Security | May 12, 2021

Kubernetes Security in Four Straightforward Steps


The popularity of Kubernetes (K8s) is undeniable, and with good reason. The platform delivers speed and portability, not to mention the ability to leverage flexible cloud native architectures. A recent survey revealed that 87% of organizations use K8s to manage at least a portion of their container workloads, but an astounding 94% of those organizations also reported serious container security issues over the last 12 months. This latter statistic points to the challenge with K8s, and all container solutions for that matter. Simply put, there are a lot of moving parts. Images, applications, infrastructure and more increase your attack surface and present very real opportunities for costly and catastrophic security breaches.

Accurics is here to ensure organizations have the best practices and practical approaches in place to achieve full Kubernetes security. In order to accomplish this, it is critical to pay particularly close attention to four security tiers: process, containers, connections, and runtime. This blog explores each of these tiers and offers both proactive and reactive steps to help you establish and maintain a well-rounded, robust approach to K8s security.

Secure the Development Process

The dynamic nature of the K8s environment means that security planning needs to start long before development does. Defining, at least in loose terms, what type of information the application will handle can inform your security policy and determine how it will be used in development to reduce risk before applications are deployed. Manual administration is logistically impossible, so codifying your infrastructure is the solution, and that’s where IaC and PaC come into play. K8s configurations are a form of Infrastructure as Code (IaC), while Policy as Code (PaC) codifies your policies, and those policies include the linting rules for your IaC. Both IaC and PaC work well in cloud native environments and deliver the consistency and velocity you need. PaC can and should be used throughout the development process, but the degree to which you implement security controls is flexible and likely defined by your organization. PaC can be used with proactive security controls, identifying violations so you can fix them prior to deployment. It can also be used with reactive controls, mitigating violations at runtime or providing critical visibility into weak spots and security risks. The goal is to define a reasonably stringent security policy and enforce it consistently throughout development, from design to deployment.

Secure the Kubernetes Container Images

The second tier is securing the containers within which the apps run, which involves securing the images used by the containers as well as securing how these images are pulled and used at runtime. In addition to considering whether your application has vulnerabilities, you must also look at the configuration of the image, the context within which the application runs. Securing images used by containers requires a scanning tool to identify vulnerabilities in your own code as well as those in the external packages and base layers the applications depend on. This scanning capability is not a feature of K8s, so it is important to use a tool such as Clair to identify container configuration issues. Doing so allows you to enforce secure configuration rules at build and deploy time, as well as embed reactive capabilities to bolster runtime security.

Secure the Kubernetes Connections

In the K8s environment, pods must maintain connections with the controller and with other pods. This brings with it opportunities for malicious infiltration. It is not enough to secure the components of the system; you must also secure connectivity between the components. K8s has access control features, but they must be enabled and configured to enforce least-privilege policies. Defining appropriate roles and access controls will improve the security of your cluster and ensure that full rights are given only to authorized users. As with container images, it is helpful to use an outside tool such as Terrascan to enforce best practices such as encryption of web connections and access controls on databases. An added bonus is that the data codified in the IaC gives your security team the information it needs to assess and secure environments well in advance of deployment. Security as Code, which takes PaC to the next level, offers another layer of defense: it can detect breach paths through pre-deployment assessments and also enable the runtime to identify and respond to violations in the event of an actual attack.
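The least-privilege point above is concrete enough to check mechanically. The following is an added example (not Accurics or Terrascan code) of a small RBAC audit that flags wildcard grants, access to sensitive resources such as secrets, escalation verbs, cluster-admin bindings and bindings to every authenticated principal. It assumes RBAC objects are supplied as Python dicts in the same shape as the YAML manifests you would apply with kubectl; the rule names and sample manifests are constructed for illustration.

```python
"""Least-privilege review of Kubernetes RBAC objects (added example).

Objects are plain dicts shaped like the YAML manifests applied with kubectl.
Rule names and the sample manifests below are constructed for illustration.
"""
from typing import Dict, List

# Resources and verbs that deserve scrutiny even when granted narrowly.
SENSITIVE_RESOURCES = {"secrets", "pods/exec", "pods/attach", "pods/portforward"}
ESCALATION_VERBS = {"bind", "escalate", "impersonate"}
BROAD_GROUPS = {"system:authenticated", "system:unauthenticated"}

# Constructed sample manifests: one over-broad role, one narrow but sensitive,
# one narrow and harmless, and a binding that hands cluster-admin to a CI account.
SAMPLE_OBJECTS = [
    {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRole",
     "metadata": {"name": "too-broad"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "Role",
     "metadata": {"name": "secret-reader", "namespace": "payments"},
     "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]}]},
    {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "Role",
     "metadata": {"name": "pod-viewer", "namespace": "payments"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]}]},
    {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRoleBinding",
     "metadata": {"name": "ci-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin",
                 "apiGroup": "rbac.authorization.k8s.io"},
     "subjects": [{"kind": "ServiceAccount", "name": "ci-runner", "namespace": "ci"}]},
]


def audit_role(obj: Dict) -> List[str]:
    """Flag rules in a Role/ClusterRole that exceed least privilege."""
    ident = f"{obj['kind']}/{obj['metadata']['name']}"
    findings = []
    for rule in obj.get("rules", []):
        groups = set(rule.get("apiGroups", []))
        resources = set(rule.get("resources", []))
        verbs = set(rule.get("verbs", []))
        if "*" in groups or "*" in resources or "*" in verbs:
            findings.append(f"{ident}: wildcard grant groups={sorted(groups)} "
                            f"resources={sorted(resources)} verbs={sorted(verbs)}")
        if resources & SENSITIVE_RESOURCES:
            findings.append(f"{ident}: grants {sorted(resources & SENSITIVE_RESOURCES)} "
                            f"with verbs {sorted(verbs)}; confirm the subject needs it")
        if verbs & ESCALATION_VERBS:
            findings.append(f"{ident}: escalation verbs {sorted(verbs & ESCALATION_VERBS)}")
    return findings


def audit_binding(obj: Dict) -> List[str]:
    """Flag bindings that hand out cluster-admin or target every principal."""
    ident = f"{obj['kind']}/{obj['metadata']['name']}"
    ref = obj.get("roleRef", {})
    subjects = obj.get("subjects", [])
    findings = []
    if ref.get("kind") == "ClusterRole" and ref.get("name") == "cluster-admin":
        names = [s.get("name") for s in subjects]
        findings.append(f"{ident}: binds cluster-admin to {names}")
    for subject in subjects:
        if subject.get("kind") == "Group" and subject.get("name") in BROAD_GROUPS:
            findings.append(f"{ident}: binds {ref.get('name')} to broad group {subject['name']}")
    return findings


def audit_rbac(objects: List[Dict]) -> List[str]:
    """Dispatch each object to the right audit and collect every finding."""
    findings = []
    for obj in objects:
        kind = obj.get("kind")
        if kind in ("Role", "ClusterRole"):
            findings.extend(audit_role(obj))
        elif kind in ("RoleBinding", "ClusterRoleBinding"):
            findings.extend(audit_binding(obj))
    return findings


if __name__ == "__main__":
    for finding in audit_rbac(SAMPLE_OBJECTS):
        print(finding)
```

Run against manifests rendered in CI (for example the output of `kubectl get clusterroles,clusterrolebindings -o json` loaded with `json.load`), the audit gives the security team the pre-deployment view the paragraph describes; the `pod-viewer` role passes cleanly, while the wildcard role, the secrets grant and the cluster-admin binding each produce a finding to review.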

Secure the Kubernetes Runtime

This brings us to the fourth tier: securing the runtime. You laid the foundation through threat modeling and security policy work in the previous three tiers. Now it’s time to enable the runtime to protect itself by focusing on three key areas:

  • Control plane: The control plane, including webhooks and privileged services, offers a great opportunity for hackers to introduce malware and destroy your environment. Establish a security policy for your control plane components and enforce it with Policy as Code tools such as Terrascan’s admission controller.
  • Inter-service and inter-pod communications: Service meshes and Cloud Workload Protection Platforms (CWPP) are valuable tools to help you establish security around coordinated communication between cloud native apps and monitor traffic inside and outside the cluster. K8s apps constantly adjust and shift after deployment, and while the controls you established in development will ensure compliance at deployment, it’s important to make sure runtime changes are codified back to the IaC. These Drift as Code capabilities not only detect drift from the baseline IaC, they can submit pull requests to codify compliant changes into the IaC, ensuring your IaC remains your source of truth.
  • Workloads: Workload vulnerabilities can appear at runtime so it is important to assess the runtime continuously. Removing any vulnerabilities is generally the best fix but that can take time so it’s important to be proactive and have a mitigation plan in place before you need it. CWPP solutions offer reactive security controls or you can utilize observability features in your components, in tandem with SecOps tools like SOAR, to deliver insight into security posture.
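The development-process section above describes Policy as Code being used both proactively (catching violations before deployment) and reactively (enforcing them at runtime), and the control-plane bullet names a validating admission controller as the runtime enforcement point. The following added example (not Accurics or Terrascan code) shows one set of pod-security rules serving both roles: a lint pass over rendered manifests for CI, and a handler that turns the same rules into an `admission.k8s.io/v1` AdmissionReview response. The rule names and sample manifests are constructed; the AdmissionReview request/response shape is the real v1 API, but the HTTPS serving and TLS setup a production webhook needs are out of scope.

```python
"""Pod-security Policy as Code, used proactively (CI lint) and reactively
(validating admission webhook). Added example; rule names and sample
manifests are constructed, AdmissionReview follows admission.k8s.io/v1.
"""
from typing import Callable, Dict, List, Tuple


def pod_spec(obj: Dict) -> Dict:
    """Return the pod spec for a Pod or for a workload that wraps a template."""
    if obj.get("kind") == "Pod":
        return obj.get("spec", {})
    return obj.get("spec", {}).get("template", {}).get("spec", {})


def no_privileged(spec: Dict) -> List[str]:
    return [f"container {c['name']} runs privileged" for c in spec.get("containers", [])
            if c.get("securityContext", {}).get("privileged")]


def run_as_non_root(spec: Dict) -> List[str]:
    # A container-level setting overrides the pod-level one; absence is a violation.
    pod_level = spec.get("securityContext", {}).get("runAsNonRoot")
    out = []
    for c in spec.get("containers", []):
        effective = c.get("securityContext", {}).get("runAsNonRoot")
        if effective is None:
            effective = pod_level
        if effective is not True:
            out.append(f"container {c['name']} does not set runAsNonRoot: true")
    return out


def pinned_image(spec: Dict) -> List[str]:
    out = []
    for c in spec.get("containers", []):
        image = c.get("image", "")
        if "@sha256:" in image:
            continue                       # digest-pinned: strongest form
        last = image.rsplit("/", 1)[-1]    # skip a registry host:port prefix
        if ":" not in last or last.endswith(":latest"):
            out.append(f"container {c['name']} image {image!r} is not pinned to a tag")
    return out


def resource_limits(spec: Dict) -> List[str]:
    out = []
    for c in spec.get("containers", []):
        limits = c.get("resources", {}).get("limits", {})
        missing = [k for k in ("cpu", "memory") if k not in limits]
        if missing:
            out.append(f"container {c['name']} lacks limits for {missing}")
    return out


def no_host_namespaces(spec: Dict) -> List[str]:
    return [f"{f} is enabled" for f in ("hostNetwork", "hostPID", "hostIPC") if spec.get(f)]


RULES: List[Tuple[str, Callable[[Dict], List[str]]]] = [
    ("no-privileged", no_privileged), ("run-as-non-root", run_as_non_root),
    ("pinned-image", pinned_image), ("resource-limits", resource_limits),
    ("no-host-namespaces", no_host_namespaces),
]


def evaluate(obj: Dict) -> List[str]:
    """Apply every rule to one manifest; returns 'rule: message' strings."""
    spec = pod_spec(obj)
    return [f"{name}: {msg}" for name, rule in RULES for msg in rule(spec)]


def lint_manifests(objects: List[Dict]) -> Dict[str, List[str]]:
    """Proactive use: run over rendered manifests in CI, fail the build on any hit."""
    return {obj["metadata"]["name"]: evaluate(obj) for obj in objects}


def admission_response(review: Dict) -> Dict:
    """Reactive use: the same rules behind a validating admission webhook."""
    request = review["request"]
    violations = evaluate(request["object"])
    response: Dict = {"uid": request["uid"], "allowed": not violations}
    if violations:
        response["status"] = {"code": 403, "message": "; ".join(violations)}
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview", "response": response}


# Constructed sample manifests: one non-compliant Deployment, one compliant.
BAD_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "web-bad", "namespace": "payments"},
    "spec": {"template": {"spec": {"hostNetwork": True, "containers": [
        {"name": "web", "image": "nginx:latest", "securityContext": {"privileged": True}}]}}},
}
GOOD_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "web-good", "namespace": "payments"},
    "spec": {"template": {"spec": {"securityContext": {"runAsNonRoot": True}, "containers": [
        {"name": "web", "image": "registry.example.com:5000/web:1.4.2",
         "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}}}]}}},
}
# Constructed AdmissionReview request as the API server would POST it to the webhook.
REVIEW = {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
          "request": {"uid": "constructed-uid-0001", "object": BAD_DEPLOYMENT}}

if __name__ == "__main__":
    print(lint_manifests([BAD_DEPLOYMENT, GOOD_DEPLOYMENT]))
    print(admission_response(REVIEW))
```

Keeping the rules in one module is the point: the CI lint and the admission webhook cannot disagree about what "compliant" means, which is what makes the IaC a usable source of truth when drift is later reconciled back into it. The non-compliant sample trips all five rules and is denied with a 403 status message; the compliant one is allowed with no status block.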

With the numerous benefits offered by K8s, Accurics believes that its popularity will continue to rise. That is why it’s critical to be vigilant about protecting networks and applications from security breaches and attacks. By focusing on the four aforementioned tiers, organizations can proactively mitigate threats and establish reliable reactive controls, all to maintain compliance while leveraging the full power of the K8s solution.

To learn more about securing Kubernetes clusters, I invite you to download a copy of our Kubernetes security whitepaper, 4 Steps to Achieving Comprehensive Kubernetes Security.
