From Zero to Hero: Kubernetes Security QuickStart
Lens AppIQ takes an application-centric approach to secure applications through their complex lifecycles. Here’s how this works, step by step.
Kubernetes has grown immensely, and its use within organizations is maturing. But while Kubernetes’ growth is exciting, security concerns around applications deployed on Kubernetes are mounting. Red Hat performed a survey with hundreds of DevOps professionals, and it showed that:
55% of delayed application releases are due to security issues.
94% of respondents experienced at least one Kubernetes security incident in the past year.
59% said security is their biggest concern as they continue to use Kubernetes and containers.
Application security risks
Securing applications deployed on Kubernetes can be complex, especially if your applications are deployed across multiple clusters.
Securing applications end-to-end will require you to cover a large surface area and address items such as:
Control of which registries developers can pull images from when deploying apps
Visibility over application changes and events
Network policies to ensure applications can only send and receive data as required
Pod security policy
Quality of service
Application security stages
Security requires that steps be taken at each stage of application creation and deployment, including securing the application’s runtime environment.
Building a strong security posture requires you to secure the complete lifecycle of your applications and be able to report and track changes that happen across the different stages (see illustration).
This is challenging. Today, most tools require you to develop and maintain cluster-specific and complex security, which makes it:
Difficult to scale, especially as you adopt new clusters or technologies as part of the underlying stack
Complex for security teams to adjust policies as compliance requirements change
Non-dynamic, so seeing how applications comply with or violate policy changes can be daunting and time-consuming
Difficult to onboard new members and have them quickly understand how your applications are secured
Difficult to track application changes over time and understand how this affects your security posture
Application security made for applications
Because of the complexities above, Lens AppIQ took an application-centric approach to help DevOps and Platform Engineering teams secure their applications across different aspects and stages of their application lifecycle.
How secure are my applications?
That sounds like a simple question, right? But try answering that question when you have different teams deploying several services across different clusters!
If you go down the path of creating endless complex rules, you’ll spend a lot of time and only add complexity to your deliverables. In the end, you’ll have to not only create those rules, but also manage them.
Tutorial: use Lens AppIQ policies to secure apps
Connecting your cluster
Once you log into your account, click on Connect Cluster.
A dialog box will open up in your window. Enter a name to identify your cluster (optional) and click the button labeled Generate Command. Lens AppIQ will generate a Magic Link and display it as part of a kubectl command that you can easily copy and run in your cluster.
For more detail about this, please check the Lens AppIQ documentation.
With your cluster successfully connected, Lens AppIQ will automatically discover your applications.
Creating and Applying Policies
Now that you have a clear view of your applications, you can start creating policies. Policies in Lens AppIQ allow you to enforce security, compliance, and other rules across your applications. To enforce a policy, simply attach it to the desired namespace of your cluster. Once the policy has been attached to the cluster's namespace, deploy an application to that same cluster and namespace.
In the first step of the policy creation workflow, you can define the general settings for your policy rules.
Give your policy a descriptive name
You can use this as a strategy to separate Production from Development, or to isolate application information by cluster, environment, project, team, or other grouping.
Resource Consumption Rules
Resource consumption rules allow you to limit CPU and memory usage for applications. Here, you can define limits that trigger policy violations if exceeded.
Access control lets you choose which teams can benefit from the policy after its creation. You can select multiple teams and make the rules public for wider access.
Auto-scaling enables you to control application scalability using Kubernetes' Horizontal Pod Autoscaler (HPA). Set thresholds for autoscaling based on CPU percentage and replicas.
Limit registries from which application images can be pulled. Specify multiple registry URLs in this step.
Define node selector rules and allow CNAMEs for applications using this rule. Ensure applications meet specific criteria for deployment.
Network Policy Setup
You can easily enforce detailed network policies for applications deployed through this rule. Decide if these policies should be customizable at the application level.
Lens AppIQ offers built-in security scans based on Clair. Configure whether to enable or disable application and platform scans. You can also specify components and CVEs to ignore during scans.
After you've created a policy in Lens AppIQ, it's time to apply it to a specific namespace to start enforcing security and compliance rules on your applications.
First, click on the "Policies" section in Lens AppIQ.
Find the policy you want to apply and click “attach.”
Select the clusters and namespaces to which you want to apply your policy.
After selecting them, click “attach.”
Lens AppIQ will now start monitoring and enforcing the policy rules on applications within those clusters and namespaces.
After creating policies, you may need to make changes. Editing policies in Lens AppIQ is straightforward. Simply navigate to the policy you want to edit in the "Policies" section and click "Edit."
Ensuring Compliance and Control
Once your policies are created and applied to a specific cluster and namespace, Lens AppIQ continually scans your applications for violations of the rules you've defined. This proactive approach ensures that your applications remain compliant and secure, reducing the risk of unexpected issues.
Lens AppIQ also lets you set up alerts triggered by any policy violation. These alerts serve as early warning signals, notifying you promptly so you can take corrective action.
In addition to real-time alerts, Lens AppIQ provides violation reports that give insight into compliance and control across your applications and help you maintain a strong security posture. With Lens AppIQ, your applications are not just secure but also compliant with the policies you have defined.
Lens AppIQ provides a structured end-to-end security model for microservices-based applications, one that enables you to quickly define compliance models and apply them to your applications without having to develop and maintain complex cluster-level security definitions.
In our next blog post, we'll delve deeper into Lens AppIQ's powerful features by exploring how it generates detailed violation reports and provides intelligent insights into your applications. Stay tuned to learn how to effectively address and resolve any security or compliance issues within your Kubernetes environment.