6 Key Kubernetes DevSecOps Principles: People, Processes, Technology - Part 1
August 04, 2022
Bridgecrew

Container-based application deployment is at its peak, as is the popularity of orchestration platforms like Kubernetes that form the underlying infrastructure for containerized applications. Because of its ability to orchestrate and automate application deployment, scaling, and management, Kubernetes has become the de facto deployment and orchestration tool for cloud-native applications.

We cannot talk about securing container-based applications without talking about DevSecOps.

This methodology emerged to build on the agility that development and operations teams already share and extend it into end-to-end security awareness. It is an approach that integrates security throughout the application lifecycle so that responsibility for security is shared between DevOps and security teams. Traditional security methods don't quite cut it for cloud-native technologies because they happen outside of the development process and primarily consider the runtime state of resources. That's why automated, built-in security must become a priority within containerized hybrid cloud environments.

Building a DevSecOps strategy requires not only the right tooling but also the right culture. In this 2-part post, we'll introduce you to several principles to keep in mind when developing a Kubernetes infrastructure strategy or improving an existing one.

Key DevSecOps Principles for Kubernetes Infrastructure

When we talk about Kubernetes as a container orchestration platform, we are referring to the loosely coupled set of building blocks that provide mechanisms to deploy, maintain, and scale containerized applications. Generally speaking, a Kubernetes installation is composed of one or more clusters, each made up of nodes. Each node runs one or more pods, and each pod consists of one or more containers. The containers run the application images.

When we talk about Kubernetes security, we are talking about system-level security awareness. It combines the security of the application code, the security of the image composition and its dependencies, and the configuration of the surrounding Kubernetes infrastructure, from the Kubernetes manifests for the deployment to the core components of the cluster itself. This system truly spans development, security, and ops.

The goal of Kubernetes-based DevSecOps strategies should be to align those teams to implement consistent guardrails and automate them across the Kubernetes development lifecycle.

Infrastructure Automation with IaC

Infrastructure as code (IaC) is key to embracing DevSecOps, especially when Kubernetes is involved. Functionally, IaC makes it easier to operate cloud and Kubernetes infrastructure systematically through machine-readable, version-controllable templates. It lets you manage your cloud infrastructure the same way you manage your apps, services, and other code, and it eliminates manual setup as well as the one-off scripts you would otherwise need to perform infrastructure changes.

From a security standpoint, IaC templates such as Kubernetes manifests (or more modular components such as Helm charts and Kustomize files) allow for early and automated detection of security misconfigurations. Being able to enforce security best practices such as the CIS Kubernetes Benchmark as early as possible is crucial, and IaC is what makes that enforcement practical.

Immutability

An important principle for Kubernetes, especially when leveraging IaC, is to understand and strive for immutability. In the realm of infrastructure provisioning, immutability means that deployed system components, such as container images, can only be modified at the source and never at runtime.

Functionally, this allows for faster iterations and more frequent updates in which these components are torn down, updated, tested, verified, and then re-deployed. This approach is also required to incorporate DevSecOps fully and to carry security best practices baked in at build time all the way through to runtime. Kubernetes environments can enforce security rules such as limiting the system-level actions an application is allowed to execute, requiring CPU and memory limits, and blocking the launch of containers that violate those rules.
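As an added example (not code from the original post or from Bridgecrew), here is the kind of build-time manifest check described in the IaC and Immutability sections above: it flags a privileged container, missing CPU and memory limits, and an image that is not pinned by digest in a constructed "weak" manifest, and passes the hardened version of the same Deployment. Manifests are written as JSON (which kubectl also accepts) so the script needs only the standard library; the image digest is a placeholder.

```python
import json

# Constructed manifests in JSON form. WEAK is the misconfigured "before";
# HARDENED is the same Deployment with the checks below satisfied.
WEAK = json.loads("""
{"apiVersion":"apps/v1","kind":"Deployment","metadata":{"name":"web"},
 "spec":{"template":{"spec":{"containers":[
   {"name":"web","image":"web:latest",
    "securityContext":{"privileged":true}}]}}}}
""")

HARDENED = json.loads("""
{"apiVersion":"apps/v1","kind":"Deployment","metadata":{"name":"web"},
 "spec":{"template":{"spec":{"containers":[
   {"name":"web","image":"web@sha256:PLACEHOLDER_DIGEST",
    "resources":{"limits":{"cpu":"500m","memory":"256Mi"}},
    "securityContext":{"privileged":false,"allowPrivilegeEscalation":false,
                       "runAsNonRoot":true,"readOnlyRootFilesystem":true}}]}}}}
""")

def pod_spec(manifest):
    """Return the pod spec of a bare Pod or of a workload's pod template."""
    if manifest.get("kind") == "Pod":
        return manifest["spec"]
    return manifest["spec"]["template"]["spec"]

def check_manifest(manifest):
    """Return a list of findings; an empty list means the manifest passes."""
    findings = []
    for c in pod_spec(manifest).get("containers", []):
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext", {})
        limits = c.get("resources", {}).get("limits", {})
        if sc.get("privileged"):
            findings.append(f"{name}: privileged container")
        if sc.get("allowPrivilegeEscalation", True):  # defaults to true
            findings.append(f"{name}: allowPrivilegeEscalation not false")
        if not sc.get("runAsNonRoot"):
            findings.append(f"{name}: runAsNonRoot not set")
        if not sc.get("readOnlyRootFilesystem"):
            findings.append(f"{name}: root filesystem is writable")
        for res in ("cpu", "memory"):  # limits the page says to require
            if res not in limits:
                findings.append(f"{name}: no {res} limit")
        if "@sha256:" not in c.get("image", ""):  # tags are mutable
            findings.append(f"{name}: image not pinned by digest")
    return findings

if __name__ == "__main__":
    for label, m in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, check_manifest(m) or "passes")
```

Run in a CI step, a non-empty result should fail the build so the misconfiguration never reaches the cluster.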

Integration with CI/CD pipelines

CI/CD pipelines are the heartbeat of agile product organizations, allowing for the automated integration and delivery of software from code development to production deployment.

Continuous integration (CI) is the process of automating the building and packaging of software. Modern CI tools spin up ephemeral instances to create build artifacts and then spin them down once the build is complete. Those ephemeral environments allow for functional testing as well as security scanning—from checking Kubernetes manifests for misconfigurations to identifying known vulnerabilities in images and dependencies.

Continuous delivery (CD) is also required to roll out changes to your running Kubernetes workloads safely and quickly, by standing up test infrastructure and, in some instances, creating parallel deployment instances that make it easier to switch over in case of downtime.

When leveraging IaC and Kubernetes, CI/CD allows for not only greater efficiency and productivity but also a higher level of security when it comes to deploying containerized applications.

Go to: 6 Key Kubernetes DevSecOps Principles: People, Processes, Technology - Part 2
