DevOps teams started using containers and Kubernetes in test/dev environments. Over the past couple of years, their use has grown and there is significant container and Kubernetes growth in production environments as well. DevOps teams are now adopting containers across the software development lifecycle.
This leads us to one glaring question:
How secure is our shiny new Kubernetes environment?
According to a Cloud Native Computing Foundation (CNCF) survey, complexity, culture, training, and security are all challenges for organizations around containers.
In December 2018, the Kubernetes world was rocked by the discovery of the first major security flaw in Kubernetes. The vulnerability – CVE-2018-1002105 – enables attackers to compromise clusters via the Kubernetes API server, allowing them to run code and perform malicious activity such as installing malware.
In early 2018 researchers at security firm RedLock said hackers accessed one of Tesla’s Amazon cloud accounts and used it to run currency-mining software. The initial point of entry for the Tesla cloud breach, Tuesday’s report said, was an unsecured administrative console for Kubernetes. “The hackers had infiltrated Tesla’s Kubernetes console which was not password protected,” RedLock researchers wrote. “Within one Kubernetes pod, access credentials were exposed to Tesla’s AWS environment which contained an Amazon S3 (Amazon Simple Storage Service) bucket that had sensitive data such as telemetry.”
As organizations accelerate their adoption of containers and container orchestrators, they will need to take the necessary steps to protect such a critical part of their compute infrastructure. To help in this endeavor, check out these nine Kubernetes security best practices, based on customer input, that you should follow to help protect your infrastructure.
Ajmal Kohgadai from our Kubernetes security partner StackRox put out a terrific blog earlier this year that summarizes the “Top 7 Container Security Use Cases for Kubernetes Environments”. Below is a brief summary.
- Vulnerability Management: Most organizations start with vulnerability management – the challenge is to quickly move beyond the limited value provided by image scanning. Organizations must also identify vulnerabilities in Kubernetes, and they need a way to quickly pinpoint newly discovered vulnerabilities in already running deployments. Start with vulnerability management, but demand more than image scanning for this use case.
- Visibility: As the second most often-cited security use case, visibility into your container and Kubernetes environments is at the root of being able to properly secure that environment. Only when your security tooling is fully embedded into Kubernetes can you understand your cloud-native infrastructure, including images, containers, pods, namespaces, clusters, and network policies. You need insights into how each is configured and whether they’re compliant with industry standards and your internal security policies.
- Configuration Management: Misconfigurations pose the greatest security risk to containers and Kubernetes. In today’s DevOps-driven environment, configuration management must be as automated and streamlined as possible for it to not slow down application deployment.
- Compliance: DevOps moves fast and relies on automation for continuous improvement, so organizations need a compliance solution built to complement – not inhibit – the pace of business. You need to not only adhere to industry compliance requirements but also show evidence of that compliance. You should be able to show which clusters, nodes, or namespaces are compliant with all the individual controls relevant in container and Kubernetes environments from frameworks including CIS benchmarks for Docker and Kubernetes, PCI, HIPAA, and NIST SP 800-190. And it should be dead simple to run on-demand compliance checks and export evidence of compliance that meets auditors’ needs.
- Runtime Threat Detection: According to our report, runtime is the life cycle phase that customers are most worried about. The security goal in this phase is to detect and respond to malicious activity in an automated and scalable way while minimizing false positives and alert fatigue. Kubernetes offers rich declarative data around images and deployments that delivers valuable context when assessing runtime behavior. Leverage this context to more accurately differentiate between simple anomalies and true threats, and use Kubernetes-native enforcement capabilities to mitigate runtime threats in the most automated and scalable manner.
- Network Segmentation: Containers pose a unique networking challenge because containers communicate with each other across nodes and clusters (east-west traffic) and outside endpoints (north-south traffic). Kubernetes provides built-in capabilities that enable network segmentation. Leverage those native controls to ensure consistent, portable, and scalable network segmentation regardless of your CNI plugin or Kubernetes distribution. Using the segmentation inherent in Kubernetes ensures that security and DevOps see and act on a single source of truth and consistent information to restrict access and reduce the blast radius.
- Risk Profiling and Prioritization: In sprawling Kubernetes environments, manually triaging security incidents and policy violations is time consuming and prone to exacerbating alert fatigue. A better approach is to use the declarative contextual data in your Kubernetes environment to assess risk across all your deployments. Instead of looking at vulnerabilities and CVSS scores alone, understand true risk in your environment and prioritize which security issues should be fixed first. As an example, a deployment containing a vulnerability with a severity score of 7 or greater should be moved up in remediation priority if that deployment contains privileged containers and is open to the Internet but down if it’s in a test environment and supporting a non-critical app.
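To make the network segmentation point concrete, here is an added example (not code from the original post or from StackRox) that models how Kubernetes evaluates NetworkPolicy ingress rules against a pod, using constructed policies and pod labels; it only models `podSelector` peers, leaving out `namespaceSelector` and `ipBlock`.

```python
# Added example (not from the original post): a simplified model of how
# Kubernetes evaluates NetworkPolicy ingress rules, to show why a namespace-wide
# default-deny policy is the usual starting point for east-west segmentation.
# Only podSelector/matchLabels peers are modelled; namespaceSelector and
# ipBlock peers are left out for brevity.

def selects(selector, labels):
    """A matchLabels selector matches when every key/value pair is present."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())

def ingress_allowed(policies, src_labels, dst_labels, port):
    """True if traffic from src to dst:port is permitted.
    Kubernetes semantics: a pod selected by no policy accepts all ingress;
    once any policy selects it, only explicitly allowed traffic gets in,
    and allow rules are additive across policies."""
    applicable = [p for p in policies if selects(p["podSelector"], dst_labels)]
    if not applicable:
        return True  # unrestricted: nothing selects the destination
    for pol in applicable:
        for rule in pol.get("ingress", []):
            peers, ports = rule.get("from", []), rule.get("ports", [])
            # An empty "from" matches every source; an empty "ports" every port.
            from_ok = not peers or any(
                selects(pe["podSelector"], src_labels) for pe in peers if "podSelector" in pe)
            port_ok = not ports or any(pp.get("port") == port for pp in ports)
            if from_ok and port_ok:
                return True
    return False

# Constructed policies in the dict form of a NetworkPolicy spec.
DEFAULT_DENY = {"podSelector": {}, "ingress": []}  # selects every pod, allows nothing
ALLOW_WEB_TO_DB = {
    "podSelector": {"matchLabels": {"app": "db"}},
    "ingress": [{"from": [{"podSelector": {"matchLabels": {"app": "web"}}}],
                 "ports": [{"port": 5432}]}],
}
WEB, DB, BATCH = {"app": "web"}, {"app": "db"}, {"app": "batch"}

def demo():
    segmented = [DEFAULT_DENY, ALLOW_WEB_TO_DB]
    return (
        ingress_allowed([], BATCH, DB, 5432),         # True: no policy restricts db
        ingress_allowed(segmented, WEB, DB, 5432),    # True: explicitly allowed
        ingress_allowed(segmented, BATCH, DB, 5432),  # False: blast radius contained
        ingress_allowed(segmented, WEB, DB, 22),      # False: wrong port
    )
```

The first result shows the trap the text warns about: with no policy selecting a pod, everything in the cluster can reach it.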
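The prioritization rule in the last bullet, worked through as an added example (not the post's or StackRox's code): severity stays the base, but privileged containers and Internet exposure push a deployment up, while a non-critical test deployment moves down. The weights and the inventory records are constructed for illustration.

```python
# Added example (not from the original post): a small risk-scoring routine that
# applies the prioritization described above. Weights are illustrative, not
# from any product; the Deployment records are constructed sample data.
from dataclasses import dataclass

@dataclass
class Deployment:
    name: str
    max_cvss: float                 # highest CVSS score among its images' CVEs
    privileged: bool = False        # any container with securityContext.privileged
    internet_exposed: bool = False  # reachable from outside the cluster
    environment: str = "prod"       # "prod" or "test"
    critical: bool = True           # business-critical application

def risk_score(d: Deployment) -> float:
    """Combine vulnerability severity with Kubernetes-derived context."""
    score = d.max_cvss
    if d.max_cvss >= 7.0:
        # Serious CVE: privilege and exposure each amplify the impact.
        if d.privileged:
            score *= 1.5
        if d.internet_exposed:
            score *= 1.5
    if d.environment == "test" and not d.critical:
        score *= 0.25  # same CVE, far less business risk
    return score

def prioritize(deployments):
    """Deployment names ordered from most to least urgent to remediate."""
    return [d.name for d in sorted(deployments, key=risk_score, reverse=True)]

# Constructed inventory: all three carry the same 7.5 CVSS vulnerability,
# so severity alone would give no ordering at all.
INVENTORY = [
    Deployment("test-batch", 7.5, environment="test", critical=False),
    Deployment("internal-api", 7.5),
    Deployment("edge-proxy", 7.5, privileged=True, internet_exposed=True),
]
```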
Following these recommendations will make for a more secure Kubernetes environment. After you follow these suggestions, you will still need to build security into other aspects of your container configurations and runtime operations. As you improve the security of your tech stack, look for tools that provide a central point of governance for your container deployments and deliver continuous monitoring and protection for your containers and cloud-native applications.
Kubernetes Security – 10 Things You Should Be Doing Webinar
Kubernetes has empowered organizations to build, deploy, and scale applications faster and more efficiently. However, if you are not actively addressing the security challenges in your Kubernetes environments, you are putting your business-critical applications at risk. Whether you’re using a cloud provider’s managed Kubernetes service (EKS, AKS, GKE), a Kubernetes distribution (Red Hat OpenShift), or self-managing your clusters, you must protect your containerized applications throughout the application life cycle.
Author Bio: Joe Goldberg is the Senior Cloud Program manager at CCSI. Over the past 15+ years, Joe has helped companies to design, build out, and optimize their network and data center infrastructure. As a result of his efforts, major gains in ROI have been realized through virtualization, WAN implementation, core network redesigns, and the adoption of cloud services. Joe is also ITIL certified.