Runtime context: the missing piece in Kubernetes security
Originally appeared on The New Stack. More and more organizations rely on Kubernetes to deploy and manage...
Mar 7, 2023
This article focuses on a critical missing component of Cloud Security Posture Management (CSPM): visibility into Kubernetes. Scroll down to read all you need to know about it.
Today, almost every business uses some form of cloud service. The fact that trusted technology companies (Amazon, Google, Microsoft) dominate the cloud market has led to the false perception that the cloud is secure by default. Yet according to the 2022 Thales Cloud Security Study, 45% of organizations have experienced a data breach or failed an audit for the data or applications running in their cloud. No industry or company division is immune to the many risks the cloud poses, including malware, ransomware, and denial of service. Big players, too, such as Facebook, LinkedIn, Accenture, and Marriott International, have fallen victim to such incidents.
There are many automated tools available to identify risks and solve potential problems in order to create a more secure cloud. Gartner came up with the term Cloud Security Posture Management (CSPM) for this category of applications. The primary goal of these tools is to explore and monitor IaaS and PaaS environments in order to find potential risks and automatically fix them. This mechanism saves valuable engineering time.
This article focuses on a critical missing component of CSPM: visibility into Kubernetes. The Kubernetes container orchestration system is unlike other cloud services in its architecture and layered workload management. For this reason, current CSPM tools fall short when it comes to securing Kubernetes clusters.
Kubernetes is the leading container orchestration platform. It offers critical features such as self-healing application management and service discovery out of the box. These features, and its extensibility, make Kubernetes much more than just a container orchestrator. In fact, it works in a similar way to an operating system, handling resource allocation, scheduling, networking, and data persistence.
Let’s review in brief how Kubernetes manages an application in the cloud. Kubernetes is an API-centric platform in which every resource is a declarative definition: you specify which container image to run and how many instances are required, and Kubernetes works to make the cluster match. For each container group, referred to as a pod in Kubernetes, it finds a suitable worker node on which to run it.
If there are storage requirements, Kubernetes connects to the cloud storage provider to ensure that volumes are reserved, attached to nodes, and available to pods. When the pods want to connect to other containers or outside the cluster, Kubernetes provides in-cluster networking programming as well. If there are configurations to be distributed to pods, Kubernetes offers a way to access that data. Sensitive data such as certificates, passwords, or usernames are often distributed to pods in a similar fashion.
In order to access your application from the internet, Kubernetes offers gateway resources to make it accessible behind a load balancer service. As the application becomes more popular, with many incoming requests, Kubernetes can automatically scale up the number of pods by observing metrics, while ensuring that all instances remain healthy. It can even increase the cluster size if there is no room left for new pods.
All of these characteristics and processes are similar to how a cloud provider works. In other words, Kubernetes creates and operates a cloud within the cloud.
Though Kubernetes works like a cloud operating system, there is a critical missing piece: security by default. In its default form, Kubernetes is a platform open to all kinds of threats, in addition to the risks of the underlying cloud platform. According to a Red Hat report from May 2022, 93% of users reported they’d had at least one security event in their Kubernetes environments in the preceding 12 months. Furthermore, 55% of participants reported having to delay or slow down application deployment due to a security concern. In short, the results show that Kubernetes security is critical, with nearly every user having experienced incidents. In fact, more than half of the participants delayed or slowed their Kubernetes deployments because of security concerns.
Let’s take a look at the lifecycle of the applications running on Kubernetes to better understand the security challenges.
In this first stage, applications are built and packaged into containers.
The deployment stage focuses on putting applications into clusters:
Runtime covers all the operations after the deployment of applications:
When the security lifecycle is considered, it is clear that Kubernetes security brings its own challenges to the cloud ecosystem.
From the cloud provider point of view, Kubernetes is a service similar to a managed database or a storage bucket. It has a dashboard in the cloud console, and with just a couple of clicks, you can have a running Kubernetes cluster. CSPM uses a similar approach to evaluate Kubernetes. It focuses on permissions for VM nodes, network access in cloud networking, configuration, and policy checks at cloud service level.
However, Kubernetes creates its own layer on top of all the cloud services, complete with its own access management, network, and configuration. The characteristics and internal operations of Kubernetes are no more within the scope of CSPM than any other application you might deploy on a VM, and therefore are not covered by it. Relying solely on the CSPM toolset leads to insecure Kubernetes clusters.
Kubernetes Security Posture Management (KSPM) is a set of tools and processes, similar to CSPM, only to secure Kubernetes clusters and workloads. The mindset is much like CSPM, but the approach is Kubernetes-native, with the following characteristics:
Without these specific characteristics, CSPM barely scratches the surface of a Kubernetes cluster in terms of security posture management. However, a KSPM solution provides insights from inside the cluster and creates complete Kubernetes cluster security.
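To make concrete both the declarative workload model described earlier (image, replica count, secrets handed to pods) and the kind of in-cluster inspection that distinguishes KSPM from CSPM, here is a small posture checker written for this article. It is example code, not Kubescape or ARMO code. The two Deployment objects are constructed samples shaped as the Kubernetes API would return them, the image digest is a placeholder, and the rule set is an illustrative subset of the controls a KSPM tool evaluates; all of the fields it reads (hostNetwork, securityContext, resources, env) are standard Kubernetes PodSpec fields that are only visible through the Kubernetes API, not through the cloud provider's API.

```python
"""Kubernetes-native posture checks of the kind a KSPM tool runs from inside the
cluster. Example code added to this article; it is not Kubescape or ARMO code.
The two Deployment objects and the rule set are constructed for illustration,
shaped as the Kubernetes API would return them."""
import json
import re

# Constructed sample 1: a Deployment that relies on Kubernetes defaults. The
# declarative spec names the image and replica count; everything left unstated
# falls back to the open defaults the article describes.
OPEN_DEPLOYMENT = json.loads("""
{
  "apiVersion": "apps/v1", "kind": "Deployment",
  "metadata": {"name": "web", "namespace": "default"},
  "spec": {
    "replicas": 3,
    "template": {"spec": {
      "hostNetwork": true,
      "containers": [{
        "name": "web",
        "image": "example.invalid/web:latest",
        "securityContext": {"privileged": true},
        "env": [{"name": "DB_PASSWORD", "value": "changeme"}]
      }]
    }}
  }
}""")

# Constructed sample 2: the same workload with the posture gaps closed. The
# sha256 digest below is a placeholder, not a real image digest.
HARDENED_DEPLOYMENT = json.loads("""
{
  "apiVersion": "apps/v1", "kind": "Deployment",
  "metadata": {"name": "web", "namespace": "prod"},
  "spec": {
    "replicas": 3,
    "template": {"spec": {
      "securityContext": {"runAsNonRoot": true, "runAsUser": 10001},
      "containers": [{
        "name": "web",
        "image": "example.invalid/web@sha256:0123456789abcdef",
        "securityContext": {"allowPrivilegeEscalation": false,
                            "readOnlyRootFilesystem": true,
                            "capabilities": {"drop": ["ALL"]}},
        "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}},
        "env": [{"name": "DB_PASSWORD",
                 "valueFrom": {"secretKeyRef": {"name": "db-creds", "key": "password"}}}]
      }]
    }}
  }
}""")

# Env variable names that should come from a Secret rather than be set inline.
SENSITIVE_ENV = re.compile(r"(PASSWORD|SECRET|TOKEN|API_KEY)", re.IGNORECASE)


def pod_spec(obj):
    """Return the PodSpec of a bare Pod or of a templated workload (Deployment etc.)."""
    return obj["spec"] if obj.get("kind") == "Pod" else obj["spec"]["template"]["spec"]


def image_is_pinned(image):
    """True when the image reference is pinned by digest or by a tag other than 'latest'."""
    if "@sha256:" in image:
        return True
    last = image.rsplit("/", 1)[-1]  # drop registry/repository path (may contain ':port')
    return ":" in last and not last.endswith(":latest")


def check_workload(obj):
    """Apply the posture rules to one workload object; returns a list of finding strings."""
    spec = pod_spec(obj)
    meta = obj["metadata"]
    name = f'{meta.get("namespace", "default")}/{meta["name"]}'
    findings = []
    if spec.get("hostNetwork"):
        findings.append(f"{name}: shares the node network namespace (hostNetwork)")
    if spec.get("hostPID") or spec.get("hostIPC"):
        findings.append(f"{name}: shares the node PID or IPC namespace")
    for c in spec.get("containers", []):
        cname = f'{name}/{c["name"]}'
        # Container-level securityContext overrides the pod-level one.
        sc = {**spec.get("securityContext", {}), **c.get("securityContext", {})}
        if sc.get("privileged"):
            findings.append(f"{cname}: privileged container")
        if not sc.get("runAsNonRoot") and sc.get("runAsUser", 0) == 0:
            findings.append(f"{cname}: may run as root (no runAsNonRoot/runAsUser)")
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(f"{cname}: allowPrivilegeEscalation not disabled")
        if not sc.get("readOnlyRootFilesystem"):
            findings.append(f"{cname}: writable root filesystem")
        if not image_is_pinned(c["image"]):
            findings.append(f"{cname}: mutable image reference {c['image']}")
        if not c.get("resources", {}).get("limits"):
            findings.append(f"{cname}: no resource limits")
        for env in c.get("env", []):
            if "value" in env and SENSITIVE_ENV.search(env["name"]):
                findings.append(f"{cname}: {env['name']} set inline instead of via a Secret")
    return findings


if __name__ == "__main__":
    for obj in (OPEN_DEPLOYMENT, HARDENED_DEPLOYMENT):
        for finding in check_workload(obj):
            print(finding)
```

Run against the first sample, the checker reports eight findings, every one of them a property of the PodSpec (host namespace sharing, privileged mode, root user, mutable image tag, missing limits, an inline credential) that a cloud-level CSPM never sees because it evaluates the managed cluster as a service, not the objects inside it. The hardened sample passes cleanly. A real KSPM tool reads these objects live from the API server and covers far more controls, but the dividing line is the same: the evidence lives behind the Kubernetes API.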
Kubescape is an open-source Kubernetes-native security platform covering the entire Kubernetes security lifecycle and the CI/CD pipeline. The tool implements the core principles of KSPM:
Securing a cloud-native environment with a one-size-fits-all approach is impossible due to its scalable and flexible nature. Even well-established CSPM solutions fail to allow for the distinctive characteristics of Kubernetes architecture and security lifecycle. This is a result of CSPM tools using an agentless approach as well as their reliance on the APIs of public cloud providers. However, there are Kubernetes-native resources in a Kubernetes cluster that are only accessible via the Kubernetes API which are not covered by CSPM solutions. Relying on a CSPM alone for securing Kubernetes in your cloud environment while neglecting KSPM leaves you open to threats.
Start managing your Kubernetes securely with Kubescape, the open-source Kubernetes security platform. Watch a demo or sign up for free access to ARMO Platform, and discover additional enterprise features.
Editor’s note: This post was originally published in December 2022 and has been updated for accuracy and comprehensiveness.