Kubernetes security: New tech, familiar attack vectors

With Kubernetes, some old threat vectors may feel new again. Kubernetes security experts say misconfigured settings and privilege mistakes are examples that can open up risk. Mind these six items

4. Harden and protect specific Kubernetes features

Similarly, it’s also important to take steps to harden and protect specific Kubernetes features. Gary Duan, CTO at NeuVector, points to components such as kubelet and the Kubernetes API server as examples of services that, if left unprotected (through misconfiguration or otherwise), become attack vectors.

Leaving sensitive ports exposed creates unnecessary risks, for example. CNCF recommends configuring your network to block access to 10250 and 10255, which kubelet uses, as a best practice; CNCF also recommends restricting access to the Kubernetes API server to only trusted networks.

Duan from NeuVector also recommends using the CIS Benchmark for Kubernetes to check your environment against industry best practices. (The open source tool Kube-Bench is one option for doing so.)
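The port and API-server advice above, and the CIS-style configuration checks that Kube-Bench automates, can be illustrated with a small audit script. The following is an added example written for this article, not code from NeuVector, CNCF, or the Kube-Bench project. It parses the command lines of kubelet and kube-apiserver (as you would copy them from `ps -o args`) and reports the settings that leave port 10250 open to anonymous callers, the unauthenticated read-only port 10255 open, or the API server reachable without authentication or authorization. The sample command lines are constructed; the flag defaults assumed when a flag is absent are taken from the kubelet and kube-apiserver flag documentation and should be verified against the release you run.

```python
"""Audit kubelet / kube-apiserver command lines for settings that expose
the kubelet ports (10250, 10255) and the API server.  Added example."""
import shlex
from typing import Dict, List

# Constructed sample command lines (not from any real cluster).
INSECURE_KUBELET = (
    "/usr/bin/kubelet --anonymous-auth=true --authorization-mode=AlwaysAllow "
    "--read-only-port=10255 --kubeconfig=/etc/kubernetes/kubelet.conf"
)
HARDENED_KUBELET = (
    "/usr/bin/kubelet --anonymous-auth=false --authorization-mode=Webhook "
    "--read-only-port=0 --client-ca-file=/etc/kubernetes/pki/ca.crt "
    "--kubeconfig=/etc/kubernetes/kubelet.conf"
)
INSECURE_APISERVER = (
    "kube-apiserver --insecure-port=8080 --authorization-mode=AlwaysAllow "
    "--anonymous-auth=true"
)
HARDENED_APISERVER = (
    "kube-apiserver --insecure-port=0 --authorization-mode=Node,RBAC "
    "--anonymous-auth=false --client-ca-file=/etc/kubernetes/pki/ca.crt"
)


def parse_flags(cmdline: str) -> Dict[str, str]:
    """Collect '--flag=value', '--flag value' and bare '--flag' (read as true)."""
    tokens = shlex.split(cmdline)
    flags: Dict[str, str] = {}
    i = 1  # tokens[0] is the binary itself
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("--"):
            name = tok[2:]
            if "=" in name:
                name, value = name.split("=", 1)
            elif i + 1 < len(tokens) and not tokens[i + 1].startswith("--"):
                value = tokens[i + 1]
                i += 1
            else:
                value = "true"
            flags[name] = value
        i += 1
    return flags


def audit_kubelet(cmdline: str) -> List[str]:
    """Findings for a kubelet command line (assumed defaults: anonymous-auth=true,
    authorization-mode=AlwaysAllow, read-only-port=10255 when the flag is absent)."""
    f = parse_flags(cmdline)
    findings: List[str] = []
    if f.get("anonymous-auth", "true") != "false":
        findings.append("kubelet: --anonymous-auth is not false "
                        "(unauthenticated requests to port 10250 are accepted)")
    if f.get("authorization-mode", "AlwaysAllow") == "AlwaysAllow":
        findings.append("kubelet: --authorization-mode is AlwaysAllow "
                        "(use Webhook so the API server authorizes each request)")
    if f.get("read-only-port", "10255") != "0":
        findings.append("kubelet: --read-only-port is not 0 "
                        "(unauthenticated read-only port 10255 is open)")
    if "client-ca-file" not in f:
        findings.append("kubelet: --client-ca-file unset "
                        "(no client-certificate authentication on port 10250)")
    return findings


def audit_apiserver(cmdline: str) -> List[str]:
    """Findings for a kube-apiserver command line.  --insecure-port only exists
    on older releases; it is checked only when present."""
    f = parse_flags(cmdline)
    findings: List[str] = []
    if f.get("anonymous-auth", "true") != "false":
        findings.append("kube-apiserver: --anonymous-auth is not false")
    if f.get("insecure-port", "0") != "0":
        findings.append("kube-apiserver: --insecure-port %s serves the API "
                        "without TLS or authentication" % f["insecure-port"])
    modes = f.get("authorization-mode", "AlwaysAllow").split(",")
    if "AlwaysAllow" in modes:
        findings.append("kube-apiserver: --authorization-mode includes AlwaysAllow")
    return findings


if __name__ == "__main__":
    for label, fn, cmd in [("kubelet", audit_kubelet, INSECURE_KUBELET),
                           ("kube-apiserver", audit_apiserver, INSECURE_APISERVER)]:
        print("%s findings:" % label)
        for line in fn(cmd):
            print("  -", line)
```

The script only reads process flags; a kubelet that takes the same settings from a KubeletConfiguration file (`--config`) needs that file inspected as well, which is one reason to run Kube-Bench rather than a hand-rolled check in production. Network-level blocking of 10250 and 10255, as CNCF recommends, remains necessary even when these flags are set correctly, because it limits who can reach the service at all.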

5. Consider calling on a Kubernetes Operator

Another interesting area of recent investment that has a role to play in securing Kubernetes is Kubernetes operators, says Red Hat’s Newcomer. “They provide a way to extend the Kubernetes API to address application-specific pre- and/or post-provisioning needs in a kube-native and automated way,” she says.

“The really cool thing is that you can use Kubernetes operators to manage Kubernetes itself — making it easier to deliver and automate secured deployments,” Newcomer says. “For example, operators can manage drift, using the declarative nature of Kubernetes to reset any unsupported configuration changes.”

6. Consider a layered approach to container security

The general nature of containers and orchestration brings some new considerations that should also be factored into your security program.

“Container environments are multi-tenant by design, and sharing resources among tenants increases exposure of all tenants when even one of them is compromised,” says Yankovskiy from Zettaset. In other words, one weak link could become a bigger problem: “One compromised container can compromise the entire environment and all its tenants. Furthermore, deploying container infrastructure requires following specific steps and processes to make sure that the environment itself is secure.”

Red Hat’s Newcomer has long advised a layered approach to container security. She discusses the 10 common layers of a container deployment – and how to bake security into each – in this podcast. You can also download the related whitepaper, “10 Layers of Container Security.” 
