Kubernetes security: 4 strategic tips

Kubernetes security experts share the tips that will help you avoid trouble – and maybe even build support for security across your organization

May 20, 2019

As with all things security-related, “fingers crossed!” isn’t exactly a confident posture. Kubernetes offers a lot of powerful security-oriented features, and the community has shown a strong commitment toward the security of the project. But it’s always best to be proactive, especially if you or your teams are still relatively new to containers and orchestration.

The fundamentals of security hygiene still largely apply, as we noted in our recent article, Kubernetes security: 5 mistakes to avoid. There’s also some new learning to be done to ensure you’re proactively managing the risks inherent in any new system, especially once it’s running in production.

Earlier this year, we shared four important tips for managing the security of your Kubernetes environment. We went back to the experts to ask for more, and they obliged. So let’s expand our strategies with four more tips for proactively managing the security of your Kubernetes implementation.

1. Know what you don’t know

When we dug into some of the common mistakes teams make in the early phases of their Kubernetes deployments, one big one came up repeatedly: People plow into production – often under unrealistic deadline pressure from above – without really testing or understanding the security implications.

“To improve Kubernetes security, seek out expertise,” says Matt Wilson, chief information security advisor at BTB Security. “Plenty of great information is already available from the usual sources, such as CIS Benchmarks, and also directly from Kubernetes. Download them, read them, apply what you can. Then, before you put production applications or data up there, conduct some security testing to validate you’ve done enough.”

We’ll throw in a couple of other items for your Kubernetes syllabus:

In terms of knowing what you don’t know – a healthy starting point for any learning curve – the CIS Benchmark for Kubernetes is a good place to begin. The open source tool kube-bench, developed by Aqua Security, checks your deployment against the 100+ checks in the CIS Benchmark for Kubernetes.

2. Optimize native Kubernetes controls

Another one of the initial mistakes some teams make is to assume that just because Kubernetes has powerful security controls, those features are optimized out of the gate. They’re not. So ensure you’re adequately tuning those features for your particular organization and its risks.

“Upgrade to the latest version of Kubernetes as frequently as possible [or] practical, [and] enable native controls and learn the optimum settings to make them as powerful and effective as possible,” says Wei Lien Dang, VP of product at StackRox.

Keeping your software current is an ageless best practice. As for optimizing native features, Dang offers a few examples:

  • Configure network policies to segment deployments and restrict allowed ingress and egress traffic.
  • Create separate namespaces across deployments for isolation.
  • Avoid granting cluster-wide permissions and enable certain powerful permissions only for trusted users to avoid issues, such as a recently disclosed DoS vulnerability.
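The three examples above map directly onto Kubernetes objects. What follows is an added illustration, not configuration from the article or from StackRox: a dedicated namespace, a default-deny NetworkPolicy with one narrow allow rule, and a namespaced Role plus RoleBinding in place of any cluster-wide grant. The namespace names (payments, frontend), the app label, port 8443 and the user identity are all assumed for the example.

```yaml
# Added example (not from the article): isolate a workload in its own
# namespace, deny all traffic by default, allow only what is needed,
# and scope RBAC to the namespace rather than the cluster.
# Names (payments, frontend, api, alice@example.com) are placeholders.
apiVersion: v1
kind: Namespace
metadata:
  name: payments
  labels:
    name: payments
---
# Default deny: with an empty podSelector this applies to every pod in
# the namespace, and listing both policy types blocks ingress AND egress.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: payments
spec:
  podSelector: {}
  policyTypes:
    - Ingress
    - Egress
---
# Narrow allow rule for the api pods: accept TCP/8443 only from pods in
# the "frontend" namespace, and permit egress only to cluster DNS.
# kubernetes.io/metadata.name is set automatically on namespaces in
# recent Kubernetes releases; older clusters need a manual label.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: api-allow-frontend
  namespace: payments
spec:
  podSelector:
    matchLabels:
      app: api
  policyTypes:
    - Ingress
    - Egress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              name: frontend
      ports:
        - protocol: TCP
          port: 8443
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
---
# Namespaced Role: read-only access to pods and their logs in "payments".
# No ClusterRole, no ClusterRoleBinding, no wildcard verbs or resources.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-reader
  namespace: payments
rules:
  - apiGroups: [""]
    resources: ["pods", "pods/log"]
    verbs: ["get", "list", "watch"]
---
# Bind the Role to a single user inside the namespace only.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: pod-reader-binding
  namespace: payments
subjects:
  - kind: User
    name: alice@example.com   # placeholder identity
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
```

Apply the manifest with `kubectl apply -f` and confirm the RBAC scope with `kubectl auth can-i list pods -n payments --as alice@example.com` (expected: yes) against `kubectl auth can-i list pods -n default --as alice@example.com` (expected: no). One caveat worth checking before relying on the network rules: NetworkPolicy objects are only enforced if the cluster's network plugin implements them; on a CNI without NetworkPolicy support the API server accepts the objects and the traffic still flows.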

Some organizations may want to consider augmenting native controls with standalone security tools, particularly if they have a compliance requirement such as PCI. Commercial platforms can also be helpful in this regard.

Kevin Casey writes about technology and business for a variety of publications. He won an Azbee Award, given by the American Society of Business Publication Editors, for his InformationWeek.com story, "Are You Too Old For IT?" He's a former community choice honoree in the Small Business Influencer Awards.
