Security for Kubernetes
With all the excitement around containers and Kubernetes, it can be easy to forget that these systems still require the same types of help that older virtual machine and hardware-based systems needed. Chief among that list of needs is security. We sat down at the recent KubeCon+CloudNativeCon in Copenhagen to discuss this very topic with Liz Rice, technology evangelist at Aqua Security, as well as with Justin Cappos, associate professor of computer science and engineering at the New York University’s Tandon School of Engineering. Cappos is one of the driving forces behind the TUF (The Update Framework) project.
Now managed by the Cloud Native Computing Foundation (CNCF), TUF is a software updating specification specifically designed to assume your infrastructure will be compromised at some point. Cappos said the framework is resilient to those compromises and will be able to restore keys and security after such a break-in. “TUF is a solution which has revocation as a first class, primary concern from the very beginning, which is very atypical for security systems,” said Cappos.
TUF is designed to allow administrators to track provenance and integrity for applications run inside a cloud environment, Rice said. TUF can provide origin confirmation of everything running in a network, confirming whether or not a binary has been changed by an outside hand. She added that other security projects at the CNCF, like SPIFFE, are doing similar things for services, ensuring integrity and trust for the entire platform.
Still, said Rice, Kubernetes security is an evolving landscape filled with gaps left between growing projects. “They’re quite disparate bits of the security puzzle. Security is a huge thing. We’ll probably see more projects and more security-related initiatives,” said Rice. That’s not to say the CNCF is waiting until projects are done to ensure security.
Cappos said the CNCF is already paying for security audits of TUF and Notary, and that SPIFFE and other projects will be soon to follow. Rice added that CoreDNS went through a similar security audit, where a cache poisoning bug was found and fixed. CoreDNS has become a part of the core Kubernetes platform as of the upcoming release of version 1.11.
In this Edition:
1:10: Tell us about the TUF Project.
3:58: How do other Kubernetes security projects fit together?
10:10: How do you manage security complexity in microservices deployments using Kubernetes?
13:37: What are the security concerns surrounding Kubernetes that will be apparent over the next six months?
15:05: What are some of the areas you can see open source projects emerging in?
17:00: The status of Grafeas at the moment.