Eradicating Kubernetes Misconfigurations One YAML at a Time: A VMblog Q&A with Viswajith Venugopal, StackRox Ahead of KubeCon 2020


Ahead of KubeCon 2020, VMblog caught up with Viswajith Venugopal, Staff Software Engineer at StackRox. 

VMblog:  Leading up to KubeCon 2020, StackRox released a new open source tool to identify misconfigurations in Kubernetes deployments called KubeLinter.  Could you tell us about it?

Viswajith Venugopal:  If you've spent time crafting Kubernetes YAML files, you know it can be a pretty arduous endeavor -- there are so many different objects, so many knobs and dials, so many cross-references to keep track of. Further, in most cases, default configurations for Kubernetes objects are geared towards making it easy for users to get their apps up-and-running quickly, and not for secure, production-ready configurations.

KubeLinter is our answer to this problem. It enables users to run static checks against Kubernetes YAML files and Helm charts, leveraging a deep understanding of Kubernetes to help users enforce that applications deployed into their clusters follow best practices for security and production readiness.

VMblog:  Why create this tool as an Open Source project?

Venugopal:  The idea for this tool came out of a need we felt at StackRox. The existing open source solutions didn't do what we needed, so we knew there was a gap that KubeLinter could fill -- and we were thrilled to contribute to the thriving Kubernetes open source ecosystem that we, and so many others, benefit from. Further, we strongly believe that open sourcing any piece of software will result in it becoming better -- and this is especially true for a linter, where a wide and diverse base of users and contributors can help us add and curate checks, and craft the best user experience.

VMblog:  How does it benefit the Kubernetes and cloud-native communities?  Who is the ideal user?

Venugopal:  It benefits the communities by helping developers to craft production-ready YAML files more easily, and with less of a learning curve, and enabling cluster operators to ensure that best practices are followed in their organization right from YAML-writing time. KubeLinter is aimed at both individual developers and cluster operators.

VMblog:  Policy enforcement has become an important issue for both performance and security; how does KubeLinter support that?

Venugopal:  KubeLinter operates on configuration files that are treated as code, and is very easy to integrate into CI systems such as Jenkins, GitHub Actions and CircleCI. Organizations that want to enforce policies for performance and security can integrate KubeLinter into these systems to ensure that developers don't merge non-compliant code.

VMblog:  How does this play into DevOps/DevSecOps efforts and the leftward shift of security?

Venugopal:  Most DevOps/DevSecOps teams favor the approach of treating infrastructure and configuration as code -- it offers a lot of advantages, including the ability to shift security enforcement all the way left, to the level of code. KubeLinter enables users to do this for Kubernetes configurations.

VMblog:  How does KubeLinter facilitate security-as-code and why is that important within the context of cloud-native adoption?

Venugopal:  KubeLinter runs on YAML files, and is configured and run in CI systems. This makes it a great fit for cloud-native applications, since it plays well with how they are typically deployed in practice.

VMblog:  What are some of the security best practices that developers should follow?

Venugopal:  This could be a whole series of articles of its own, but some major ones are: give your containers the minimal privileges they need, avoid running as a root user, use a read-only root file system, ensure your images are stripped of package managers and other tools that you don't need but could aid attackers, and make correct use of built-in Kubernetes controls like RBAC and network policies.
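
As an added example (not KubeLinter's own code, and not part of the interview), here is a small static checker that turns the best practices listed above into checks over a workload's pod spec, and returns a non-zero exit status when any of them fail so that the CI integration described earlier can block a merge. The check names are this example's own labels, not KubeLinter's; the two Deployment manifests are constructed samples written as Python dicts (the JSON form Kubernetes also accepts) so the script runs without a YAML parser.

```python
"""Static checks for Kubernetes workload manifests, in the spirit of KubeLinter.

Added example, not KubeLinter's code. It encodes the interview's best practices
(least privilege, no root, read-only root filesystem, sane use of the built-in
service-account plumbing) as checks over a pod spec and returns findings so a
CI job can fail the build. Check names and sample manifests are this example's own.
"""
from __future__ import annotations

import sys

# Where the pod spec lives inside each workload kind this checker understands.
_POD_SPEC_PATHS = {
    "Pod": ("spec",),
    "Deployment": ("spec", "template", "spec"),
    "StatefulSet": ("spec", "template", "spec"),
    "DaemonSet": ("spec", "template", "spec"),
    "Job": ("spec", "template", "spec"),
    "CronJob": ("spec", "jobTemplate", "spec", "template", "spec"),
}


def pod_spec(manifest: dict) -> dict | None:
    """Return the pod spec of a workload manifest, or None for other kinds."""
    path = _POD_SPEC_PATHS.get(manifest.get("kind"))
    if path is None:
        return None
    node = manifest
    for key in path:
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node if isinstance(node, dict) else None


def lint(manifest: dict) -> list[str]:
    """Return 'check-name: detail' findings for one manifest; [] means clean."""
    spec = pod_spec(manifest)
    if spec is None:
        return []
    name = manifest.get("metadata", {}).get("name", "<unnamed>")
    pod_sc = spec.get("securityContext") or {}
    out: list[str] = []

    # Sharing host namespaces defeats the container boundary.
    for ns in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(ns) is True:
            out.append(f"host-namespace: {name} sets {ns}: true")
    # A mounted token for the default service account is an RBAC foothold
    # most workloads never need; either turn it off or bind a dedicated account.
    if spec.get("automountServiceAccountToken") is not False and not spec.get("serviceAccountName"):
        out.append(f"default-service-account: {name} mounts the default service account token")

    for c in (spec.get("containers") or []) + (spec.get("initContainers") or []):
        where = f"{name}/{c.get('name', '<unnamed>')}"
        sc = c.get("securityContext") or {}
        # Container-level settings override pod-level ones, so check the effective value.
        uid = sc.get("runAsUser", pod_sc.get("runAsUser"))
        non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
        if uid == 0:
            out.append(f"run-as-root: {where} sets runAsUser: 0")
        elif non_root is not True and not (isinstance(uid, int) and uid > 0):
            out.append(f"run-as-non-root: {where} does not guarantee a non-root user")
        if sc.get("readOnlyRootFilesystem") is not True:
            out.append(f"read-only-root-fs: {where} has a writable root filesystem")
        if sc.get("privileged") is True:
            out.append(f"privileged-container: {where} runs privileged")
        if sc.get("allowPrivilegeEscalation") is not False:
            out.append(f"privilege-escalation: {where} allows privilege escalation (setuid, file caps)")
        caps = sc.get("capabilities") or {}
        if "ALL" not in [str(x).upper() for x in caps.get("drop") or []]:
            out.append(f"drop-all-capabilities: {where} keeps the runtime's default capability set")
        if caps.get("add"):
            out.append(f"added-capabilities: {where} adds {sorted(caps['add'])}")
        image = c.get("image", "")
        last = image.rsplit("/", 1)[-1]  # drop the registry/repository path before looking for a tag
        if "@sha256:" not in image and (":" not in last or last.endswith(":latest")):
            out.append(f"latest-tag: {where} image {image!r} is not pinned to a tag or digest")
        res = c.get("resources") or {}
        for r in ("cpu", "memory"):
            if not (res.get("requests") or {}).get(r) or not (res.get("limits") or {}).get(r):
                out.append(f"unset-{r}-requirements: {where} has no {r} request and limit")
    return out


# Constructed sample: the shape a quick-start manifest often has.
WEAK_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "web"},
    "spec": {"template": {"spec": {
        "hostNetwork": True,
        "containers": [{"name": "app", "image": "example/app:latest",
                        "securityContext": {"privileged": True}}],
    }}},
}

# Constructed sample: the same workload with the practices from the interview applied.
HARDENED_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "web"},
    "spec": {"template": {"spec": {
        "automountServiceAccountToken": False,
        "securityContext": {"runAsNonRoot": True, "runAsUser": 10001},
        "containers": [{
            "name": "app", "image": "example/app:1.4.2",
            "securityContext": {"readOnlyRootFilesystem": True,
                                "allowPrivilegeEscalation": False,
                                "capabilities": {"drop": ["ALL"]}},
            "resources": {"requests": {"cpu": "100m", "memory": "128Mi"},
                          "limits": {"cpu": "500m", "memory": "256Mi"}},
        }],
    }}},
}


def main(manifests: list[dict]) -> int:
    """CI entry point: print every finding and return the exit status (1 blocks the merge)."""
    findings = [f for m in manifests for f in lint(m)]
    for f in findings:
        print(f)
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main([WEAK_DEPLOYMENT, HARDENED_DEPLOYMENT]))
```

Run as a script it prints the findings for the weak manifest and exits 1; in a pipeline you would load the repository's YAML documents into the same dict shape (for instance with PyYAML's safe_load) and hand the list to main(). This is only the shape of the idea: the real tool ships many more checks and also renders Helm charts before linting them.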

VMblog:  How have early users responded to KubeLinter?

Venugopal:  So far, people have told us they like the core functionality, and given us a lot of helpful suggestions and feature requests!

VMblog:  What comes next for the project?

Venugopal:  We're just getting started! The biggest thing we want to do is to add more checks, and get to a place where we have curated lists of checks that users can choose from depending on their needs. We also have some fun stuff planned including automatic rewrites, more flexible configuration options and allowing users to write custom hooks into our tool.


To learn more about containerized infrastructure and cloud native technologies, consider joining us at KubeCon + CloudNativeCon NA Virtual, November 17-20.

Viswa is a Staff Software Engineer at StackRox, where he spends time building tools that help users manage Kubernetes clusters and applications easily and securely. In addition to being the lead engineer on KubeLinter, an open-source tool to lint Kubernetes configurations, he has also worked extensively on the StackRox Kubernetes Security Platform, the first commercial Kubernetes-native security platform.
Published Thursday, October 22, 2020 7:36 AM by David Marshall