How to simplify Kubernetes security

Eric Gregory - January 14, 2023

The new year has barely begun, and the security hits just keep coming—from news of a breach at CircleCI to the revelation of massive data exposure at LastPass (with the latter stemming from a single compromised developer environment). 

Bad actors are aggressively sniffing out vulnerabilities in software supply chains and workflows—and if you’re using Kubernetes, that makes it especially urgent to grapple with security.

Simply getting started with Kubernetes can be a struggle for many teams, and securing it can be particularly daunting. The attack surface can be large and complicated, and misconfiguration is all too easy. That’s one reason why Kubernetes security issues are so common. In fact, a study from security firm Armo found that out of 10,000 analyzed clusters, 100% had at least one misconfiguration error.

Securing Kubernetes is challenging—but it also represents an opportunity to take stock of your existing security paradigm, analyze the gaps, and reformulate your approach. 

Better yet, with the right approach you can simplify the security equation and focus on your applications. Here are four ways to help you breathe easier and move forward with confidence:

Secure your software supply chain with CI/CD integrations

Development with containers can move so quickly in part because developers can build on top of existing container images. But if those images are compromised—perhaps several layers down, in a dependency of a dependency—then suddenly you can find a rot spreading through your entire edifice. 

If your team is developing on Kubernetes, you need a security-oriented CI/CD pipeline with integrated security tools:

  • Private container image registry: Ensures that developers only utilize approved container images.

  • Vulnerability scanner: Continuously evaluates images—ideally at a binary level—against a regularly updated vulnerability database to surface potential issues.

  • Image signing and validation: Signs images at build time, validates those signatures, and automatically promotes validated images to further stages of the pipeline.

These tools should function automatically in order to support rapid development at scale (and to minimize human error). With these measures in place, developers don’t have to worry about the provenance of an image or waste time scanning for vulnerabilities—they can simply focus on code.
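As an added example (not from the original article or from Lens), the following script shows the kind of automated gate the pipeline above relies on: it reads Pod specs in the JSON form that `kubectl get pods -o json` emits and flags any container image that is not pulled from the approved private registry, or that is referenced by a mutable tag rather than an immutable digest. The registry hostname `registry.internal.example`, the sample Pods, and the digest value are constructed for illustration.

```python
"""Offline pre-deployment check for container image references (added example).

Given Pod specs as Python dicts (the structure `kubectl get pods -o json`
returns), report images that either come from outside the approved private
registry or are not pinned by digest. Hostnames and manifests are constructed.
"""
import re

# Assumed private registry; in practice this would be your own hostname.
APPROVED_REGISTRY = "registry.internal.example"

# An immutable reference ends with "@sha256:<64 hex chars>".
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")


def parse_image(ref):
    """Split an image reference into (registry, repository, tag, digest).

    Container runtimes treat the first path component as a registry only if it
    looks like a hostname (contains '.' or ':', or is 'localhost'); otherwise
    the image is resolved against Docker Hub (docker.io).
    """
    digest = None
    m = DIGEST_RE.search(ref)
    if m:
        digest = m.group(0)[1:]  # drop the leading '@'
        ref = ref[: m.start()]
    first, sep, rest = ref.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        registry, path = first, rest
    else:
        registry, path = "docker.io", ref
    # A tag is the text after the last ':' only when that ':' follows the last '/'.
    tag = None
    if ":" in path.rsplit("/", 1)[-1]:
        path, tag = path.rsplit(":", 1)
    return registry, path, tag, digest


def check_pod(pod):
    """Return a list of policy violations (strings) for one Pod spec."""
    findings = []
    spec = pod["spec"]
    # Init containers run before the main containers and must meet the same bar.
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        registry, _repo, tag, digest = parse_image(c["image"])
        where = f'{pod["metadata"]["name"]}/{c["name"]}'
        if registry != APPROVED_REGISTRY:
            findings.append(f"{where}: {c['image']} is not from {APPROVED_REGISTRY}")
        if digest is None:
            findings.append(
                f"{where}: {c['image']} is not pinned by digest "
                f"(tag '{tag or 'latest'}' is mutable)"
            )
    return findings


# Constructed sample manifests: one compliant Pod and one that breaks both rules.
SAMPLE_DIGEST = "sha256:" + "0123456789abcdef" * 4  # constructed 64-hex digest
COMPLIANT_POD = {
    "metadata": {"name": "api"},
    "spec": {"containers": [
        {"name": "api", "image": f"{APPROVED_REGISTRY}/team/api@{SAMPLE_DIGEST}"},
    ]},
}
NONCOMPLIANT_POD = {
    "metadata": {"name": "web"},
    "spec": {
        "initContainers": [
            {"name": "migrate", "image": f"{APPROVED_REGISTRY}/tools/migrate:v3"},
        ],
        "containers": [
            {"name": "web", "image": "nginx:1.25"},
        ],
    },
}

if __name__ == "__main__":
    for pod in (COMPLIANT_POD, NONCOMPLIANT_POD):
        for finding in check_pod(pod) or [f'{pod["metadata"]["name"]}: ok']:
            print(finding)
```

Run as a CI step before `kubectl apply`, a non-empty result from `check_pod` is the signal to fail the job; the digest rule is what makes a scan result or signature stick to exactly the bytes that will run, since a tag can be repointed after the scan.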

Observability

Understanding what is happening on a Kubernetes cluster is paramount for many reasons, from cost control to debugging to—yes—security. 

Without a correctly-tuned observability system, Kubernetes can become a black box—and that’s a particularly urgent problem as castle-and-moat style security thinking becomes finally and definitively obsolete. Today, you have to be able to detect and proactively respond to anything that may be amiss in your system.

The open source Prometheus project is the industry standard, scraping metrics from an array of Kubernetes resource types (nodes, pods, services, and so on) and then enabling you to query those metrics or make further use of them through API endpoints. 

Prometheus can be integrated with Grafana, an open source project for visualizing Kubernetes data and making it easier to consume. Lens enables users to set up a Prometheus and Grafana stack on a given Kubernetes cluster at the click of a button. 

Zero trust and RBAC

Breaches accomplished through compromised developer environments underscore the importance of a zero trust security strategy. With this approach, all user privileges are authenticated and continuously validated, with no differentiation between users inside and outside a given network. Indeed, everything in your system is monitored and validated on an ongoing basis. 

In an age of distributed infrastructure and remote work, zero trust is mandatory. (To be frank, old-school “castle-and-moat” style security architectures would have been much more robust with a zero trust approach as well.) But getting started is non-trivial. Kubernetes gives you a well-suited, resource-aware substrate, and the observability tools discussed above help provide rolling insight into your systems. But how about your team?

When you extend access privileges to your team, it’s critical to observe the principle of least privilege, giving each person exactly as much access as they need—and no more. This is hard to manage at scale without a role-based access control (RBAC) system that lets you grant privileges according to each member’s role rather than individually. 

Kubernetes’ RBAC capabilities are limited out of the box, but tools like Lens can help to simplify the task, giving you the power to manage RBAC quickly and easily.
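As an added example (not from the original article or from Lens), here is a small audit of Kubernetes RBAC objects against the least-privilege principle described above. It takes Role, ClusterRole, and binding objects in the form `kubectl get ... -o json` returns and flags wildcards, verbs that let a subject grow its own privileges, Secret reads, `cluster-admin` grants, and bindings to broad built-in groups. The sample objects (a permissive Role beside a narrowly scoped one, and the bindings for each) are constructed for illustration.

```python
"""Least-privilege audit for Kubernetes RBAC objects (added example).

Objects are Python dicts with the shape `kubectl get role,rolebinding -o json`
emits. All sample manifests below are constructed.
"""

WILDCARD = "*"
# Verbs that allow a subject to expand its own permissions.
PRIVILEGE_GROWTH_VERBS = {"escalate", "bind", "impersonate"}
READ_VERBS = {"get", "list", "watch"}
# Built-in groups that cover every (or every authenticated) principal.
BROAD_GROUPS = {"system:authenticated", "system:unauthenticated", "system:serviceaccounts"}


def audit_role(role):
    """Return findings for a Role or ClusterRole; an empty list means no concerns."""
    name = f'{role["kind"]}/{role["metadata"]["name"]}'
    findings = []
    for i, rule in enumerate(role.get("rules", [])):
        verbs = set(rule.get("verbs", []))
        resources = set(rule.get("resources", []))
        groups = set(rule.get("apiGroups", []))
        if WILDCARD in verbs:
            findings.append(f"{name} rule {i}: wildcard verbs")
        if WILDCARD in resources:
            findings.append(f"{name} rule {i}: wildcard resources")
        if WILDCARD in groups:
            findings.append(f"{name} rule {i}: wildcard apiGroups")
        if verbs & PRIVILEGE_GROWTH_VERBS:
            findings.append(f"{name} rule {i}: privilege-growth verbs {sorted(verbs & PRIVILEGE_GROWTH_VERBS)}")
        if "secrets" in resources and verbs & READ_VERBS:
            findings.append(f"{name} rule {i}: grants read access to Secrets")
    return findings


def audit_binding(binding):
    """Return findings for a RoleBinding or ClusterRoleBinding."""
    name = f'{binding["kind"]}/{binding["metadata"]["name"]}'
    findings = []
    if binding["roleRef"]["name"] == "cluster-admin":
        findings.append(f"{name}: grants the built-in cluster-admin role")
    for subject in binding.get("subjects", []):
        if subject.get("kind") == "Group" and subject.get("name") in BROAD_GROUPS:
            findings.append(f"{name}: bound to broad group {subject['name']}")
    return findings


# Constructed samples: an over-broad Role/binding beside a least-privilege pair.
WEAK_ROLE = {
    "kind": "Role", "metadata": {"name": "dev-everything", "namespace": "team-a"},
    "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}],
}
WEAK_BINDING = {
    "kind": "ClusterRoleBinding", "metadata": {"name": "everyone-admin"},
    "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "cluster-admin"},
    "subjects": [{"kind": "Group", "name": "system:authenticated", "apiGroup": "rbac.authorization.k8s.io"}],
}
LEAST_PRIVILEGE_ROLE = {
    "kind": "Role", "metadata": {"name": "dev-deploy", "namespace": "team-a"},
    "rules": [
        # Manage Deployments in this namespace only.
        {"apiGroups": ["apps"], "resources": ["deployments"],
         "verbs": ["get", "list", "watch", "update", "patch"]},
        # Read Pods and their logs for debugging; no Secrets, no wildcards.
        {"apiGroups": [""], "resources": ["pods", "pods/log"],
         "verbs": ["get", "list", "watch"]},
    ],
}
LEAST_PRIVILEGE_BINDING = {
    "kind": "RoleBinding", "metadata": {"name": "dev-deploy", "namespace": "team-a"},
    "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "Role", "name": "dev-deploy"},
    "subjects": [{"kind": "Group", "name": "team-a-devs", "apiGroup": "rbac.authorization.k8s.io"}],
}

if __name__ == "__main__":
    for obj, fn in ((WEAK_ROLE, audit_role), (WEAK_BINDING, audit_binding),
                    (LEAST_PRIVILEGE_ROLE, audit_role), (LEAST_PRIVILEGE_BINDING, audit_binding)):
        print(obj["metadata"]["name"], fn(obj) or "ok")
```

The corrected pair is namespaced, names concrete API groups and resources, and binds a team group rather than a built-in one; running the audit over `kubectl get roles,clusterroles,rolebindings,clusterrolebindings -A -o json` output is a quick way to find the permissive grants that accumulate as a cluster grows.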

DevOps-as-a-Service

Not every team has the resources to stand up complex security architecture quickly—and as we’ve seen, even big teams can make grave misconfiguration errors. As DevOps grows into DevSecOps and security questions insinuate themselves into every part of the software lifecycle, teams should consider consuming security-conscious DevOps as a service.

Services like Lens Autopilot integrate the fundamentals of modern security in a fully managed system that enables developers to focus on development, and the rest of the team to breathe easy. Thoughtful CI/CD automations, proactive incident response, and 24x7 monitoring and alerting mean that Lens Autopilot can guarantee a 75% reduction in security vulnerabilities…along with a 2x-4x reduction in costs and 5-10x acceleration in deployment speeds. 

You can learn more about Lens Autopilot here. If you’d like to check out Lens, the world’s most popular Kubernetes development environment and the foundation for Lens Autopilot, you can download it for free here.