3 Steps to Protect Kubernetes in 2021
June 10, 2021

Brian Johnson
Rapid7

The move to the cloud has steadily grown over the last decade, with more and more cloud-based applications released on a nearly daily basis. This growth is expected to accelerate even more in 2021, with a recent survey finding more than 40 percent of North America enterprise leaders want to significantly increase cloud spending this year. The pandemic has instigated a sense of urgency from leadership to ensure cloud applications are protected and as a result, security teams have had the considerable task of protecting these rapid deployments under extreme time constraints. Cloud computing and cloud native applications have become the foundation of digital business and security leaders must have the skills to protect them.

At the heart of these cloud-native applications is Kubernetes — one recent report found 85 percent of IT leaders agree that it is key to cloud-native application strategies. Kubernetes is a fast-moving and often complex platform that requires users to stay up to date on new skills and technologies. Because of this, cloud-native applications have been a hot target for hackers with discoveries of malware campaigns like Hildegard highlighting how groups are able to launch a large-scale attack through a Kubernetes cluster when organizations are not resilient.

If security teams cannot prioritize or secure their Kubernetes deployment, the entire cloud application stack and larger organization are at high risk. When not protected, attackers are able to take advantage of cluster settings and escalate privileges to gain full control, which can result in company breaches and the exploitation of private data. Cybersecurity teams should follow these steps to better protect their data stored in the cloud from attack.

1. Configure the Kubernetes orchestration layer

The Kubernetes orchestration layer is an integral part of cloud-native platforms and allows for the optimization and streamlining of repeatable processes. It turns individual tasks in the cloud into an optimized workflow — reducing errors and increasing cost efficiency. It's essential that the orchestration layer is configured for ongoing protection and compliance.

Instrumenting and hardening Kubernetes for a secure deployment can often be complex and is best actioned by organizations in four stages.

1. Aligning on policies: Businesses must configure and use Kubernetes-native security controls including role-based access control (RBAC), pod security policies (PSP), network policies, and secrets management. These should be used, as a small change during deployment — like exposing an RDP port — could lead to a severe breach.

2. Better connecting DevOps and security: Locking down both the Kubernetes control and data plane configurations should be a priority for IT teams. There is an overwhelming number of settings that DevOps and security teams must collaborate on to set correctly and lock down a Kubernetes deployment.

3. Adding in an extra layer: Organizations should consider augmenting Kubernetes-native functions with additional controls, including micro-segmentation firewalls, encryption, and image scanning. Doing this ensures applications stay in compliance and secure in an ever-changing landscape.

4. Adopting a service mesh: A service mesh allows users to control how different elements of a cloud application share data with one another. This infrastructure layer in the cloud can document how Kubernetes applications interact. Configuring and protecting the broader Kubernetes ecosystem with service mesh mitigates risk between Kubernetes services through end-to-end encryption, saving time for IT teams in the long run.

2. Prioritize Kubernetes visibility and control

Observability and insight into an organization's Kubernetes is essential to achieving and maintaining cloud security. IT teams should aim for deep visibility into Kubernetes app performance, security, and availability to protect and evolve their infrastructure and business. With insights, IT teams can reduce outages and downtime, understand who and what is accessing and running their Kubernetes environment, discover the cause of potential cloud issues, and detect potential vulnerabilities.

Developing a deep level of visibility requires entrenched hooks in the container environment with access to core Kubernetes attributes, which is impossible through log monitoring alone. A Kubernetes security approach should provide kernel-level visibility into all Kubernetes activity, configuration settings, and security controls.

3. Utilize the CIS benchmark as a guardrail

Kubernetes has hundreds of possible configuration settings and many of them have profound security and compliance implications, often making it challenging for IT teams to configure their deployment securely. To address this concern, the Center for Internet Security (CIS) has shared a security guideline for configuring both the Kubernetes control and data planes. The CIS shares detailed recommendations around control plane components and configuration, worker nodes, kubelet, policies (including pod and network-specific), secrets management and admissions control. It is recommended that experts automatically run the CIS benchmarks to protect their Kubernetes deployment to its fullest extent. Teams should continue tracking and monitoring their clusters in real time and flag when a configuration change differs from a benchmark recommendation. If this is done routinely, the CIS benchmark becomes a strong guardrail that allows teams to adjust a deployment without impacting their security and compliance posture.

Kubernetes is an essential part of an organization's cloud platform and should be prioritized when taking steps to secure company data. Focusing on Kubernetes visibility, activity and configuration reduces the potential risks of blind spots and unforeseen attacks. Instrumentation and control of Kubernetes, in addition to leveraging the CIS benchmark, are essential steps to protecting Kubernetes in 2021 and beyond.

Brian Johnson is SVP, Cloud Security, at Rapid7
Share this

Industry News

December 06, 2022

The Cloud Native Computing Foundation® (CNCF®), which builds sustainable ecosystems for cloud native software, announced the graduation of Argo, which will join other graduated projects such as Kubernetes, Prometheus, and Envoy.

December 06, 2022

Wib announced API PenTesting-as-a-Service (PTaaS) designed to help organizations proactively cover the latest PCI-DSS 4.0 mandates for testing application security, APIs, and vulnerabilities in Business Logic.

December 05, 2022

Harness announced Harness Cluster Orchestrator to allow customers to optimize their Kubernetes cloud workload costs and realize up to 90% cloud cost savings with Amazon Elastic Compute Cloud (Amazon EC2) Spot instances from Amazon Web Services (AWS).

December 01, 2022

Salesforce introduced a new Automation Everywhere Bundle to accelerate end-to-end workflow orchestration, automate across any system, and embed data and AI-driven workflows anywhere.

December 01, 2022

Weaveworks announced that Flux, the original GitOps project, has graduated in the Cloud Native Computing Foundation (CNCF®).

December 01, 2022

Tigera announced enhancements to its cluster mesh capabilities for managing multi-cluster environments with Calico.

December 01, 2022

CloudBees achieved the Amazon Web Service (AWS) Service Ready Program for Amazon Elastic Compute Cloud (Amazon EC2) Spot Instances.

November 30, 2022

GitLab announced the limited availability of GitLab Dedicated, a new way to use GitLab - as a single-tenant software as a service (SaaS) solution.

November 30, 2022

Red Hat announced an expansion of its open solutions publicly available in AWS Marketplace.

November 30, 2022

Sisense announced the availability of the Sisense CI/CD Git integration module.

November 29, 2022

Codenotary announced TrueSBOM for Serverless, a self-updating Software Bill of Materials (SBOM) for applications running on AWS Lamda, Google Cloud Functions and Microsoft Azure Functions that is made possible by simply adding one line to the application source code.

November 29, 2022

Code Intelligence announced its open-source Command-Line Interface (CLI) tool, CI Fuzz CLI, now allows Java developers to easily incorporate fuzz testing into their existing JUnit setup in order to find functional bugs and security vulnerabilities at scale.

November 29, 2022

Parasoft announced the 2022.2 release of Parasoft C/C++test with support for MISRA C:2012 Amendment 3 and a draft version of MISRA C++ 202x.

November 28, 2022

Kasm Technologies announced the release of Kasm Workspaces v1.12, providing major enhancements to its portfolio of digital workspaces delivering Desktop as a Service (DaaS), Virtualized Desktop Infrastructure (VDI), Remote Browser Isolation (RBI), Open-Source Intelligence Collection (OSINT), Training/Sandboxes, and Containerized Application Streaming (CAS).

November 28, 2022

Cloud4C has achieved Amazon Web Services (AWS) DevOps Competency status.