Recommendations for Reducing Risk in Kubernetes Clusters

By Ben Grissinger, Cloud-native Security Expert, Tufin

The continued adoption of Kubernetes (K8s) in the enterprise is largely due to its increased security capabilities and the ability to maintain speed and agility throughout development processes. In the 2021 Flexera State of the Cloud Report, a recent survey of 750 global technical professionals, 48% report that they are currently using Kubernetes within their organization and an additional 25% intend to do so. With nearly ¾ of these organizations seeking to implement or continue the use of containers, it is important to look at how this changes security considerations. It is very clear that new rules need to be written. Legacy approaches are woefully insufficient when it comes to secure development on Kubernetes.

As you look to secure your Kubernetes clusters, there are several considerations to address before releasing your work into production. The guidance below is in no way comprehensive, but it does provide several requirements for container security and a more secure development lifecycle.

Perform Static and Dynamic Scans

Performing both static and dynamic scans of images and containers across the software development lifecycle can be useful in removing known vulnerabilities and overly permissive containers. Anyone who is running containerized workloads should be performing continuous scans and there are multiple solutions that exist today to help you achieve this requirement.

Manage Cluster Traffic Flows

Visibility is key when it comes to traffic flows within clusters. A stronger cloud security posture must be informed by what is talking to what, and who is talking to whom, when it comes to cluster traffic. This is where Network Policies have become a very effective tool for improving the security of workloads running in a cluster. The downside of Network Policies is the additional operational burden that comes with writing and maintaining them. As requirements change due to compliance needs or business mandates, keeping security policies up to date can be extremely challenging if done manually. Automation plays a key role here, and you should deploy a central source of truth for policy generation and management.

Leverage Admission Controllers

Admission controllers are essentially snippets of code that can perform deployment checks before any object is persisted by the API server of a cluster, but only after authentication and authorization have been performed. This matters because not every request submitted to a cluster should be allowed: admission control adds a further gate for requests that have already passed authentication and authorization.

There are two types of admission controllers, validating and mutating. Validating webhooks are limited to validation only, such as checking that certain labels are present. Mutating webhooks can change the object, such as injecting a sidecar into a Pod. There are examples where both mutating and validating webhooks are used together for specific use cases.

The upstream Kubernetes community recently announced the deprecation of PodSecurityPolicy (PSP), the mechanism for applying pod security restrictions to individual Pods. Instead, the community is suggesting more policy-driven, codified, flexible and scalable alternatives. Many solutions are available today that use admission controllers to provide PSP-like services that apply and manage pod security policies within clusters. This pod-security-policy-as-code approach allows policies to be managed at scale rather than applied to every individual Pod that is instantiated in a cluster.
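An added example, not from the article, of the policy-as-code approach using the built-in, CEL-based ValidatingAdmissionPolicy (generally available since Kubernetes 1.30) rather than a webhook: it enforces the required-label check mentioned above and a PSP-style ban on privileged containers. The policy name, the `owner` label and the `policy-enforcement=enabled` opt-in label are assumptions.

```yaml
# Added example: built-in CEL admission policy standing in for a PSP.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicy
metadata:
  name: pod-baseline-checks
spec:
  failurePolicy: Fail             # fail closed if the policy cannot be evaluated
  matchConstraints:
    resourceRules:
      - apiGroups: [""]
        apiVersions: ["v1"]
        operations: ["CREATE", "UPDATE"]
        resources: ["pods"]
  validations:
    # Validating check: a required label must be present (label name assumed).
    - expression: "has(object.metadata.labels) && 'owner' in object.metadata.labels"
      message: "Pods must carry an 'owner' label"
    # PSP-style check: no container may run privileged.
    - expression: >-
        object.spec.containers.all(c, !has(c.securityContext) ||
          !has(c.securityContext.privileged) || !c.securityContext.privileged)
      message: "privileged containers are not allowed"
    # initContainers are optional, so guard before iterating.
    - expression: >-
        !has(object.spec.initContainers) || object.spec.initContainers.all(c,
          !has(c.securityContext) || !has(c.securityContext.privileged) ||
          !c.securityContext.privileged)
      message: "privileged init containers are not allowed"
---
# Binding: enforce only in namespaces that opt in via a label (assumed name).
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicyBinding
metadata:
  name: pod-baseline-checks-binding
spec:
  policyName: pod-baseline-checks
  validationActions: ["Deny"]     # use ["Warn"] or ["Audit"] to roll out safely
  matchResources:
    namespaceSelector:
      matchLabels:
        policy-enforcement: enabled
```

Because the policy is a cluster object rather than per-Pod configuration, it is versioned and reviewed like any other manifest, and switching the binding from `Warn` to `Deny` is how you move from measuring violations to blocking them.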

Introduce Security Early in the CI/CD Pipeline

While there are various choices when it comes to CI/CD tools, it's critical to have an approach that guides your decisions as well. The concept of shifting left with security ensures that checks and policies are embedded much earlier in the development lifecycle. Some solutions will allow you to shift left by natively integrating with DevOps tooling. This can provide application network traffic risk analysis, letting you discover and fix security issues, resolve conflicts between security and development, and accelerate the delivery of trusted, secure applications.

Ensure Compliance with CIS Benchmarks

While embracing the flexibility offered by Kubernetes, it is critical that your IT remains secure and compliant throughout the development lifecycle. Checking your clusters against the CIS benchmarks should be a continual practice that catches cluster configuration drift and recently added requirements. As environments become more complex and fragmented, ensuring you are compliant with industry and internal regulations will ensure secure container development and the maintenance of an agile business.

Thinking of Security in New Terms

In summary, the advent of containers, microservices and headless development is a significant step forward for most organizations that are looking to ease the challenges of traditional development and solve application conflicts between different environments. By embracing both a technical and a non-technical approach to security, enterprises can ensure their production environment has reaped the benefits of security that begin as the first lines of code are being written.


To learn more about cloud native technology innovation, join us at KubeCon + CloudNativeCon Europe 2021 - Virtual, which will take place from May 4-7.


Ben Grissinger, Cloud-native Security Expert, Tufin

Over the past several years, Ben has designed and delivered automation solutions for everything containers, as both a customer and a vendor. Now at Tufin, Ben collaborates with the IT security industry's brightest minds and thought leaders to create secure cloud and containerized environments at the speed and scale required by fast-moving enterprises.

Published Wednesday, April 21, 2021 7:33 AM by David Marshall