Real Data for a Proper Kubernetes Security Review
The Cloud Native Computing Foundation (CNCF) sponsored this post.
Container security has always been a concern — especially now in the wake of recent highly publicized vulnerabilities and breaches. But while containers benefit from running in isolated environments and can have other advantages compared to traditional application structures, the peculiarities of Kubernetes as an orchestration platform represents additional security concerns. As Kubernetes continues on its rapid path of adoption, the need for a reliable framework for vulnerability detection and management becomes that much more important.
The lack of a definitive audit of the state of Kubernetes security set the stage for publication of the Kubernetes Security Audit Working Group. On hand to discuss the audit during KubeCon + CloudNativeCon were Jay Beale, chief technology officer of InGuardians, and Aaron Small, a product manager for Google, who are also both co-leads of the Kubernetes third-party assessment project. They discussed this and how Kubernetes, compared to Docker containers, represents a new, and ultimately, risky world of dependencies during a live recording in San Diego for this edition of The New Stack Makers podcast.
Indeed, security is top of mind for organizations adopting containerization and Kubernetes. Organizations’ DevOps are coming “from a more traditional security mindset, which often includes things like third-party security assessment, like part of a package they get, so that helps us demonstrate to people who are coming to containerization that we have that same level of maturity,” Small said.
Vulnerabilities are, of course, ongoing and relentless, but detecting and fixing them are also part of everyday DevOps security-maintenance tasks. An effective third-party assessment is thus helpful — and practical. “In my day job and in your day job we keep seeing vulnerabilities and we keep seeing real attacks against Kubernetes, and we fix them, and at Google, we look for them, and I’m sure you find them — everyone’s doing it in their own enclave,” Small said. “We thought it was important to just move it from the ground up, like let’s actually invest in it and put some time, energy and money into it. See if we can fix all these before I don’t have to put them on my security bulletins page.”
Upon the release of the report in 2019, Beale said “all of our deliverables resulted in something like 240 printed pages in the report, “And they’re actually all good ones — there’s nothing that’s just feels like fluff.”
Getting more organizations on board to become interested in Kubernetes as well as in the Security Audit Working Group involves a two-pronged approach, Small said. “We looked at two potential directions: which is do we go to the Kubernetes community, and say, ‘hey, Kubernetes security is really interesting and it is really exciting to work on it’ or do we go to the security community and say ‘hey, Kubernetes is really interesting and is really exciting to work on,'” Small said. “I’m going to do both. So, I expand both circles, and I’m excited to get more and more people involved.”
Security auditing will, of course, continue to be an ongoing part of the Kubernetes and the cloud native narrative, Beale said. “I’ve been a Linux guy for a really, really, really long time and, in a lot of ways, with the rise of containerization, the rise of Kubernetes and the rise of the whole SecOps” there has been a total change in the development model, Beale said. “And honestly, I’ve got to say on the infosec side, nobody’s quite used to it yet and we’re all just coming around,” Beale said. “And there are only a few of us who have really started getting interested and everybody else is like ‘I’m going to start looking at this soon.’ But it’s been really fun to be toward the beginning of the security story of Kubernetes.”