Kubernetes security: New tech, familiar attack vectors

Kubernetes security: New tech, familiar attack vectors

With Kubernetes, some old threat vectors may feel new again. Kubernetes security experts say misconfigured settings and privilege mistakes are examples that can open up risk. Mind these six items

up
67 readers like this
Kubernetes

4. Harden and protect specific Kubernetes features

Similarly, it’s also important to take steps to harden and protect specific Kubernetes features. Gary Duan, CTO at NeuVector, points to components such as kubelet and the Kubernetes API server as examples of services that left unprotected (as a result of misconfiguration or otherwise) become attack vectors.

Leaving sensitive ports exposed creates unnecessary risks, for example. CNCF recommends configuring your network to block access to 10250 and 10255, which kubelet uses, as a best practice; CNCF also recommends restricting access to the Kubernetes API server to only trusted networks.

Duan from NeuVector also recommends using the CIS Benchmark for Kubernetes to check your environment against industry best practices. (The open source tool Kube-Bench is one option for doing so.)

5. Consider calling on a Kubernetes Operator

Another interesting area of recent investment that has a role to play in securing Kubernetes is Kubernetes operators, says Red Hat’s Newcomer. “They provide a way to extend the Kubernetes API to address application-specific pre- and/or post-provisioning needs in a kube-native and automated way,” she says.

“The really cool thing is that you can use Kubernetes operators to manage Kubernetes itself — making it easier to deliver and automate secured deployments,” Newcomer says. “For example, operators can manage drift, using the declarative nature of Kubernetes to reset and unsupported configuration changes.”

[ Get the free eBook: O’Reilly: Kubernetes Operators: Automating the Container Orchestration Platform. ]

6. Consider a layered approach to container security

The general nature of containers and orchestration brings some new considerations that should also be factored into your security program.

“Container environments are multi-tenant by design, and sharing resources among tenants increases exposure of all tenants when even one of them is compromised,” says Yankovskiy from Zettaset. In other words, one weak link could become a bigger problem: “One compromised container can compromise the entire environment and all its tenants. Furthermore, deploying container infrastructure requires following specific steps and processes to make sure that the environment itself is secure.”

Red Hat’s Newcomer has long advised a layered approach to container security. She discusses the 10 common layers of a container deployment – and how to bake security into each – in this podcast. You can also download the related whitepaper, “10 Layers of Container Security.” 

[ Want to learn more? Watch the on-demand webinar: Kubernetes 101: An introduction to containers, Kubernetes, and OpenShift. Get the eBook: Getting Started with Kubernetes. ]

Pages

7 New CIO Rules of Road

CIOs: We welcome you to join the conversation

Related Topics

Submitted By Koren Townsend
September 29, 2020

We all develop trust in people differently. Are you taking enough action as a leader to build trust with your team?

Submitted By Matt Kunkel
September 29, 2020

The COVID -19 pandemic has been a painful lesson for businesses without a strong business continuity plan. Consider these tips to ensure that your plan is up to date

Submitted By Donna Tuths
September 28, 2020

In response to the COVID-19 pandemic, CIOs and other C-suite leaders must transform how they think about “experience” – for both customers and employees – or risk losing them.

x

Email Capture

Keep up with the latest thoughts, strategies, and insights from CIOs & IT leaders.