Kubernetes security: 4 tips to manage risks

As you bear down on Kubernetes security, use these strategies to avoid missteps in work with containers and orchestration

January 16, 2019

3. Consider a commercial Kubernetes platform

When CVE-2018-1002105, a privilege escalation vulnerability in the Kubernetes API server, made headlines in late 2018, Red Hat OpenShift quickly released updates to address the issue, as did the upstream Kubernetes project. This speaks to the community's fast, effective response, and to the benefits of relying on a commercial Kubernetes platform.

As Mike Bursell, Red Hat's chief security architect, pointed out in Part One of this Kubernetes security article series: “This is one of the benefits of deploying a product with both an active community and commercial support. The response to the problem was very swift, and the community is working to improve the security of the project as a whole.”

Among the other upsides of a commercial Kubernetes platform, a good one gives you a head start on security best practices and ships updates quickly when new vulnerabilities come to light.

“If you’re new to Kubernetes, be smart and either use experts or an enterprise-grade Kubernetes management platform,” Jerbi says.

4. Don't trust your same old tools and practices

Just as strong hybrid cloud security often requires some revisions to your existing playbook, a move to containers and orchestration commonly necessitates new tools and practices.

“Don’t assume that your traditional security tools provide adequate protection in Kubernetes environments – they don’t,” Jerbi says. The open source community offers some good options to put on your short list. “There are many open source tools, such as kube-bench, which tests Kubernetes clusters against the 100+ checks of the CIS Kubernetes Benchmark, or kube-hunter, which runs penetration tests on clusters and nodes.” (Jerbi’s firm, Aqua Security, developed and released both open source tools.)

Dan Hubbard, chief product officer at Lacework, notes that Kubernetes security requires a mix of old approaches and tools (staying current and patched in your software, for example) and new ones.

“The main thing is to keep updated with current versions and patches, but to support that, teams also need to demand a least-privilege approach internally along with an immutable infrastructure,” Hubbard advises. “It will also be critical to deploy a combination of commercial products, open source features with native Kubernetes features like pod security policies, and RBAC. They’ll also need to use tooling from their cloud service provider[s].”

CVE-2018-1002105 underscored the need for best practices around privilege and access: principles that are nothing new for security pros but may require different thinking or steps in container environments.

Chris Roberts, an adviser at Attivo Networks, concurs that role-based access control (RBAC) must be enabled for robust Kubernetes security, and adds that many elements of a strong security posture remain relevant in container environments: good policies, procedures, and controls at the user, application, and network layers; separation and segmentation (including firewalls) where possible; rotating encryption keys; and strong education and integration among different roles and teams.

Roberts also notes the strength of Linux’s native security controls: “Use them whenever possible,” he says.

Finally, Roberts points to a container-specific element of privilege: root in containers.

“Containers don’t all have to be root,” Roberts says. “If they don’t need it, don’t give it.”
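Hubbard's call for least privilege enforced with RBAC, Roberts's point about Linux's native controls, and the rule that containers need not run as root all come down to a handful of fields in ordinary Kubernetes manifests. What follows is an added example written for this page, not configuration from the article or from any of the vendors quoted: it binds a ServiceAccount to a Role that can only read one named ConfigMap and list Pods in its own namespace, and it runs the Pod as a fixed non-root user with privilege escalation disabled, every Linux capability dropped and the runtime's default seccomp filter applied. The namespace, object names and image are placeholders. One caveat on Hubbard's mention of pod security policies: PodSecurityPolicy was removed in Kubernetes 1.25, and the built-in Pod Security Admission controller's "restricted" profile now requires the same pod-level settings shown here.

```yaml
# Added example, not from the original article. Namespace, names and image
# (payments, report-runner, report-reader, registry.example.com/...) are
# placeholders chosen for illustration.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: report-runner
  namespace: payments
automountServiceAccountToken: false   # default to no API token; a Pod opts in explicitly below
---
# Weak pattern to avoid: a ClusterRoleBinding that hands cluster-admin to a
# namespace's default ServiceAccount, i.e.
#   kind: ClusterRoleBinding
#   roleRef: {apiGroup: rbac.authorization.k8s.io, kind: ClusterRole, name: cluster-admin}
#   subjects: [{kind: ServiceAccount, name: default, namespace: payments}]
# Instead, scope a Role to one namespace, named resources and only the verbs needed.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: report-reader
  namespace: payments
rules:
  - apiGroups: [""]
    resources: ["configmaps"]
    resourceNames: ["report-config"]   # one named object, not every ConfigMap in the namespace
    verbs: ["get"]
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list"]             # no create/patch/delete, and never "*"
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: report-runner-reads-reports
  namespace: payments
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: report-reader
subjects:
  - kind: ServiceAccount
    name: report-runner
    namespace: payments
---
apiVersion: v1
kind: Pod
metadata:
  name: report-runner
  namespace: payments
spec:
  serviceAccountName: report-runner
  automountServiceAccountToken: true   # this Pod does call the API, so it opts in; the Pod field overrides the ServiceAccount default
  # hostPID, hostNetwork, hostIPC and privileged are deliberately left at their default of false
  securityContext:
    runAsNonRoot: true      # kubelet refuses to start a container whose effective UID would be 0
    runAsUser: 10001
    runAsGroup: 10001
    fsGroup: 10001
    seccompProfile:
      type: RuntimeDefault  # container runtime's default seccomp filter (field needs Kubernetes 1.19+)
  containers:
    - name: runner
      image: registry.example.com/payments/report-runner:1.4.2   # placeholder image
      securityContext:
        allowPrivilegeEscalation: false   # sets no_new_privs, so setuid binaries cannot gain privilege
        readOnlyRootFilesystem: true      # writable scratch space is an explicit emptyDir below
        capabilities:
          drop: ["ALL"]                   # Linux capabilities: start from none, add back only what is needed
      volumeMounts:
        - name: tmp
          mountPath: /tmp
  volumes:
    - name: tmp
      emptyDir: {}
```

Apply it with `kubectl apply -f` and check the binding from the ServiceAccount's point of view: `kubectl auth can-i delete pods -n payments --as=system:serviceaccount:payments:report-runner` should answer "no", while the same command with `get pods` answers "yes". With `runAsNonRoot: true` the kubelet enforces Roberts's advice rather than leaving it as a convention: if `runAsUser` were omitted, it would inspect the image's USER and refuse to start a container that resolves to UID 0.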
