Editor’s notice: For extra concerning the sorts of vulnerabilities Kubernetes presents and find out how to deal with them, learn our companion article in The Edge.
Since its preliminary launch in 2014, Kubernetes (aka K8s) has grow to be the usual open supply container instrument for managing software program purposes. Kubernetes is cost-effective, affords autoscaling, and may run on any infrastructure. Its advantages are why 85% of IT leaders contemplate Kubernetes “extraordinarily essential” to cloud-native methods. On prime of this, 61% of individuals use Kubernetes to handle their pc utility deployment.
Funso Richard, data safety officer at Ensemble, tells Darkish Studying that “forward-thinking organizations perceive the significance of leveraging containerized microservices to develop scalable and dependable purposes as an important digital transformation technique” — and Kubernetes has grow to be the main instrument used to realize this technique, he provides.
Nevertheless, Kubernetes additionally comes with safety challenges: It is prone to information theft, computational energy theft, and denial-of-service (DoS) assaults. Kubernetes’ public elements (corresponding to kubelets and API authentication) are extensively exploited. And risk actors goal infrastructure misconfiguration, unpatched software program applications, and poor login credentials to achieve unauthorized entry to Kubernetes. The vulnerabilities are additionally widespread. Based on Crimson Hat’s “2022 State of Kubernetes” safety report, 93% of Kubernetes customers skilled at the least one safety incident previously 12 months.
As DevOps groups proceed to grapple with rising Kubernetes safety mishaps, listed here are just a few methods to remain forward of attackers and hold cloud-native environments safe.
Securing Kubernetes With Instruments
Kubernetes’ safety vulnerability impacts its effectivity. For example, issues over Kubernetes safety triggered builders to delay utility rollouts in 2022, based on Crimson Hat. Though Kubernetes supplies a number of advantages in utility improvement and container orchestration, says Richard, insufficient safety controls expose the open supply instrument to critical safety issues like misconfiguration, privilege abuse, information exfiltration, credential compromise, exploited public-facing elements, and API vulnerabilities. To deal with these, a number of Kubernetes safety instruments have sprung up, together with Kubescape, Kube-bench, Kubeaudit, Kube-hunter, and Kyverno.
Kubescape is an open supply safety platform from ARMO to guard Kubernetes clusters with capabilities corresponding to threat evaluation, safety compliance, misconfiguration scanning, CI/CD safety, RBAC visualizer, and vulnerabilities scanning. One factor that units Kubescape aside is its library of strong capabilities that aligns with MITRE ATT&CK and NSA-CISA frameworks, says Richard.
“As I monitor Kubernetes safety choices — each business and non-commercial choices — I have never come throughout one other providing with the identical precise elements as Kubescape,” agrees Fernando Montenegro, senior principal analyst of cybersecurity infrastructure at Omdia.
Kubescape scans clusters, YAML recordsdata, and Helm charts for vulnerabilities both straight or by way of CI/CD integrations. The thought of scanning infrastructure-as-code (IaC) templates is well-popularized throughout the trade, says Montenegro. Most IaC scanning is completed for cloud assets like Amazon’s CloudFormation, HashiCorp’s Terraform, and others, with Kubernetes scanning being a extra specialised use case, he provides.
There are different choices available in the market — like Crimson Hat’s StackRox (acquired in 2021), Tenable’s Terrascan, and Palo Alto Networks’ Checkov — providing comparable capabilities as Kubernetes.
Implementing Finest Safety Practices in Kubernetes
Richard notes that adherence to cybersecurity fundamentals stays the bedrock of any safety effort. Whereas Kubescape is undoubtedly a robust Kubernetes safety instrument, he believes builders can successfully safe their Kubernetes clusters by following the fundamentals: implementing correct cluster configuration, pod safety requirements and coverage enforcement, community segmentation, vulnerability scanning, periodic coverage critiques, and safety audits. “Containers ought to run with the least privileges and solely mandatory companies, whereas role-based entry controls ought to be in place to handle person entry,” Richard says.
Whereas Montenegro says there are a number of Kubernetes finest practices for DevOps and DevSecOps groups to comply with, he notes that the next practices should be prime on their precedence record:
- Take into consideration safety early on: Collaborate along with your builders/architects to work by a correct risk modeling.
- Work with embedding safety all through the appliance lifecycle: Safety is an end-to-end course of, from offering on-the-spot safety recommendation and performance for a developer working by the code of their improvement setting, by ensuring safety assessments are half and parcel of the mixing phases, then including the required runtime protections to watch workloads in manufacturing.
- Safely retailer Kubernetes secrets and techniques: Implement options like correct namespace separation, use of role-based entry management (RBAC).
As Kubernetes grows in adoption, IT groups can keep away from safety pitfalls by utilizing instruments like Kubescape and StackRox, in addition to following the most effective safety practices for securing their crucial Kubernetes belongings.
