3 Steps to Protect Kubernetes in 2021
June 10, 2021

Brian Johnson
Rapid7

The move to the cloud has steadily grown over the last decade, with more and more cloud-based applications released on a nearly daily basis. This growth is expected to accelerate even more in 2021, with a recent survey finding more than 40 percent of North America enterprise leaders want to significantly increase cloud spending this year. The pandemic has instigated a sense of urgency from leadership to ensure cloud applications are protected and as a result, security teams have had the considerable task of protecting these rapid deployments under extreme time constraints. Cloud computing and cloud native applications have become the foundation of digital business and security leaders must have the skills to protect them.

At the heart of these cloud-native applications is Kubernetes — one recent report found 85 percent of IT leaders agree that it is key to cloud-native application strategies. Kubernetes is a fast-moving and often complex platform that requires users to stay up to date on new skills and technologies. Because of this, cloud-native applications have been a hot target for hackers with discoveries of malware campaigns like Hildegard highlighting how groups are able to launch a large-scale attack through a Kubernetes cluster when organizations are not resilient.

If security teams cannot prioritize or secure their Kubernetes deployment, the entire cloud application stack and larger organization are at high risk. When not protected, attackers are able to take advantage of cluster settings and escalate privileges to gain full control, which can result in company breaches and the exploitation of private data. Cybersecurity teams should follow these steps to better protect their data stored in the cloud from attack.

1. Configure the Kubernetes orchestration layer

The Kubernetes orchestration layer is an integral part of cloud-native platforms and allows for the optimization and streamlining of repeatable processes. It turns individual tasks in the cloud into an optimized workflow — reducing errors and increasing cost efficiency. It's essential that the orchestration layer is configured for ongoing protection and compliance.

Instrumenting and hardening Kubernetes for a secure deployment can often be complex and is best actioned by organizations in four stages.

1. Aligning on policies: Businesses must configure and use Kubernetes-native security controls including role-based access control (RBAC), pod security policies (PSP), network policies, and secrets management. These should be used, as a small change during deployment — like exposing an RDP port — could lead to a severe breach.

2. Better connecting DevOps and security: Locking down both the Kubernetes control and data plane configurations should be a priority for IT teams. There is an overwhelming number of settings that DevOps and security teams must collaborate on to set correctly and lock down a Kubernetes deployment.

3. Adding in an extra layer: Organizations should consider augmenting Kubernetes-native functions with additional controls, including micro-segmentation firewalls, encryption, and image scanning. Doing this ensures applications stay in compliance and secure in an ever-changing landscape.

4. Adopting a service mesh: A service mesh allows users to control how different elements of a cloud application share data with one another. This infrastructure layer in the cloud can document how Kubernetes applications interact. Configuring and protecting the broader Kubernetes ecosystem with service mesh mitigates risk between Kubernetes services through end-to-end encryption, saving time for IT teams in the long run.

2. Prioritize Kubernetes visibility and control

Observability and insight into an organization's Kubernetes is essential to achieving and maintaining cloud security. IT teams should aim for deep visibility into Kubernetes app performance, security, and availability to protect and evolve their infrastructure and business. With insights, IT teams can reduce outages and downtime, understand who and what is accessing and running their Kubernetes environment, discover the cause of potential cloud issues, and detect potential vulnerabilities.

Developing a deep level of visibility requires entrenched hooks in the container environment with access to core Kubernetes attributes, which is impossible through log monitoring alone. A Kubernetes security approach should provide kernel-level visibility into all Kubernetes activity, configuration settings, and security controls.

3. Utilize the CIS benchmark as a guardrail

Kubernetes has hundreds of possible configuration settings and many of them have profound security and compliance implications, often making it challenging for IT teams to configure their deployment securely. To address this concern, the Center for Internet Security (CIS) has shared a security guideline for configuring both the Kubernetes control and data planes. The CIS shares detailed recommendations around control plane components and configuration, worker nodes, kubelet, policies (including pod and network-specific), secrets management and admissions control. It is recommended that experts automatically run the CIS benchmarks to protect their Kubernetes deployment to its fullest extent. Teams should continue tracking and monitoring their clusters in real time and flag when a configuration change differs from a benchmark recommendation. If this is done routinely, the CIS benchmark becomes a strong guardrail that allows teams to adjust a deployment without impacting their security and compliance posture.

Kubernetes is an essential part of an organization's cloud platform and should be prioritized when taking steps to secure company data. Focusing on Kubernetes visibility, activity and configuration reduces the potential risks of blind spots and unforeseen attacks. Instrumentation and control of Kubernetes, in addition to leveraging the CIS benchmark, are essential steps to protecting Kubernetes in 2021 and beyond.

Brian Johnson is SVP, Cloud Security, at Rapid7
Share this

Industry News

November 30, 2023

Parasoft, a global leader in automated software testing solutions, today announced complete support for MISRA C++ 2023 with the upcoming release of Parasoft C/C++test 2023.2.

November 30, 2023

Solo.io achieved the Amazon Elastic Kubernetes Service (Amazon EKS) Ready designation from Amazon Web Services (AWS).

November 29, 2023

CircleCI implemented a gen2 GPU resource class, leveraging Amazon Elastic Compute Cloud (Amazon EC2) G5 instances, offering the latest generation of NVIDIA GPUs and new images tailored for artificial intelligence/machine learning (AI/ML) workflows.

November 29, 2023

XM Cyber announced new capabilities that provide complete and continuous visibility into risks and vulnerabilities in Kubernetes environments.

November 29, 2023

PerfectScale has achieved the Amazon Elastic Kubernetes Service (Amazon EKS) Ready designation from Amazon Web Services (AWS).

November 28, 2023

BMC announced two new product innovations, BMC AMI DevX Code Insights and BMC AMI zAdviser Enterprise.

November 28, 2023

Rafay Systems announced the availability of the Rafay Cloud Automation Platform — the evolution of its Kubernetes Operations Platform — to enable platform teams to deliver automation and self-service capabilities to developers, data scientists and other cloud users.

November 28, 2023

Bitrise is integrating with Amazon Web Services (AWS) to provide compliance-conscious companies with greater access to CI/CD capabilities for mobile app development.

November 28, 2023

Armory announced a new unified declarative deployment capability for AWS Lambda.

November 27, 2023

Amazon Web Services (AWS) and Salesforce announced a significant expansion of their long standing, global strategic partnership, deepening product integrations across data and artificial intelligence (AI), and for the first time offering select Salesforce products on the AWS Marketplace.

November 27, 2023

Veracode announced product innovations to enhance the developer experience. The new features integrate security into the software development lifecycle (SDLC) and drive adoption of application security techniques in the environments where developers work.

November 27, 2023

Couchbase announced a new Capella columnar service on Amazon Web Services (AWS), enabling organizations to harness real-time analytics to build adaptive applications.

November 21, 2023

Redgate announced the launch of Redgate Test Data Manager, which simplifies the challenges that come with Test Data Management (TDM) and modern software development across multiple databases.

November 21, 2023

mabl announced an integration with GitLab, the AI-powered DevSecOps platform.

November 21, 2023

FusionAuth announced the availability of new software development kits (SDKs) that support Angular, React and Vue JavaScript front-end frameworks.