This week in cloud news: 8/16/21
The NSA tells you how to protect your Kubernetes clusters
This week the National Security Agency, jointly with CISA, released its Kubernetes Hardening Guidance, a fairly comprehensive look at the threats to a Kubernetes cluster and how to mitigate them. The report describes three sources of compromise:
- Supply Chain Risk: This risk covers the entire process of producing and delivering your software, including not just your own product but also third-party components and even the personnel involved. Supply chain attacks can land at both the container level (the images and software you pull in) and the infrastructure level (the systems the cluster runs on).
- Malicious Threat Actor: The typical "hacker" attack. The goal is not only data theft but also theft of compute, where the attacker runs workloads of their own (cryptocurrency mining being the classic case) on your infrastructure. Every layer of a cluster is exposed: the control plane, the worker nodes, and the containerized applications themselves.
- Insider Threat: Perhaps the most insidious, because administrators, application developers, and even the cloud provider already hold access and knowledge that an outsider would have to earn; those same privileges make a malicious or compromised insider especially damaging.
The guide then lays out hardening measures in five areas:
- Kubernetes Pod security
- Network separation and hardening
- Authentication and authorization
- Log auditing
- Upgrading and application security practices
Definitely worth a read.
Nirmata completes funding round based on Kyverno
Meanwhile, Kubernetes company Nirmata has raised $4 million in pre-series A funding on the strength of its Kubernetes-native policy management tool, Kyverno. Kyverno lets operators automate policy tasks such as generating network policies or filling in a default securityContext for pods that don't define one. Since the beginning of 2021, Kyverno's adoption has soared to over six million downloads, with users including Novartis, The New York Times, Duke Energy, TriNet and Grofers, and it is used by open source projects such as Flux and KubeArmor. In May 2021 Nirmata launched Nirmata Policy Manager for Kyverno (PMK) to streamline adoption of Kyverno across multiple clusters and to support policy-as-code practices by deploying Kyverno policies across fleets of clusters through GitOps workflows.
Once Kyverno has been deployed inside a Kubernetes cluster, “[i]t has visibility to every request made to Kubernetes and can apply policies based on specified triggers and conditions,” Nirmata cofounder and VP of products Ritesh Patel told VentureBeat.
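As an added example (not Nirmata's or the Kyverno project's own code), here are the two behaviours described above expressed as a single Kyverno ClusterPolicy: a mutate rule that fills in a restrictive securityContext only where a pod omits it, and a generate rule that drops a default-deny NetworkPolicy into every newly created namespace. The policy and rule names are my own; the `+(...)` "add if not present" and `(name): "*"` conditional anchors are Kyverno's documented mutation syntax.

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: baseline-hardening        # hypothetical policy name
spec:
  rules:
  # Rule 1: mutate incoming Pods at admission, before they are persisted.
  - name: add-default-securitycontext
    match:
      resources:
        kinds:
        - Pod
    mutate:
      patchStrategicMerge:
        spec:
          containers:
          # Conditional anchor: apply the block below to every container.
          - (name): "*"
            securityContext:
              # "+(key)" adds the key only when the pod did not set it, so a
              # workload that deliberately declares a value keeps its own.
              +(runAsNonRoot): true
              +(allowPrivilegeEscalation): false
              +(seccompProfile):
                type: RuntimeDefault
  # Rule 2: generate a default-deny NetworkPolicy whenever a Namespace is created.
  - name: generate-default-deny
    match:
      resources:
        kinds:
        - Namespace
    generate:
      apiVersion: networking.k8s.io/v1
      kind: NetworkPolicy
      name: default-deny
      # The admission request's object is the new Namespace; use its name.
      namespace: "{{request.object.metadata.name}}"
      synchronize: true             # re-create the policy if someone deletes it
      data:
        spec:
          podSelector: {}           # empty selector: every pod in the namespace
          policyTypes:
          - Ingress
          - Egress
```

Two things worth knowing before applying this: Kyverno auto-generates equivalent rules for pod controllers (Deployments, DaemonSets, Jobs and so on), so the mutate rule above also covers pods created through them, and a generated default-deny policy only has effect if the cluster's CNI plugin actually enforces NetworkPolicy; a namespace on a CNI that ignores it stays wide open even though the object exists.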
Kubernetes 1.22 released
Kubernetes 1.22 was released last week, the first release under the project's new release cadence. The three-times-a-year schedule (down from four) is meant to improve feature planning and to ease the burden on users, who will have fewer upgrades to wrangle. The release has a number of themes, including:
- Rootless mode: A new alpha feature allows all Kubernetes node components (the kubelet, kube-proxy, and the container runtime) to run as a non-root user. The kubeadm tool supports this mode as well.
- Windows support: While Kubernetes development and use have primarily focused on Linux, the project's Windows SIG has released a development environment that lets Windows developers spin up a two-node Kubernetes cluster directly on their Windows machines by compiling the Windows binaries. Windows support also sees other improvements, such as the graduation of Container Storage Interface (CSI) support for Windows nodes to stable and the alpha release of Windows privileged containers (HostProcess containers).
- Swap space support: Linux can extend physical memory by paging to "swap" space on disk, but the kubelet has historically refused to start on a node with swap enabled (unless --fail-swap-on=false was passed), so administrators have had to disable it. This release adds alpha support, behind the NodeSwap feature gate, for letting the kubelet use swap as additional virtual memory.
- External credential providers: Support for client credential plugins, the mechanism by which kubectl and other clients call an external program to obtain credentials from an identity provider, has existed since Kubernetes 1.11 but has stayed in beta; with this release it graduates to stable.
- Default seccomp profiles: As an alpha feature (behind the SeccompDefault feature gate, enabled per node with the kubelet's --seccomp-default flag), it is now possible to make RuntimeDefault, rather than Unconfined, the seccomp profile for every pod that doesn't specify one. According to the release blog, "When in use, this new feature provides cluster-wide seccomp defaults, using the RuntimeDefault seccomp profile rather than Unconfined by default. This enhances the default security of the Kubernetes Deployment. Security administrators will now sleep better knowing that workloads are more secure by default. To learn more about the feature, please refer to the official seccomp tutorial."
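As an added illustration (not taken from the release notes), here is what the new default changes for a pod that says nothing about seccomp, alongside the two explicit settings a pod can carry. The kubelet flags in the comment are the ones documented for the 1.22 alpha; the pod names and the busybox image are constructed for the example.

```yaml
# On each node (Kubernetes 1.22, alpha), enable the feature gate and the
# kubelet flag that switches the implicit default from Unconfined to
# RuntimeDefault:
#   kubelet --feature-gates=SeccompDefault=true --seccomp-default ...
#
# Pod 1: no seccompProfile at all. Before the flag this runs Unconfined
# (no syscall filter). With the flag it runs under the runtime's default profile.
apiVersion: v1
kind: Pod
metadata:
  name: implicit-seccomp          # constructed name
spec:
  containers:
  - name: app
    image: busybox:1.34           # constructed image choice
    command: ["sleep", "3600"]
---
# Pod 2: explicit opt-out. Honoured regardless of the kubelet default; this is
# exactly what every unlabelled pod was getting before 1.22.
apiVersion: v1
kind: Pod
metadata:
  name: explicit-unconfined
spec:
  securityContext:
    seccompProfile:
      type: Unconfined
  containers:
  - name: app
    image: busybox:1.34
    command: ["sleep", "3600"]
---
# Pod 3: explicit opt-in (the seccompProfile field has been GA since 1.19).
# RuntimeDefault is the container runtime's own default profile, which blocks
# syscalls such as mount, reboot and kexec_load that no ordinary workload needs.
apiVersion: v1
kind: Pod
metadata:
  name: explicit-runtimedefault
spec:
  securityContext:
    seccompProfile:
      type: RuntimeDefault
  containers:
  - name: app
    image: busybox:1.34
    command: ["sleep", "3600"]
```

To check what a running container actually got, read the kernel's view rather than the manifest: `kubectl exec <pod> -- grep Seccomp /proc/1/status` prints `Seccomp: 2` when a filter is loaded and `Seccomp: 0` when the process is unconfined. Two caveats: the "cluster-wide" default is really a per-node kubelet setting, so a node pool started without the flag still hands out Unconfined to pods like the first one above, and a workload that legitimately needs a blocked syscall (mounting filesystems, for instance) must now say so explicitly with a Localhost or Unconfined profile, which is exactly the kind of exception an admission policy can be made to flag.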