Where do you use containers? Organizations started using containers in development and test environments. Over the past couple of years, confidence has grown and we are seeing significant container growth in production environments. Organizations are adopting containers across the software development lifecycle.
Of course, this begs the question - how secure are your containers?
Kubernetes is one solution for deploying, managing, and scaling your containers. Karthik Gaekwad (@iteration1), a developer and cloud native evangelist at Oracle, lays out tips and tools to ensure Kubernetes containers are as secure as possible in his All Day DevOps presentation, KubeSecOps.
While organizations are increasingly adopting containers, core issues remain. According to a Cloud Native Computing Foundation (CNCF) survey, complexity, culture, training, and security are all challenges for organizations working with containers. An Oracle survey shows that managing, maintaining, and updating the Kubernetes Control Plane and Data Plane, figuring out container networking and storage, managing teams, and security continue to challenge organizations.
As examples, Karthik mentions an incident in which unsecured K8s dashboards let attackers use the affected cloud environments to mine cryptocurrency. Aviva, Weight Watchers, and Tesla were among those impacted. He highlights another incident, affecting Shopify, in which attackers gained access to any container in the infrastructure.
Many complain that Kubernetes is too complicated. Karthik agrees, and recognizes that this complexity affects whether users adopt sound practices. So he lays out some tips to make administering Kubernetes easier and the system more secure. He covers attack surfaces, security-related features in K8s, and open source tools that can help.
Look at the host, the containers, and the Kubernetes cluster to reduce the attack surface.
For the machines you are running Kubernetes on, the goal is to minimize the privileges of applications running on the host. For container images, know your base image when building containers: the smaller the better, don’t rely on the :latest tag, and check for vulnerabilities periodically. For your running containers, don’t run as root and limit host mounts. Finally, for your Kubernetes cluster, use TLS everywhere and review audit logs, network policies, pod security policies, and secrets.
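As an added example (not from the talk), the following script checks a Pod manifest against several of the controls just listed: pinned image tags rather than :latest, non-root containers, no hostPath mounts, and no privileged containers. The two sample manifests are constructed for illustration, and the manifests are plain Python dicts (what yaml.safe_load would return) so it runs without PyYAML.

```python
# Checks a Pod manifest for: unpinned (:latest) images, root containers,
# hostPath volumes and privileged containers. Manifests are plain dicts,
# as yaml.safe_load would return them, so no PyYAML is needed.

def image_uses_latest(image: str) -> bool:
    """True when the image is unpinned: no tag at all, or the :latest tag."""
    if "@sha256:" in image:
        return False                      # pinned by digest
    last = image.rsplit("/", 1)[-1]       # drop registry[:port]/repo prefix
    tag = last.split(":", 1)[1] if ":" in last else "latest"
    return tag == "latest"

def audit_pod(pod: dict) -> list:
    """Return one finding string per violated control; empty list if clean."""
    findings = []
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            findings.append(f"volume {vol['name']}: hostPath {vol['hostPath'].get('path')}")
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name, image = c.get("name", "?"), c.get("image", "")
        if image_uses_latest(image):
            findings.append(f"container {name}: unpinned image {image!r}")
        sc = {**pod_sc, **c.get("securityContext", {})}   # container overrides pod
        if not sc.get("runAsNonRoot") and sc.get("runAsUser", 0) == 0:
            findings.append(f"container {name}: may run as root")
        if sc.get("privileged"):
            findings.append(f"container {name}: privileged")
    return findings

# Constructed sample manifests (not from the talk): weak vs hardened.
WEAK_POD = {"kind": "Pod", "spec": {
    "volumes": [{"name": "run", "hostPath": {"path": "/var/run"}}],
    "containers": [{"name": "web", "image": "nginx",
                    "securityContext": {"privileged": True}}]}}

HARDENED_POD = {"kind": "Pod", "spec": {
    "securityContext": {"runAsNonRoot": True, "runAsUser": 10001},
    "volumes": [{"name": "tmp", "emptyDir": {}}],
    "containers": [{"name": "web", "image": "registry.example.com/web:1.4.2",
                    "securityContext": {"allowPrivilegeEscalation": False,
                                        "readOnlyRootFilesystem": True}}]}}

if __name__ == "__main__":
    for label, pod in (("weak", WEAK_POD), ("hardened", HARDENED_POD)):
        print(label, audit_pod(pod) or ["no findings"])
```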
Karthik also mentions several open source tools to help you. First, he recommends keeping tabs on the CNCF security landscape (the CNCF manages the Kubernetes project). He also covers several other tools.
For additional resources, he also recommends the post "11 Ways Not to Get Hacked on Kubernetes" and a presentation on security by Michael Hausenblas.
Do you want to hear more of his recommendations and tips? Karthik’s full presentation is here.
Interested in DevOps? Register for the next All Day DevOps, November 6, 2019. It will be a day to discuss security, CI/CD, cloud native infrastructure, cultural transformation, site reliability engineering, and yes, Kubernetes.