ARMO: Misconfiguration Is Number 1 Kubernetes Security Risk
ARMO, the maker of an open source Kubernetes security platform, has released the results of a study that indicates that misconfiguration is the biggest issue when it comes to Kubernetes security.
ARMO conducted its internal study over eight months, scanning 10,000 clusters, and found that 100% of clusters scanned had at least one misconfiguration. They used Kubescape, the company’s Kubernetes security platform to scan the clusters.
Shauli Rozen, CEO and co-founder of ARMO, said finding misconfigurations in Kubernetes clusters is not surprising due to the complexity of running and managing it, as Kubernetes users battle with misconfiguration and vulnerabilities across the software development life cycle (SDLC). However. the Kubescape security platform provides a multi-cloud Kubernetes single pane of glass solution, he said. It provides risk analysis, security compliance, a role-based access control (RBAC) visualizer, and image vulnerabilities scanning.
Kubescape scans Kubernetes clusters, YAML files, Helm charts, worker nodes and API servers, detecting misconfigurations according to multiple frameworks (such as the NSA-CISA, MITRE ATT&CK and more), software vulnerabilities, and RBAC violations across the SDLC calculates risk scores and shows risk trends over time.
Assessing the Findings
ARMO assessed its findings in four frameworks, including ArmoBest, MITRE ATT&CK, NSA-CISA Hardening guidance and DevOps Best Practices.
For each assessment, 100 represents the highest risk and 0 the lowest. A best practice is for organizations to keep their risk scores below a 30, with a score of 60-plus putting them in the worst 5%. A risk score below 10 puts an organization in the best 10%, said Jonathan Kaftzan, ARMO’s vice president of marketing and business development.
Top Five Security Misconfigurations
The scans found that in addition to 100% of clusters containing at least one misconfiguration, 65% had at least one high severity misconfiguration. And 50% of clusters had 14 or more failed security controls. The following is a list of the top 5 misconfigurations found during the Kubescape scans:
- Run privileged containers
Containers with access to run privileged might create unintended access to host information and should generally be configured to run as a non-root user.
- Cluster admin binding
Users with the cluster-admin role can perform any action on any resource, leaving a considerable vulnerability across the implementation.
- Missing Resource policies
63% of clusters had workloads without proper resource limitations. Resource policies may control access to security-sensitive aspects of a pod’s specification. Failing to configure resource policies properly can expose your system and lead to costly breaches.
- Immutable container filesystem
Cyber attackers that gain execution within a container can create files, download scripts, and modify applications. Leveraging an immutable container configuration can prevent damage but may also introduce complications in application function if not properly managed.
- Ingress and Egress blocked
Sixty-three percent of clusters had workloads outside the cluster without the proper ingress blocked. It’s critical to use ingress and egress filtering to protect network access points.
Follow Best Practices
“People are still running privileged containers and root containers when they don’t need to, sometimes you have to, but we see about 60% of workloads, which is way more than the needs to be running in privileged mode, or as the root user within the container, or both. That is, in my mind, the biggest best practice that we need to get out,” Rozen said.
Moreover, another issue ARMO has been witnessing is users not using resource limitations on workloads running in Kubernetes.
“I don’t think it’s critical, but it is very prevalent,” Rozen said. “So while Kubernetes gives you the ability to limit the memory usage, or the CPU usage of your workload, you know, very few people actually use those capabilities. And it’s actually not a critical thing in terms of security. But it is a very, very, very bad practice.”
Meanwhile, in all, the ARMO study showed that:
- 63% of clusters had workloads without proper resource limitations
- 37% of clusters had applications with credentials in configuration files
- 23% of clusters had applications running with dangerous Linux capabilities
- 35% of clusters had workloads running with insecure capabilities
- 100% of clusters had misconfigurations
Know the Posture of Your Cluster
“The most burning question for developers and for DevSecOps, in this environment is, first of all, to understand the posture of your cluster — what level of risk do I have in my cluster.” Rozen said.
So ARMO built Kubescape to scan the configuration of a cluster, as well as scan for vulnerabilities in a cluster, with role-based access and provisioning of clusters, and bring that all together to picture of what is in the cluster.
The company launched Kubescape in August 2021 and it has since scanned well more than 10,000 Kubernetes clusters. ARMO aggregated the data and did some analysis to highlight essential stats on the state of Kubernetes security, risk, and compliance.
Misconfiguration as a Root Cause
According to Gartner, through 2025, more than 99% of cloud breaches will have a root cause of customer misconfigurations or mistakes. This complements the findings from Gartner’s 2021 Hype Cycle for Cloud Security report which shows that 59% of security incidents with known causes occurred from a detected misconfiguration. When asked which risks concerned cloud leaders the most for their containers and K8s environments, most respondents identified misconfigurations as their number one concern, ARMO officials said.
“We started only with misconfigurations, then we moved to vulnerabilities and role-based access control, and we’re moving forward,” Rozen said.
However, the next thing on ARMO’s roadmap — based on user feedback — is bringing more CI/CD capabilities to the platform.
“So, we’re bringing some of those capabilities even more to the left in order to actually find the issues earlier,” Rozen said. “And then the second thing we hear is about adding an admission controller, basically enabling the enforcement of what we find in Kubernetes. When a new workload comes on, there are different admission controllers out there. And, because of the capabilities we’ve created, many of our users have been asking when and how we can introduce an admission controller to Kubernetes.”
Kubernetes admission controllers are plugins that govern and enforce how a cluster is used.
Meanwhile, one of the things ARMO added to Kubescape is the ability to not only find out what are the critical vulnerabilities but also filter them for those that can be exploited remotely, Rozen said. And another feature in the works is providing a way for users to prioritize the issues they find using the platform.
ARMO had a goal of earning developer love for its technology and getting there required a few different things.
“First of all, if you want to have developers use it, you need to go from left to right, you first solve the left side of the problem before you solve the right side of the problem,” Rozen said. “And by right side, I mean the runtime advanced capabilities.”
The second thing is to offer developers something that they can use and get value from in three to five minutes.
“I think that’s part of how we grew,” Rozen said. “Because a developer that gets on our GitHub, now, five minutes from now will have their first scan running on his cluster.
The third thing to gain developer love is to go open source.
“Because first of all, we wanted the community to give us feedback,” Rozen said. “The community is much more effective in giving you feedback and helping you build the product, and also actually commit development efforts. You know, some of our third-party extensions have been created by our community.”