Kubernetes Security: Common Myths & Facts


Kubernetes Security: Common Myths & Facts

December 1, 2020 - by Jayalakshmi Elango | appeared on faun

Popular Kubernetes security myth & facts

Containers & Kubernetes have revolutionized the way applications are deployed at scale. One of the top concerns that every enterprise faces is to optimize the underlying infrastructure for containers. Although K8s comes with significant built-in features designed specifically for simplifying container orchestration, configuring, deploying, and managing them may be a bit overwhelming for an organization. In many cases, a lack of expertise with containers & K8s has given way to misconceptions and deep-rooted concerns. Many sources point to security remaining the top concern when it comes to Kubernetes adoption.

StackRox released the ‘State of Kubernetes and container safety report’ in Sep 2020, in which it found that nearly 90% of the respondents have experienced a security incident over the last 12 months.

One reason for this could be the uncertainties and risks associated with security during each deployment phase. The K8s era has triggered the left-shifting of security, which calls for effective collaboration between security, DevOps, and dev throughout the development lifecycle. An optimal solution across K8s DevOps life cycle is crucial. In this article, we will look at a few common myths around K8s security and try to arrive at actionable workarounds.

Myth: Kubernetes runs similarly across dev/test & prod environments

Fact: Kubernetes helps in providing a consistent environment, but it doesn’t mean that K8s run similarly in all environments. It differs significantly when running on a developer’s laptop to that of a production server.

Some key components like certificate management, monitoring, and logging are present only in the production server.

In Kubernetes, namespace enables the management of different environments within the same cluster and helps establish security boundaries and apply security controls like Network Policies during the deployment phase.

Myth: Kubernetes dashboard, in general, is a security risk

Fact: The security concern is not directly related to the dashboard itself, but it accounts for how well you deploy it. Tesla, in 2018, had a major security breach that compromised the Kubernetes infrastructure. The core AWS API keys were visible to the attackers.

Some incidents can be avoided if we follow certain practices such as,

  • Setting up the service account dashboard with appropriate privileges,
  • Use an authenticating reverse proxy to inject a user’s JWT into each request and,
  • Usage of TLS for internal and external communications.

A dashboard gives an excellent insight into what’s happening inside the Kubernetes cluster. HTTP between an authenticating proxy & dashboard with a self-signed certificate is ideal for mitigating any risk.

Myth: Container images are lower security threats

Fact: For large application deployments, there’s always a huge demand for container images where they are typically created without upgrading the older images. These aged images are not safe, as they’re simple to track and subject to vulnerability against malicious threats.

Hence, enterprises should ensure that, curated container image registry is available for use across teams, they use only trusted images, and enforce digitally signed images.

While Kubernetes is a complex platform that brings scalability and efficient resource utilization, knowing how to avoid security risks can be crucial to realize value. The road to K8s security management can start with an enterprise-grade technology that takes care of deployment security best practices.

Secure app delivery with left-shifted
security & DevSecOps