Kubernetes security: New tech, familiar attack vectors
With Kubernetes, some old threat vectors may feel new again. Kubernetes security experts say misconfigured settings and privilege mistakes are examples that can open up risk. Mind these six items
4. Harden and protect specific Kubernetes features
Similarly, it’s also important to take steps to harden and protect specific Kubernetes features. Gary Duan, CTO at NeuVector, points to components such as the kubelet and the Kubernetes API server as examples of services that, left unprotected (through misconfiguration or otherwise), become attack vectors.
Leaving sensitive ports exposed creates unnecessary risk, for example. As a best practice, CNCF recommends configuring your network to block access to ports 10250 and 10255, which the kubelet uses; CNCF also recommends restricting access to the Kubernetes API server to trusted networks only.
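To make the kubelet hardening concrete, here is an added example (not from the article, CNCF, or NeuVector) that audits a kubelet configuration file for the weak settings behind the exposed-port risk described above: the unauthenticated read-only port, anonymous authentication, and an authorization mode that allows everything. It assumes the kubelet config is supplied in JSON (the kubelet accepts its KubeletConfiguration file as JSON or YAML); both sample configs are constructed for illustration.

```python
import json

# Constructed sample kubelet config files (JSON form of KubeletConfiguration).
# The weak one leaves the read-only port on and accepts anonymous callers.
WEAK_KUBELET_CONFIG = json.dumps({
    "kind": "KubeletConfiguration",
    "apiVersion": "kubelet.config.k8s.io/v1beta1",
    "readOnlyPort": 10255,
    "authentication": {"anonymous": {"enabled": True}},
    "authorization": {"mode": "AlwaysAllow"},
})

# Hardened counterpart: read-only port off, anonymous off, webhook authz.
HARDENED_KUBELET_CONFIG = json.dumps({
    "kind": "KubeletConfiguration",
    "apiVersion": "kubelet.config.k8s.io/v1beta1",
    "readOnlyPort": 0,
    "authentication": {"anonymous": {"enabled": False},
                       "webhook": {"enabled": True}},
    "authorization": {"mode": "Webhook"},
})


def audit_kubelet_config(raw_json):
    """Return a list of findings for the kubelet settings the text calls out.

    Only explicitly set fields are inspected; the kubelet's own defaults
    for omitted fields are not modelled here.
    """
    cfg = json.loads(raw_json)
    findings = []

    # A non-zero readOnlyPort serves pod and node data with no authentication.
    ro_port = cfg.get("readOnlyPort", 0)
    if ro_port:
        findings.append(f"readOnlyPort {ro_port} enabled; set it to 0")

    # Anonymous requests on 10250 make any network peer a kubelet client.
    anon = cfg.get("authentication", {}).get("anonymous", {})
    if anon.get("enabled") is True:
        findings.append("authentication.anonymous.enabled is true")

    # AlwaysAllow authorizes every request; Webhook defers to the API server.
    if cfg.get("authorization", {}).get("mode") == "AlwaysAllow":
        findings.append("authorization.mode is AlwaysAllow; use Webhook")

    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_KUBELET_CONFIG),
                      ("hardened", HARDENED_KUBELET_CONFIG)):
        print(name, audit_kubelet_config(cfg) or ["no findings"])
```

Blocking 10250 and 10255 at the network layer, as CNCF recommends, is still needed: this audit only catches the kubelet-side settings that make an exposed port dangerous.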
5. Consider calling on a Kubernetes Operator
Another interesting area of recent investment that has a role to play in securing Kubernetes is Kubernetes operators, says Red Hat’s Newcomer. “They provide a way to extend the Kubernetes API to address application-specific pre- and/or post-provisioning needs in a kube-native and automated way,” she says.
“The really cool thing is that you can use Kubernetes operators to manage Kubernetes itself — making it easier to deliver and automate secured deployments,” Newcomer says. “For example, operators can manage drift, using the declarative nature of Kubernetes to reset any unsupported configuration changes.”
6. Consider a layered approach to container security
The general nature of containers and orchestration brings some new considerations that should also be factored into your security program.
“Container environments are multi-tenant by design, and sharing resources among tenants increases exposure of all tenants when even one of them is compromised,” says Yankovskiy from Zettaset. In other words, one weak link could become a bigger problem: “One compromised container can compromise the entire environment and all its tenants. Furthermore, deploying container infrastructure requires following specific steps and processes to make sure that the environment itself is secure.”
Red Hat’s Newcomer has long advised a layered approach to container security. She discusses the 10 common layers of a container deployment – and how to bake security into each – in this podcast. You can also download the related whitepaper, “10 Layers of Container Security.”