3 Steps to Protect Kubernetes in 2021
June 10, 2021

Brian Johnson
Rapid7

The move to the cloud has steadily grown over the last decade, with more and more cloud-based applications released on a nearly daily basis. This growth is expected to accelerate even more in 2021, with a recent survey finding more than 40 percent of North America enterprise leaders want to significantly increase cloud spending this year. The pandemic has instigated a sense of urgency from leadership to ensure cloud applications are protected and as a result, security teams have had the considerable task of protecting these rapid deployments under extreme time constraints. Cloud computing and cloud native applications have become the foundation of digital business and security leaders must have the skills to protect them.

At the heart of these cloud-native applications is Kubernetes — one recent report found 85 percent of IT leaders agree that it is key to cloud-native application strategies. Kubernetes is a fast-moving and often complex platform that requires users to stay up to date on new skills and technologies. Because of this, cloud-native applications have been a hot target for hackers with discoveries of malware campaigns like Hildegard highlighting how groups are able to launch a large-scale attack through a Kubernetes cluster when organizations are not resilient.

If security teams cannot prioritize or secure their Kubernetes deployment, the entire cloud application stack and larger organization are at high risk. When not protected, attackers are able to take advantage of cluster settings and escalate privileges to gain full control, which can result in company breaches and the exploitation of private data. Cybersecurity teams should follow these steps to better protect their data stored in the cloud from attack.

1. Configure the Kubernetes orchestration layer

The Kubernetes orchestration layer is an integral part of cloud-native platforms and allows for the optimization and streamlining of repeatable processes. It turns individual tasks in the cloud into an optimized workflow — reducing errors and increasing cost efficiency. It's essential that the orchestration layer is configured for ongoing protection and compliance.

Instrumenting and hardening Kubernetes for a secure deployment can often be complex and is best actioned by organizations in four stages.

1. Aligning on policies: Businesses must configure and use Kubernetes-native security controls including role-based access control (RBAC), pod security policies (PSP), network policies, and secrets management. These should be used, as a small change during deployment — like exposing an RDP port — could lead to a severe breach.

2. Better connecting DevOps and security: Locking down both the Kubernetes control and data plane configurations should be a priority for IT teams. There is an overwhelming number of settings that DevOps and security teams must collaborate on to set correctly and lock down a Kubernetes deployment.

3. Adding in an extra layer: Organizations should consider augmenting Kubernetes-native functions with additional controls, including micro-segmentation firewalls, encryption, and image scanning. Doing this ensures applications stay in compliance and secure in an ever-changing landscape.

4. Adopting a service mesh: A service mesh allows users to control how different elements of a cloud application share data with one another. This infrastructure layer in the cloud can document how Kubernetes applications interact. Configuring and protecting the broader Kubernetes ecosystem with service mesh mitigates risk between Kubernetes services through end-to-end encryption, saving time for IT teams in the long run.

2. Prioritize Kubernetes visibility and control

Observability and insight into an organization's Kubernetes is essential to achieving and maintaining cloud security. IT teams should aim for deep visibility into Kubernetes app performance, security, and availability to protect and evolve their infrastructure and business. With insights, IT teams can reduce outages and downtime, understand who and what is accessing and running their Kubernetes environment, discover the cause of potential cloud issues, and detect potential vulnerabilities.

Developing a deep level of visibility requires entrenched hooks in the container environment with access to core Kubernetes attributes, which is impossible through log monitoring alone. A Kubernetes security approach should provide kernel-level visibility into all Kubernetes activity, configuration settings, and security controls.

3. Utilize the CIS benchmark as a guardrail

Kubernetes has hundreds of possible configuration settings and many of them have profound security and compliance implications, often making it challenging for IT teams to configure their deployment securely. To address this concern, the Center for Internet Security (CIS) has shared a security guideline for configuring both the Kubernetes control and data planes. The CIS shares detailed recommendations around control plane components and configuration, worker nodes, kubelet, policies (including pod and network-specific), secrets management and admissions control. It is recommended that experts automatically run the CIS benchmarks to protect their Kubernetes deployment to its fullest extent. Teams should continue tracking and monitoring their clusters in real time and flag when a configuration change differs from a benchmark recommendation. If this is done routinely, the CIS benchmark becomes a strong guardrail that allows teams to adjust a deployment without impacting their security and compliance posture.

Kubernetes is an essential part of an organization's cloud platform and should be prioritized when taking steps to secure company data. Focusing on Kubernetes visibility, activity and configuration reduces the potential risks of blind spots and unforeseen attacks. Instrumentation and control of Kubernetes, in addition to leveraging the CIS benchmark, are essential steps to protecting Kubernetes in 2021 and beyond.

Brian Johnson is SVP, Cloud Security, at Rapid7
Share this

Industry News

January 13, 2022

Infragistics announced the release of Infragistics Ultimate 21.2.

January 13, 2022

Jitterbit acquired PrimeApps, a Turkey-based innovator in low-code application development.

January 13, 2022

Mirantis announced the release of Mirantis Secure Registry (MSR) 3.0, which supports usage across any Kubernetes distribution.

January 12, 2022

DevOps Institute announced its lineup for 2022 events and webinars and plans for two new DevOps certifications.

January 12, 2022

Oxeye unveiled an open-source initiative with the introduction of Ox4Shell.

January 12, 2022

Quali Torque platform is now available to Microsoft Azure users on the Azure Marketplace.

January 11, 2022

CircleCI announced a free tier for CI/CD.

January 11, 2022

GlobalLogic, a Hitachi Group Company, announced availability of OpeNgine version 2.1.

January 11, 2022

The Application Security Division of NTT introduced the next phase of The WhiteHat Vantage Platform, Vantage Prevent, a patented solution that enables enterprises to conduct dynamic application security testing (DAST) at each phase of the development cycle and prevent exploitable vulnerabilities from reaching production.

January 10, 2022

BrowserStack announced the acquisition of Nightwatch.js, the open-source test automation framework.

January 06, 2022

BMC announced new capabilities and integrations across its BMC AMI (Automated Mainframe Intelligence) and BMC Compuware portfolios.

January 06, 2022

ShiftLeft announced that its Intelligent-SCA product added scanning and attackability analysis for JavaScript (JS) and the TypeScript (TS) language to the ShiftLeft CORE platform.

January 06, 2022

Progress announced the latest release of Progress Fiddler Everywhere, its popular web debugging proxy tool.

January 05, 2022

Solo.io announced a new open-source project, BumbleBee, that simplifies the developer experience for building, packaging, and distributing eBPF tools.

January 05, 2022

Forty8Fifty Labs and Old Street Solutions announced that they are partnering in the development and delivery of solutions that simplify the collaboration and use of Atlassian Jira and Confluence.