3 Steps to Protect Kubernetes in 2021
June 10, 2021

Brian Johnson
Rapid7

The move to the cloud has steadily grown over the last decade, with more and more cloud-based applications released on a nearly daily basis. This growth is expected to accelerate even more in 2021, with a recent survey finding more than 40 percent of North America enterprise leaders want to significantly increase cloud spending this year. The pandemic has instigated a sense of urgency from leadership to ensure cloud applications are protected and as a result, security teams have had the considerable task of protecting these rapid deployments under extreme time constraints. Cloud computing and cloud native applications have become the foundation of digital business and security leaders must have the skills to protect them.

At the heart of these cloud-native applications is Kubernetes — one recent report found 85 percent of IT leaders agree that it is key to cloud-native application strategies. Kubernetes is a fast-moving and often complex platform that requires users to stay up to date on new skills and technologies. Because of this, cloud-native applications have been a hot target for hackers with discoveries of malware campaigns like Hildegard highlighting how groups are able to launch a large-scale attack through a Kubernetes cluster when organizations are not resilient.

If security teams cannot prioritize or secure their Kubernetes deployment, the entire cloud application stack and larger organization are at high risk. When not protected, attackers are able to take advantage of cluster settings and escalate privileges to gain full control, which can result in company breaches and the exploitation of private data. Cybersecurity teams should follow these steps to better protect their data stored in the cloud from attack.

1. Configure the Kubernetes orchestration layer

The Kubernetes orchestration layer is an integral part of cloud-native platforms and allows for the optimization and streamlining of repeatable processes. It turns individual tasks in the cloud into an optimized workflow — reducing errors and increasing cost efficiency. It's essential that the orchestration layer is configured for ongoing protection and compliance.

Instrumenting and hardening Kubernetes for a secure deployment can often be complex and is best actioned by organizations in four stages.

1. Aligning on policies: Businesses must configure and use Kubernetes-native security controls including role-based access control (RBAC), pod security policies (PSP), network policies, and secrets management. These should be used, as a small change during deployment — like exposing an RDP port — could lead to a severe breach.

2. Better connecting DevOps and security: Locking down both the Kubernetes control and data plane configurations should be a priority for IT teams. There is an overwhelming number of settings that DevOps and security teams must collaborate on to set correctly and lock down a Kubernetes deployment.

3. Adding in an extra layer: Organizations should consider augmenting Kubernetes-native functions with additional controls, including micro-segmentation firewalls, encryption, and image scanning. Doing this ensures applications stay in compliance and secure in an ever-changing landscape.

4. Adopting a service mesh: A service mesh allows users to control how different elements of a cloud application share data with one another. This infrastructure layer in the cloud can document how Kubernetes applications interact. Configuring and protecting the broader Kubernetes ecosystem with service mesh mitigates risk between Kubernetes services through end-to-end encryption, saving time for IT teams in the long run.

2. Prioritize Kubernetes visibility and control

Observability and insight into an organization's Kubernetes is essential to achieving and maintaining cloud security. IT teams should aim for deep visibility into Kubernetes app performance, security, and availability to protect and evolve their infrastructure and business. With insights, IT teams can reduce outages and downtime, understand who and what is accessing and running their Kubernetes environment, discover the cause of potential cloud issues, and detect potential vulnerabilities.

Developing a deep level of visibility requires entrenched hooks in the container environment with access to core Kubernetes attributes, which is impossible through log monitoring alone. A Kubernetes security approach should provide kernel-level visibility into all Kubernetes activity, configuration settings, and security controls.

3. Utilize the CIS benchmark as a guardrail

Kubernetes has hundreds of possible configuration settings and many of them have profound security and compliance implications, often making it challenging for IT teams to configure their deployment securely. To address this concern, the Center for Internet Security (CIS) has shared a security guideline for configuring both the Kubernetes control and data planes. The CIS shares detailed recommendations around control plane components and configuration, worker nodes, kubelet, policies (including pod and network-specific), secrets management and admissions control. It is recommended that experts automatically run the CIS benchmarks to protect their Kubernetes deployment to its fullest extent. Teams should continue tracking and monitoring their clusters in real time and flag when a configuration change differs from a benchmark recommendation. If this is done routinely, the CIS benchmark becomes a strong guardrail that allows teams to adjust a deployment without impacting their security and compliance posture.

Kubernetes is an essential part of an organization's cloud platform and should be prioritized when taking steps to secure company data. Focusing on Kubernetes visibility, activity and configuration reduces the potential risks of blind spots and unforeseen attacks. Instrumentation and control of Kubernetes, in addition to leveraging the CIS benchmark, are essential steps to protecting Kubernetes in 2021 and beyond.

Brian Johnson is SVP, Cloud Security, at Rapid7
Share this

Industry News

June 22, 2021

Red Hat announced new end-to-end Kubernetes-native decision management capabilities as part of the latest release of Red Hat Process Automation.

June 22, 2021

GitLab announces the next iteration of its single application with its 14 release.

June 22, 2021

Transposit introduced new platform capabilities which are developer-friendly, but built for all.

June 22, 2021

Plutora transitioned to an expanded data-centric platform, added additional metrics to monitor and manage value stream flow, and deepened its integrations with Agile planning tools.

June 22, 2021

Opsera announces its native Salesforce CI/CD release automation functionality.

June 21, 2021

Render announced the general availability of autoscaling.

June 21, 2021

Grafana Labs acquired k6, the Stockholm-based startup behind the open source load testing tool for engineering teams.

June 17, 2021

Bitrise announced the release of its new enterprise-grade Mobile DevOps platform.

June 17, 2021

Perforce Software announces a partnership with Microsoft to deliver the free Enhanced Studio Pack, providing development tools in a click-to-start model on the Azure cloud.

June 17, 2021

Tigera announced the availability of Calico Cloud in the Microsoft Azure Marketplace.

June 16, 2021

Red Hat announced the general availability of Red Hat’s migration toolkit for virtualization to help organizations accelerate open hybrid cloud strategies by making it easier to migrate existing workloads to modern infrastructure in a streamlined, wholesale manner.

June 16, 2021

BrowserStack announced it has secured $200 million in Series B funding at a $4 billion valuation.

June 16, 2021

Harness announced significant platform updates that address gaps in today's developer and DevOps market.

June 15, 2021

Broadcom announced new capabilities for Value Stream Management (VSM) in its ValueOps software portfolio, seamlessly combining the proven investment planning features of Clarity™ with the advanced Agile management capabilities of Rally® software.

June 15, 2021

Copado announced its Summer 21 Release, opening up its platform for true multi-cloud DevOps for enterprise SaaS and low-code development.