What do successful Kubernetes migration projects have in common? A clear strategy, a strong culture, and the proper resources to execute the plan. Check out this expert advice
Kubernetes security: 4 tips to manage risks
As you bear down on Kubernetes security, use these strategies to avoid missteps in work with containers and orchestration
3. Consider a commercial Kubernetes platform
When CVE-2018-1002105, a privilege escalation vulnerability, made headlines in late 2018, Red Hat OpenShift quickly released updates to address the issue, as did the underlying Kubernetes project. This speaks to the community’s fast, effective response, and to the benefits of relying on a commercial Kubernetes platform.
As Mike Bursell, Red Hat's chief security architect, pointed out in Part One of this Kubernetes security article series: “This one of the benefits of deploying a product with both an active community and commercial support. The response to the problem was very swift, and the community is working to improve the security of the project as a whole.”
Among other upsides of a commercial solution for running Kubernetes, a good one will give you a head start on security best practices and update quickly when new vulnerabilities come to light.
“If you’re new to Kubernetes, be smart and either use experts or an enterprise-grade Kubernetes management platform,” Jerbi says.
4. Don't trust your same old tools and practices
Just as strong hybrid cloud security often requires some revisions to your existing playbook, a move to containers and orchestration commonly necessitates new tools and practices.
“Don’t assume that your traditional security tools provide adequate protection in Kubernetes environments – they don’t,” Jerbi says. The open source community offers some good options to put on your short list. “There are many open source tools, such kube-bench, which tests Kubernetes clusters against the 100+ checks of the CIS Kubernetes Benchmark, or kube-hunter, which runs penetration tests on clusters and nodes.” (Jerbi’s firm, Aqua Security, developed and released both open source tools.)
Dan Hubbard, chief product officer at Lacework, notes that Kubernetes security requires a mix of the old (staying current and patched in your software, for example) and new – approaches and tools.
“The main thing is to keep updated with current versions and patches, but to support that, teams also need to demand a least-privilege approach internally along with an immutable infrastructure,” Hubbard advises. “It will also be critical to deploy a combination of commercial products, open source features with native Kubernetes features like pod security policies, and RBAC. They’ll also need to use tooling from their cloud service provider[s].”
CVE-2018-1002105 underscored the necessity for implementing best practices around privilege and access, principles that shouldn’t be new-age stuff for security pros but may require different thinking or steps for containers.
Chris Roberts, an adviser at Attivo Networks, concurs that role-based access control (RBAC) must be enabled for robust Kubernetes security, and adds that many elements of a strong security posture remain relevant in container environments: Good policies, procedures, and controls at the user, application, and network layer; separate and segmentation (including firewalls) where possible; rotating encryption keys; and strong education and integrations among different roles and teams.
Roberts also notes the strength of Linux’s native security controls: “Use them whenever possible,” he says.
Finally, Roberts points to a container-specific element of privilege: Root in containers.
“Containers don’t all have to be root,” Roberts says. “If they don’t need it, don’t give it.”
[ Kubernetes terminology, demystified: Get our Kubernetes glossary cheat sheet for IT and business leaders. ]