Kyverno Defends Containers Against Security Configuration Errors
Securing containers poses a particular challenge for enterprises deploying resources in cloud environments. Not only are they designed to be spun up fast and to scale quickly but the technology is still relatively new and developers might not be aware of all the potential settings and nuances of container security.
“Kubernetes gives a lot of flexibility in the way that workloads are deployed,” said Ritesh Patel, vice president of products at Nirmata, which offers Kubernetes management and deployment tools.
“And that leads to issues and vulnerabilities,” he added. “Every few weeks, we see some configuration-related vulnerability announced or exposed.”
“Developers may not know 80% of what needs to be configured, nor should they,” said Jim Bugwadia, founder and CEO at Nirmata. “They should worry about their workloads, their applications.”
There are some tools that enterprises can use to help configure containers, one of which is Nirmata’s own open-source Kyverno policy engine.
“Kyverno can address the problem in a very efficient manner,” said Patel. “People can write policies to prevent certain configurations, for example. The other interesting thing about Kyverno is that it enables automation. It can not only block bad configurations but generate new configurations.”
This enables workflows that the industry couldn’t even imagine when Nirmata open-sourced Kyverno two years ago, he said.
The Particular Challenge of Unsecured Containers
Security configuration errors are a huge problem for companies, and it’s getting bigger.
According to the 2020 Verizon data breach investigations report, the industry bible, misconfigurations were the fastest-growing source of data breaches, moving from eighth to fourth place since the previous year.
A study by IBM and Ponemon found that misconfigured cloud servers tied as the most frequent initial threat vector, alongside stolen or compromised credentials. Breaches due to cloud misconfigurations resulted in the average cost of a breach increasing by more than half a million dollars to $4.41 million.
Companies accidentally set access controls to cloud-based resources so that anyone can access them. Attackers can steal data or hijack sources to, say, run cryptomining software.
According to DivvyCloud’s 2020 cloud misconfiguration report, configuration errors cost enterprises nearly $5 trillion over the previous two years.
And that’s just for the reported errors. According to McAfee, 99% of all IaaS issues go unreported.
Source: SANS 2021 Cloud Security Survey.
Kyverno to the Rescue
As part of the Cloud Native Computing Foundation, Kyverno saw 3.55 million downloads in less than five months, an unprecedented level of adoption.
The way it works is that the Kyverno controller sits inside its own container inside a cluster, and looks at the requests being made to the Kubernetes API servers.
“The operations team can define the policies that need to be enforced,” said Bugwadia. “Now, as part of the admission control systems in Kubernetes, Kyverno can inspect every API request and if it doesn’t match the policies, it can flag that.”
As companies start to deploy Kyverno at scale, however, another challenge comes up. While Kyverno is managing the Kubernetes configurations, who’s managing the Kyverno?
“Our customers end up installing Kyverno on every cluster they bring up,” said Patel. “They have to figure out how to install Kyverno automatically whenever a new cluster comes up. They have to build some tooling around it.”
This is the level of management and automation Nirmata offers in its Kubernetes Policy Manager for Kyverno, released this week, during KubeCon+CloudNativeCon 2021.
In addition, many enterprises store their security and configuration policies in central repositories.
“These need to be propagated to the clusters so that Kyverno can start enforcing those policies,” said Patel. “Nirmata can enable this policy as code approach by integrating with the Git repositories, and defining which policies get applied to which customers. Some policies might be for your production clusters, for example, while other policies are for the testing and development clusters.”
Then Nirmata collects all the alerts and violation reports from the individual clusters and grades the server workloads, so that application owners can then fix the violations.
In audit mode, the violations are simply reported. “You can also configure it to block certain configurations,” said Patel.
Nirmata can also apply earlier in the software development pipeline.
“You can run the checks early, before the configurations get pushed out,” said Bugwadia. “Nirmata becomes a seamless part of the development process. And it gamifies the whole thing by giving it a grade, while helping teams ensure that their workloads are compliant.”
Nirmata’s Kubernetes Policy Manager is currently available for early access to select customers. General availability is expected in the second quarter of this year.