This article was originally published on ContainerJournal; we are republishing it here.
Adoption of containers and Kubernetes has been phenomenal over the last year. According to the recently published CNCF report, container adoption has jumped to 84%, with Kubernetes being adopted by 78% of respondents to orchestrate those containers. However, there are security concerns regarding containers and Kubernetes.
As StackRox's "The State of Container and Kubernetes Security Report 2020" notes, Kubernetes and container security have become pain points for technical leaders and CIOs of enterprises and companies deploying containers and Kubernetes in production.
Kubernetes Security Options
There are various ways to approach container security effectively and arrive at a secure architecture and a hardened Kubernetes deployment. Here are some of them:
Kubernetes Security and DevOps
Kubernetes is part of most DevOps strategies today. If your company is "doing DevOps," it is recommended to integrate security into your DevOps workflows and address secure practices there. Security tools and configurations need to be integrated into CI/CD pipelines to avoid manual configuration; in fact, automating configuration management tasks will reduce or eliminate the biggest causes of an insecure Kubernetes architecture: misconfiguration and human error.
Pod-Level and Node-Level Security
Kubernetes needs to be hardened at both the pod and node levels. The PodSecurityPolicy specification in the Kubernetes repository addresses pod-level security concerns and tightens the privileges granted to containers. At the node level, best practices need to be followed to restrict unauthorized access.
Communication Channel Between Containers
Communication between containers within a cluster is often where data can be leaked to an external threat. Using a VPN is one method of securing end-to-end communication within the Kubernetes cluster. One way to achieve this is to hide the Kubernetes API server behind the VPN, which allows containers to access the internet without exposing the API server to an external threat.
Using a service mesh is the preferred approach, however: it creates a network layer that encrypts data in transit, controls the flow of traffic and enables secure communication between containers. Defining network policies for traffic to and from containers is another practice that can prevent an attacker from moving laterally through the cluster.
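The network policies mentioned above, as an added example that is not part of the original article: Kubernetes allows all pod-to-pod traffic until a NetworkPolicy selects a pod, so the first policy denies everything in the namespace and the second re-opens only the one path the application needs. The namespace "shop", the labels app=web and app=db and port 5432 are assumed for illustration.

```yaml
# Added example (not from the original article). Assumes a namespace "shop"
# containing pods labelled app=web and app=db; adjust to your own cluster.

# 1. Default deny. An empty podSelector selects every pod in the namespace;
#    listing both policyTypes with no ingress/egress rules blocks all traffic
#    in both directions, so lateral movement needs an explicit allow rule.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: shop
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress
---
# 2. Allow only the web tier to reach the database, and only on its port.
#    Policies are additive: any pod not matched by an allow rule (including a
#    compromised pod in another tier) still falls under the default deny.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-web-to-db
  namespace: shop
spec:
  podSelector:
    matchLabels:
      app: db
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: web
    ports:
    - protocol: TCP
      port: 5432
```

NetworkPolicy objects are only enforced when the cluster's CNI plugin implements them, so verify enforcement after `kubectl apply -f` by attempting a connection from a pod outside the web tier. Because the default-deny policy also blocks egress, the web pods additionally need an egress rule permitting DNS and the database before they will function.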
Authorization at Each Component Level
Many IT systems and applications are compromised by bypassing the authentication mechanism, obtaining user access privileges and performing malicious activities to steal data or disrupt the target. A Kubernetes environment is no exception to such attacks. Attackers can get into K8S infrastructure from containers and nodes and from there reach the rest of the containers as well as the API server and etcd, which sit on the control plane of the master node. Kubernetes supports role-based access control (RBAC), which strengthens authorization at each level of the cluster. If you want to harden authorization, you must configure RBAC fully, with all of its configuration attributes, at each level.
Managed Kubernetes
Lack of skills and human error in configuring Kubernetes can be the biggest roadblock to Kubernetes adoption, as they increase the chances of running less secure clusters. Companies that need containerization are instead choosing managed Kubernetes solutions to run their containerized workloads. Managed Kubernetes platforms are offered both by the leading public cloud providers and by independent managed solution providers. The advantage of using a managed solution is that a dedicated team tracks security issues and addresses them for all of its customers with the help of automated management platforms.
Kubernetes Security Platforms
Various security platforms addressing Kubernetes security have been developed over the last couple of years. Organizations and enterprises have a choice to either go with managed Kubernetes or choose a platform or integrated solution to protect Kubernetes clusters.
Conclusion
We discussed above the key factors that are crucial to hardening Kubernetes clusters. With these insights, I hope technical leaders will find direction toward protecting their Kubernetes environment. Many detailed technical aspects, use cases and a market overview are included in Calsoft's recently released eBrief on Kubernetes security.