediated
Cluster roles replaced with namespace-specific roles.
Some elevated permissions remain for the Ark MCP service and Ark API service to allow them to directly access the Kubernetes APIs to modify resources such as Agents.
Additional security improvements in progress.
L1. Missing Network Policies
No network segmentation between components
Resolution - Partly Remediated
Policies implemented for ark-system namespace. Default namespace will be a cluster administrator responsibility, operational guides are being updated and additional testing is ongoing.
L2. Container Security Hardening
Missing security configurations across services.
Resolution - In Progress
Privilege escalation prevention, non-root users, read-only filesystems.
L3. No Authentication Documentation for Dashboard
Dashboard and API services lack authentication documentation.
Status - Accepted Risk - Mitigated by local-only deployment design. However, optional OIDC integration is in progress.
IN1. Unencrypted HTTP
Services use HTTP instead of HTTPS.
Status - Accepted Risk
Low impact due to local deployment model. However, service mesh with cert-manager will be updated so that all traffic even in local development mode will be via SSL.
IN2. Missing Security Headers
Dashboard lacks protective HTTP headers.
Status - Open
Content-Security-Policy and security headers needed. Fix in progress.