Closing the Gap in Container Security

By Alex Jones, Engineering Director for Kubernetes at Canonical

Take a look under the hood of some of the most cutting-edge cloud native projects, and you'll find Kubernetes. Nearly half of cloud native developers are using Kubernetes, according to recent Slash Data survey results, particularly those working in emerging areas like computer vision, blockchain applications, cryptocurrencies, and biometrics for ID verification.

The appeal of Kubernetes is clear: the ability to run highly-distributed applications across environments has helped spark the development of a modern, cloud-native ecosystem. This ecosystem, however, will only fully thrive once the gaps in container security are closed.

Security is one of the biggest concerns IT professionals have when it comes to container adoption, and for good reason. In another recent industry survey, 93% of respondents said they experienced at least one security incident in their Kubernetes environments in the last 12 months, sometimes leading to revenue or customer loss. Additionally, more than half said they've had to delay application deployments because of security concerns -- effectively canceling out any benefit of speed gained from containerization.

Fortunately, as Kubernetes adoption continues to grow, new industry standards and best practices are emerging, paving the way for more secure Kubernetes systems. New frameworks and updated tooling will help more heavily-regulated industries and other security-conscious organizations enter the container-driven era. The growth of Kubernetes makes it a more appealing target for bad actors, making the right approach to security all the more important.

Ultimately, the best way to secure Kubernetes systems is to look beyond containers -- with a holistic approach to security that spans all layers of the system. Kubernetes comprises several layers, where any vulnerability or misconfiguration opens up a new weakness for attackers to potentially exploit. From container registries to code repositories and host operating systems, every element of the stack needs to be considered.

As it stands, there are few built-in security mechanisms found in Kubernetes, placing the burden of securing containers on the user. There have been attempts to build security into cloud-based products, but that leaves practitioners with a narrow focus -- it is, after all, easier for hyperscalers to design security around user interactions -- and no consideration for one's own data centers.

To adopt a more holistic security framework, it's important to validate controls from the container workloads all the way down to the host OS. Recently developed frameworks for Kubernetes, such as new Center for Internet Security (CIS) benchmarks, make this possible. The CIS benchmarks hit on all components of a Kubernetes system. They comprise detailed recommendations for three categories: cluster-level security, for clusters built on-premise or in the cloud; node-level security guidance to secure nodes at the OS level; and workload-level security, offering hardening practices for containers, code and other applications on the data plane.

Practitioners may also have to consider the Federal Information Processing Standard (FIPS): a set of security standards developed by the National Institute of Standards and Technology (NIST) to ensure the security and integrity of sensitive data. FIPS compliance is a requirement for many organizations that handle sensitive information, including federal agencies, government contractors and financial institutions.

Canonical recently announced that MicroK8s, its lightweight Kubernetes distribution, now supports the FIPS security standard. The integration of FIPS support into MicroK8s is a major milestone for the project and for Kubernetes as a whole, enabling new sectors to make use of Kubernetes clusters while staying secure and compliant.

In addition to leveraging new frameworks, Kubernetes users can improve their overall security posture through proper supply chain management. With every new image in their clusters, practitioners should be confident of where it came from, its known vulnerabilities and whether it is up to date, among other things.

There are several new projects that are looking at the provenance of OCI (Open Container Initiative) images to ensure they come from trusted sources. For instance, tools like Chainguard's Wolfi or OWASP CycloneDX offer, among other things, software bills of materials (SBOMs) for stronger supply chain integrity. When used in conjunction with full-stack scanning and configuration management, these can leave an even smaller attack surface for bad actors.
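As an added illustration, not code from the article or from any of the projects it names, the script below triages a constructed CycloneDX SBOM for one container image against the three questions raised above: whether the image reference is digest-pinned (provenance), which components match an advisory list (known vulnerabilities), and which lag the latest known version (up to date). The SBOM, the advisory list and the version table are all constructed placeholders, not real data.

```python
"""Triage a CycloneDX SBOM for a container image (constructed example)."""
import json
import re

# Constructed CycloneDX 1.4 document describing one image with two packages.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"component": {
        "type": "container",
        "name": "registry.example.internal/payments/api",
        "version": "sha256:" + "a1" * 32,      # immutable digest, not a tag
    }},
    "components": [
        {"type": "library", "name": "openssl", "version": "3.0.1",
         "purl": "pkg:apk/wolfi/openssl@3.0.1"},
        {"type": "library", "name": "zlib", "version": "1.2.13",
         "purl": "pkg:apk/wolfi/zlib@1.2.13"},
    ],
})

# Constructed placeholder advisory feed: versionless purl -> (affected, fixed).
ADVISORIES = {"pkg:apk/wolfi/openssl": ("3.0.1", "3.0.2")}
# Constructed "latest available" table for the up-to-date check.
LATEST = {"pkg:apk/wolfi/openssl": "3.0.2", "pkg:apk/wolfi/zlib": "1.2.13"}

DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")


def triage(sbom_text: str) -> dict:
    sbom = json.loads(sbom_text)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    image = sbom["metadata"]["component"]
    # Provenance: a mutable tag says nothing about what was actually pulled,
    # so only an immutable digest reference counts as pinned.
    pinned = bool(DIGEST_RE.match(image.get("version", "")))
    vulnerable, outdated = [], []
    for comp in sbom.get("components", []):
        base, _, version = comp["purl"].partition("@")
        affected, fixed = ADVISORIES.get(base, (None, None))
        if affected == version:                     # exact-match placeholder logic
            vulnerable.append(f"{comp['name']} {version} (fixed in {fixed})")
        if LATEST.get(base, version) != version:
            outdated.append(comp["name"])
    return {"image": image["name"], "digest_pinned": pinned,
            "vulnerable": vulnerable, "outdated": outdated}


if __name__ == "__main__":
    print(json.dumps(triage(SBOM_JSON), indent=2))
```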

Securing Kubernetes systems can seem like a daunting challenge, particularly when many organizations and IT professionals are still learning how to properly adopt and manage Kubernetes in production. But for the cloud-native ecosystem to reach its full potential, security can't be an afterthought.

Containerization and Kubernetes are already common within the enterprise, and there's no need for this momentum to slow. Many organizations, and entire industries, are still undergoing the drastic modernization efforts that began at the onset of the Covid-19 pandemic. These digitization efforts go hand in hand with the adoption of containers and Kubernetes. However, for many of these organizations, talk of adopting new technologies without the promise of a strong security posture is simply a non-starter.

Maintaining a secure Kubernetes system requires continuous effort and a comprehensive approach, but one that's well worth it.


To learn more about the transformative nature of cloud native applications and open source software, join us at KubeCon + CloudNativeCon Europe 2023, hosted by the Cloud Native Computing Foundation, which takes place from April 18-21.



Alex Jones is Engineering Director for Kubernetes at Canonical. He is a highly experienced technical leader. He has years of experience across a variety of industries and strives to deliver products that offer compelling solutions.

Published Monday, April 17, 2023 7:34 AM by David Marshall