Kubernetes security: 4 tips to manage risks

Kubernetes security: 4 tips to manage risks

As you bear down on Kubernetes security, use these strategies to avoid missteps in work with containers and orchestration

up
101 readers like this

on

January 16, 2019
Shadow IT CIO

3. Consider a commercial Kubernetes platform

When CVE-2018-1002105, a privilege escalation vulnerability, made headlines in late 2018, Red Hat OpenShift quickly released updates to address the issue, as did the underlying Kubernetes project. This speaks to the community’s fast, effective response, and to the benefits of relying on a commercial Kubernetes platform.

As  Mike Bursell, Red Hat's chief security architect, pointed out in Part One of this Kubernetes security article series: “This one of the benefits of deploying a product with both an active community and commercial support. The response to the problem was very swift, and the community is working to improve the security of the project as a whole.”

Among other upsides of a commercial solution for running Kubernetes, a good one will give you a head start on security best practices and update quickly when new vulnerabilities come to light.

“If you’re new to Kubernetes, be smart and either use experts or an enterprise-grade Kubernetes management platform,” Jerbi says.

4. Don't trust your same old tools and practices

Just as strong hybrid cloud security often requires some revisions to your existing playbook, a move to containers and orchestration commonly necessitates new tools and practices.

“Don’t assume that your traditional security tools provide adequate protection in Kubernetes environments – they don’t,” Jerbi says. The open source community offers some good options to put on your short list. “There are many open source tools, such kube-bench, which tests Kubernetes clusters against the 100+ checks of the CIS Kubernetes Benchmark, or kube-hunter, which runs penetration tests on clusters and nodes.” (Jerbi’s firm, Aqua Security, developed and released both open source tools.)

Kubernetes security requires a mix of the old (staying current and patched in your software, for example) and new – approaches and tools.

Dan Hubbard, chief product officer at Lacework, notes that Kubernetes security requires a mix of the old (staying current and patched in your software, for example) and new – approaches and tools.

“The main thing is to keep updated with current versions and patches, but to support that, teams also need to demand a least-privilege approach internally along with an immutable infrastructure,” Hubbard advises. “It will also be critical to deploy a combination of commercial products, open source features with native Kubernetes features like pod security policies, and RBAC. They’ll also need to use tooling from their cloud service provider[s].”

CVE-2018-1002105 underscored the necessity for implementing best practices around privilege and access, principles that shouldn’t be new-age stuff for security pros but may require different thinking or steps for containers.

Chris Roberts, an adviser at Attivo Networks, concurs that role-based access control (RBAC) must be enabled for robust Kubernetes security, and adds that many elements of a strong security posture remain relevant in container environments: Good policies, procedures, and controls at the user, application, and network layer; separate and segmentation (including firewalls) where possible; rotating encryption keys; and strong education and integrations among different roles and teams.

Roberts also notes the strength of Linux’s native security controls: “Use them whenever possible,” he says.

Finally, Roberts points to a container-specific element of privilege: Root in containers.

“Containers don’t all have to be root,” Roberts says. “If they don’t need it, don’t give it.”

[ Kubernetes terminology, demystified: Get our Kubernetes glossary cheat sheet for IT and business leaders. ]

Pages

7 New CIO Rules of Road

CIOs: We welcome you to join the conversation

Related Topics

Submitted By Anil Somani
August 23, 2019

Sweeping transformations aren't the only area where organizations need change agents. Here's how to find and nurture people who are eager to make incremental changes every day. 

Submitted By Michael Crones
August 22, 2019

If IT has become disconnected from the business, it may be time to rethink your org chart. Draper's CIO shares how his team forged a tighter business relationship using a new IT role.

Submitted By Jason Lasseigne
August 22, 2019

Balancing high starting salaries for new graduates with those of IT veterans may feel challenging – but it doesn’t have to be. Are you truly taking care of your stars?

x

Email Capture

Keep up with the latest thoughts, strategies, and insights from CIOs & IT leaders.