Kubernetes security: 4 tips to manage risks

As you bear down on Kubernetes security, use these strategies to avoid missteps in work with containers and orchestration

3. Consider a commercial Kubernetes platform

When CVE-2018-1002105, a privilege escalation vulnerability, made headlines in late 2018, Red Hat OpenShift quickly released updates to address the issue, as did the underlying Kubernetes project. This speaks to the community’s fast, effective response, and to the benefits of relying on a commercial Kubernetes platform.

As Mike Bursell, Red Hat's chief security architect, pointed out in Part One of this Kubernetes security article series: “This is one of the benefits of deploying a product with both an active community and commercial support. The response to the problem was very swift, and the community is working to improve the security of the project as a whole.”

Beyond that, a good commercial Kubernetes platform gives you a head start on security best practices and ships updates quickly when new vulnerabilities come to light.

“If you’re new to Kubernetes, be smart and either use experts or an enterprise-grade Kubernetes management platform,” Jerbi says.

4. Don't trust your same old tools and practices

Just as strong hybrid cloud security often requires some revisions to your existing playbook, a move to containers and orchestration commonly necessitates new tools and practices.

“Don’t assume that your traditional security tools provide adequate protection in Kubernetes environments – they don’t,” Jerbi says. The open source community offers some good options to put on your short list. “There are many open source tools, such as kube-bench, which tests Kubernetes clusters against the 100+ checks of the CIS Kubernetes Benchmark, or kube-hunter, which runs penetration tests on clusters and nodes.” (Jerbi’s firm, Aqua Security, developed and released both open source tools.)

Dan Hubbard, chief product officer at Lacework, notes that Kubernetes security requires a mix of the old (staying current and patched in your software, for example) and new – approaches and tools.

“The main thing is to keep updated with current versions and patches, but to support that, teams also need to demand a least-privilege approach internally along with an immutable infrastructure,” Hubbard advises. “It will also be critical to deploy a combination of commercial products, open source features with native Kubernetes features like pod security policies, and RBAC. They’ll also need to use tooling from their cloud service provider[s].”

CVE-2018-1002105 underscored the necessity for implementing best practices around privilege and access, principles that shouldn’t be new-age stuff for security pros but may require different thinking or steps for containers.

Chris Roberts, an adviser at Attivo Networks, concurs that role-based access control (RBAC) must be enabled for robust Kubernetes security, and adds that many elements of a strong security posture remain relevant in container environments: good policies, procedures, and controls at the user, application, and network layers; separation and segmentation (including firewalls) where possible; rotating encryption keys; and strong education and integration among different roles and teams.
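The least-privilege RBAC posture that Hubbard and Roberts describe can be audited mechanically rather than by eyeballing bindings. The script below is an added example, not code from the article or from the Aqua Security tools it names. It reads the object list that `kubectl get roles,clusterroles,rolebindings,clusterrolebindings -A -o json` returns and reports rules that use wildcards, escalation verbs or secret reads, plus bindings that hand such a role (or the built-in cluster-admin role) to any subject, and bindings of any role to broad built-in groups or a namespace's default service account. The objects embedded in it are constructed samples; the names dev-wildcard, pod-reader, devs-admin, everyone-wildcard and web-reads-pods are invented for the example.

```python
"""Least-privilege audit of Kubernetes RBAC objects.

Added example; not code from the article or from any tool it names.
Input is the "items" list returned by
  kubectl get roles,clusterroles,rolebindings,clusterrolebindings -A -o json
The objects at the bottom are constructed samples in that shape.
"""
import json
import sys

# Built-in groups that include every caller, or every authenticated caller.
BROAD_SUBJECTS = {"system:authenticated", "system:unauthenticated", "system:serviceaccounts"}
# Verbs that let a subject obtain rights it does not hold itself.
ESCALATION_VERBS = {"impersonate", "escalate", "bind"}
CLUSTER_ADMIN = ("ClusterRole", "", "cluster-admin")


def rule_reason(rule):
    """Return why one RBAC rule exceeds least privilege, or None if it looks scoped."""
    resources = set(rule.get("resources", []))
    verbs = set(rule.get("verbs", []))
    if "*" in resources and "*" in verbs:
        return "wildcard resources and verbs (cluster-admin equivalent)"
    if "*" in verbs:
        return "wildcard verbs on " + ",".join(sorted(resources))
    if "*" in resources:
        return "wildcard resources for verbs " + ",".join(sorted(verbs))
    if verbs & ESCALATION_VERBS:
        return "escalation verb " + ",".join(sorted(verbs & ESCALATION_VERBS))
    if "secrets" in resources and verbs & {"get", "list", "watch"}:
        return "reads secrets"
    return None


def role_key(kind, name, namespace):
    """Roles are namespaced, ClusterRoles are not; key them so that a
    RoleBinding resolves to the Role in its own namespace."""
    return (kind, namespace if kind == "Role" else "", name)


def audit(items):
    """Return a sorted list of finding strings for a list of RBAC objects."""
    risky = {}  # role_key -> list of reasons
    for obj in items:
        if obj["kind"] in ("Role", "ClusterRole"):
            reasons = [r for r in map(rule_reason, obj.get("rules", [])) if r]
            if reasons:
                meta = obj["metadata"]
                risky[role_key(obj["kind"], meta["name"], meta.get("namespace", ""))] = reasons

    findings = [f"{k}/{n}: " + "; ".join(rs) for (k, _, n), rs in risky.items()]
    for obj in items:
        if obj["kind"] not in ("RoleBinding", "ClusterRoleBinding"):
            continue
        meta, ref = obj["metadata"], obj["roleRef"]
        key = role_key(ref["kind"], ref["name"], meta.get("namespace", ""))
        # cluster-admin is a default ClusterRole with a wildcard rule; treat it as
        # over-privileged even when the dump does not include the role itself.
        over_privileged = key in risky or key == CLUSTER_ADMIN
        for subj in obj.get("subjects", []):
            problems = []
            if over_privileged:
                problems.append(f"binds over-privileged {ref['kind']}/{ref['name']}")
            if subj["name"] in BROAD_SUBJECTS:
                problems.append("subject is a broad built-in group")
            elif subj["kind"] == "ServiceAccount" and subj["name"] == "default":
                problems.append("subject is a namespace default service account")
            if problems:
                findings.append(f"{obj['kind']}/{meta['name']} -> {subj['kind']}/{subj['name']}: "
                                + "; ".join(problems))
    return sorted(findings)


# Constructed sample objects; all names are invented for this example.
RBAC_GROUP = "rbac.authorization.k8s.io"
SAMPLE_ITEMS = [
    {"kind": "ClusterRole", "metadata": {"name": "dev-wildcard"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"kind": "Role", "metadata": {"name": "pod-reader", "namespace": "app"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "devs-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin", "apiGroup": RBAC_GROUP},
     "subjects": [{"kind": "Group", "name": "devs", "apiGroup": RBAC_GROUP}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "everyone-wildcard"},
     "roleRef": {"kind": "ClusterRole", "name": "dev-wildcard", "apiGroup": RBAC_GROUP},
     "subjects": [{"kind": "Group", "name": "system:authenticated", "apiGroup": RBAC_GROUP}]},
    {"kind": "RoleBinding", "metadata": {"name": "web-reads-pods", "namespace": "app"},
     "roleRef": {"kind": "Role", "name": "pod-reader", "apiGroup": RBAC_GROUP},
     "subjects": [{"kind": "ServiceAccount", "name": "web", "namespace": "app"}]},
]

if __name__ == "__main__":
    # Pipe a real dump on stdin (kubectl get ... -o json | python audit_rbac.py),
    # otherwise the constructed samples are audited.
    items = SAMPLE_ITEMS if sys.stdin.isatty() else json.load(sys.stdin)["items"]
    for line in audit(items):
        print(line)
```

On the samples this reports the wildcard ClusterRole, the binding of cluster-admin to the devs group, and the binding of the wildcard role to every authenticated user; the scoped pod-reader Role and its binding to a named service account produce nothing. The checks are deliberately conservative (a wildcard verb on a single harmless resource is still flagged) because the point of the exercise is to make every broad grant an explicit, reviewed decision.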

Roberts also notes the strength of Linux’s native security controls: “Use them whenever possible,” he says.

Finally, Roberts points to a container-specific element of privilege: Root in containers.

“Containers don’t all have to be root,” Roberts says. “If they don’t need it, don’t give it.”
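Roberts' point about root in containers, together with Hubbard's mention of pod security policies, can be turned into a manifest check that runs before anything reaches a cluster. The script below is an added example, not code from the article or from any tool it names. It takes Pod objects in the shape `kubectl get pod <name> -o json` returns, merges the pod-level and container-level securityContext the way Kubernetes does (container fields win), and reports containers that run as root, run privileged, keep privilege escalation or dangerous capabilities, or share host namespaces. The three pods in it are constructed samples; the hardened one sets the fields a restrictive pod security policy would demand, and the third shows a pod-level runAsNonRoot being undone by a container-level runAsUser.

```python
"""Flag containers that run as root or with more privilege than they need.

Added example; not code from the article or from any tool it names. Input is
a Pod object in the shape `kubectl get pod <name> -o json` returns. The three
pods at the bottom are constructed samples with invented names and images.
"""

# Capabilities that, granted to a container, amount to control of the node.
DANGEROUS_CAPS = {"ALL", "SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "NET_ADMIN"}
HOST_NAMESPACE_FIELDS = ("hostPID", "hostIPC", "hostNetwork")


def effective_security_context(pod_spec, container):
    """Merge pod- and container-level securityContext the way Kubernetes does:
    a container-level field overrides the same field set at pod level
    (runAsUser, runAsNonRoot, runAsGroup); privileged, capabilities and
    allowPrivilegeEscalation exist only at container level."""
    merged = dict(pod_spec.get("securityContext", {}))
    merged.update(container.get("securityContext", {}))
    return merged


def check_pod(pod):
    """Return a list of (scope, finding) tuples; scope is 'pod' or a container name."""
    spec = pod["spec"]
    findings = []
    for field in HOST_NAMESPACE_FIELDS:
        if spec.get(field):
            findings.append(("pod", f"{field} shares a host namespace"))
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        name, sc = c["name"], effective_security_context(spec, c)
        if sc.get("runAsUser") == 0:
            findings.append((name, "runAsUser is 0 (root)"))
        elif not sc.get("runAsNonRoot"):
            # Without runAsNonRoot the kubelet accepts whatever user the image
            # sets, and many images still default to root.
            findings.append((name, "runAsNonRoot not set; image default user applies"))
        if sc.get("privileged"):
            findings.append((name, "privileged container"))
        if sc.get("allowPrivilegeEscalation", True):  # Kubernetes default is true
            findings.append((name, "allowPrivilegeEscalation not disabled"))
        caps = sc.get("capabilities", {})
        added = set(caps.get("add", [])) & DANGEROUS_CAPS
        if added:
            findings.append((name, "adds capabilities " + ",".join(sorted(added))))
        if "ALL" not in caps.get("drop", []):
            findings.append((name, "does not drop all capabilities"))
    return findings


def _pod(name, spec):
    return {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": name}, "spec": spec}


# Constructed sample: a lift-and-shift workload running as the image's root
# user, privileged, on the host network.
LEGACY_POD = _pod("legacy-app", {
    "hostNetwork": True,
    "containers": [{"name": "app", "image": "example.invalid/app:1.0",
                    "securityContext": {"privileged": True,
                                        "capabilities": {"add": ["SYS_ADMIN"]}}}],
})

# Constructed sample: the same workload with the fields a restrictive pod
# security policy requires.
HARDENED_POD = _pod("hardened-app", {
    "securityContext": {"runAsNonRoot": True, "runAsUser": 10001, "runAsGroup": 10001},
    "containers": [{"name": "app", "image": "example.invalid/app:1.0",
                    "securityContext": {"allowPrivilegeEscalation": False,
                                        "readOnlyRootFilesystem": True,
                                        "capabilities": {"drop": ["ALL"]}}}],
})

# Constructed sample: pod-level runAsNonRoot is undone by a container-level
# runAsUser: 0. The kubelet would refuse to start this container; the audit
# catches the contradiction before the manifest reaches a cluster.
OVERRIDE_POD = _pod("override-app", {
    "securityContext": {"runAsNonRoot": True},
    "containers": [{"name": "app", "image": "example.invalid/app:1.0",
                    "securityContext": {"runAsUser": 0,
                                        "allowPrivilegeEscalation": False,
                                        "capabilities": {"drop": ["ALL"]}}}],
})

if __name__ == "__main__":
    for pod in (LEGACY_POD, HARDENED_POD, OVERRIDE_POD):
        print(pod["metadata"]["name"], check_pod(pod) or "ok")
```

The legacy pod produces six findings and the hardened pod none, which is the gap Roberts is pointing at: nothing in the legacy manifest asked for root, it simply never said otherwise. Running a check like this in CI, or enforcing the same fields with pod security policies or an admission controller, is how "if they don't need it, don't give it" becomes a default rather than a reminder.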
