The Secret: Kubernetes Edition
September 09, 2019

Ranny Nachmias
Alcide

So you think your K8s cluster is configured correctly?

Well … think again.

How do we know? Alcide just completed an analysis of Kubernetes multi-cluster vulnerabilities, and the results are not good. It turns out that in 89% of deployments, companies are not using Kubernetes' Secrets resources, with sensitive information wired in the open. Moreover, 75% of the deployments studied use workloads which mount high-vulnerability host file systems such as /proc and none of the deployments showed segmentation implementation using Kubernetes' network policies.

Secrets are a crucial functionality in Kubernetes that everyone should be using, so it's disheartening to learn that so many aren't taking advantage of the security benefits Secrets provide, and leaving themselves unnecessarily vulnerable.

Why You Need to be Using Secrets

Kubernetes users and/or administrators sometimes include sensitive information, such as usernames, passwords, and SSH keys, in their pods. But when credentials that grant access to systems that are critical to business functions (databases, web hosting accounts, encrypted email, various applications, etc.) are inserted verbatim into pod specs or container images, there is a very real risk of security breaches if anyone manages to hack into your code.

Secrets are essentially API objects that encode sensitive data, then expose it to your pods in a controlled way. This enables encapsulating Secrets by specific containers, or sharing them. A Secret stores the information and cloaks it from the pod so that it is black-boxed; all the pod knows is that it has permission to use this Secret, but it can't see the information contained within (and neither can anyone who hacks into your code).

How Secrets Work in Kubernetes Deployments

There are two ways in which a Secret can be used with a pod: as files in a volume mounted on one or more of its containers, or as environment variables. Pods do not have access to each other's Secrets, which further facilitates encapsulating sensitive data across multiple pods. Secrets are stored in tmpfs — not written to disk — and they are only sent to nodes that need them. When the pod containing the Secret is deleted, the Secret is deleted too. SSL/TLS protects communication between users and the API server. Containers in pods must request a Secret volume in its volumeMounts in order for it to be visible in the container. This enables constructing security partitions at the pod level.

How to Make Sure You're Using Secrets

Hopefully you're going to use Secrets from now on. The best way to ensure you're using Secrets the right way is to use a monitoring tool that can not only assess if Secrets are being used, but can also detect where sensitive information is exposed or not secured and needs to be using Secrets. You should know what workloads are allowed to access and communicate with what data. If communication between apps deviates outside their prescribed lines, those deviations should be flagged for DevOps and security teams to investigate. 

As new, data-intensive systems are spun up to keep pace with business needs, maintaining security should be a top concern for everyone. Gartner's report on cloud security asserts that through 2022, 95% of security failures will be the result of unintentional errors on the customer's part. 

In other words, if you're not using Secrets and your data gets compromised, you have no one to blame but yourself.

Ranny Nachmias is CEO and Co-Founder of Alcide
Share this

Industry News

June 01, 2020

IT Revolution announced a full conference agenda for DevOps Enterprise Summit London, June 23-25, 2020.

June 01, 2020

Caltech CTME announced that Simplilearn, a global provider of digital skills training, will collaborate with CTME (Caltech's Center for Technology and Management Education) to offer a specialized Post Graduate Program in DevOps software engineering.

June 01, 2020

DevOps Institute, a global member-based association for advancing the human elements of DevOps, announced the introduction of its SKILup Playbook Library, a dynamic collective body of knowledge (cBok) that aligns thought leadership from industry experts with a set of dynamic, orchestrated artifacts, research and assets.

May 28, 2020

Docker has extended its strategic collaboration with Microsoft to simplify code to cloud application development for developers and development teams by more closely integrating with Azure Container Instances (ACI).

May 28, 2020

Eggplant announced updates to its Digital Automation Intelligence (DAI) platform.

May 28, 2020

Aptum launched its Managed DevOps Service in partnership with CloudOps, a cloud consulting and professional services company specializing in DevOps.

May 27, 2020

Red Hat announced an expansion of its application services portfolio with the addition of Quarkus as a fully supported framework in Red Hat Runtimes.

May 27, 2020

Couchbase has completed a $105 million all-equity Series G round of fundraising.

May 27, 2020

Aqua Security closed a Series D round of $30M led by Greenspring Associates.

May 26, 2020

GitLab is releasing 13.0 of its DevSecOps platform to enable organizations to efficiently adapt and respond to new and dynamic business challenges.

May 26, 2020

Solo.io announced the availability of the Istio Developer Portal to streamline the developer onboarding process for improved developer experience and increased productivity with added security features.

May 26, 2020

WhiteHat Security will offer free application scanning services to any education institution to support secure online learning.

May 21, 2020

Exadel announced the Grand Prize winner of the “Appery.io COVID-19 Virtual Hackathon.”

May 21, 2020

CloudBees announced significant advances for its Software Delivery Management (SDM) platform – integrations with additional continuous integration and continuous delivery (CI/CD) engines, including Google Cloud Build and Tekton, and extension of the availability of CloudBees’ SDM Preview Program.

May 21, 2020

OutSystems is announcing over 70 development accelerators that ensure web and mobile applications created on the OutSystems low-code development platform can comply with the highest accessibility standards and regulations.