Based on the Cloud Native Computing Foundation (CNCF) Open Policy Agent (OPA), the Terrascan open source static code analyzer was designed to scan for vulnerabilities and security compliance issues across Infrastructure as code (IaC) deployments during the development cycle.
What was still missing, however, was an admission controller that could extend those scans, from a single source of IaC policy, to Kubernetes clusters at runtime. To that end, cloud native security provider Accurics has released an admission controller that does exactly this for Kubernetes clusters, as well as for code layers managed with Helm and Kustomize.
Before the release of the Terrascan admission controller, DevOps teams could use Terrascan and other IaC security scanners to discover vulnerabilities in development and during the build process, but they had to deploy different admission controllers for their Kubernetes clusters separately, Amir Benvenisti, head of open source, Accurics, told The New Stack. These tools would have to be configured separately, and would likely use different security policies, he said.
Since the release of Terrascan’s admission controller, DevOps teams “are empowered to use the same tool and configurations to enforce security controls, from development to runtime,” Benvenisti said. Teams can also use Terrascan’s set of Kubernetes policies, or create their own, before using Terrascan to scan IaC as it is being developed, “quickly remediating vulnerabilities.”
Using a single admission controller to scan IaC across the development pipeline and once deployed in runtime environments thus removes an operations burden, of course, Benvenisti said. Additionally, no scan is 100% foolproof, as vulnerabilities can surface or compliance policies change once code is deployed. Insecure images can also be inadvertently introduced in runtime environments, while attackers will seek to inject code to compromise infrastructure and networks.
Terrascan admission controllers can thus enforce policies in runtime cluster environments to ensure “no misconfigured resources are admitted, by accident or malice, by using Terrascan as an admission controller,” Benvenisti said.
The release of the Terrascan admission controller was also in response to the Kubernetes Auth Special Interest Group’s decision to deprecate its PodSecurityPolicy. This has created the potential for Kubernetes clusters to become vulnerable to attacks through common misconfigurations or excessive permissions, Accurics noted.
While PodSecurityPolicy is an integrated admission controller and had several defects, policy-as-code enforcement at the cluster level still continued to “play a vital role in ensuring the cluster is secure,” Benvenisti said. “PodSecurityPolicy’s deprecation is only an acknowledgment that a different approach is needed to enforce security policies at the cluster level. While a replacement for PSP is coming from the Kubernetes community, that will likely provide a minimal ‘secure by default’ configuration,” Benvenisti said. “We see Terrascan’s admission controller as yet another, different approach. We believe many teams will find that it is a simpler way to enforce robust security controls, especially since it comes packed with our large and growing set of policies.”
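The enforcement described above, a validating admission webhook turning away a misconfigured Pod before it reaches the cluster, as an added illustration that is not Terrascan's or Accurics' code: the check logic is a hand-written stand-in for the policy engine, applying PSP-style rules (no privileged containers, no host namespaces, non-root, no privilege escalation) to the AdmissionReview object the API server sends and returning the allow/deny response it expects. The AdmissionReview payload is constructed for the example.

```python
import json

# Constructed AdmissionReview request, shaped like what the API server POSTs to
# a validating webhook; it is not captured from a real cluster.
ADMISSION_REVIEW = json.loads("""{
  "apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
  "request": {
    "uid": "constructed-uid-0001",
    "kind": {"group": "", "version": "v1", "kind": "Pod"},
    "operation": "CREATE", "namespace": "payments",
    "object": {"metadata": {"name": "debug-shell"}, "spec": {
      "hostPID": true,
      "containers": [{"name": "sh", "image": "busybox:latest",
                      "securityContext": {"privileged": true}}]}}}}""")


def pod_violations(pod: dict) -> list[str]:
    """Return the PSP-style rules a Pod object breaks (empty list = compliant)."""
    spec = pod.get("spec", {})
    found = []
    for flag in ("hostPID", "hostNetwork", "hostIPC"):
        if spec.get(flag):
            found.append(f"spec.{flag} must not be true")
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        sc = c.get("securityContext") or {}
        if sc.get("privileged"):
            found.append(f"container {c['name']}: privileged must not be true")
        # Kubernetes defaults allowPrivilegeEscalation to true when unset.
        if sc.get("allowPrivilegeEscalation", True):
            found.append(f"container {c['name']}: allowPrivilegeEscalation must be false")
        if not sc.get("runAsNonRoot"):
            found.append(f"container {c['name']}: runAsNonRoot must be true")
    return found


def review(admission_review: dict) -> dict:
    """Build the AdmissionReview response the API server expects back."""
    req = admission_review["request"]
    violations = pod_violations(req["object"]) if req["kind"]["kind"] == "Pod" else []
    response = {"uid": req["uid"], "allowed": not violations}
    if violations:
        # A 403 with a message surfaces the reason directly in kubectl output.
        response["status"] = {"code": 403, "message": "; ".join(violations)}
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
            "response": response}


if __name__ == "__main__":
    print(json.dumps(review(ADMISSION_REVIEW), indent=2))
```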
The use of the Terrascan admission controller to extend IaC security scanning from production pipelines into runtime environments also represents a potential advancement for immutable infrastructure. As Mike Liedike, manager of Deloitte Consulting’s innovations and platforms team, described in a recent edition of The New Stack Makers podcast, immutable infrastructure helps to create a more consistent environment “across your entire fleet of systems, which gives you a simpler and more predictable deployment.”
For security, a tool such as the Terrascan admission controller helps lend more consistency to deployments, rendering infrastructure more “immutable.”
“Immutable infrastructure allows you to do the testing more consistently and promote your environments from development to test to prod,” Liedike said.
Accurics and Cloud Native Computing Foundation (CNCF) are sponsors of The New Stack.