Whether or not that's an entirely reasonable assertion, there are thousands of security risks that can affect your business, and all of them are in some way related to external influences. This article looks at the influence of cloud-based threats on your business, and how to secure your containerized apps through properly securing the most popular container orchestrator: Kubernetes.
Where Apps Reside
Many businesses rely on containerized apps. They do so either to help them build and deploy faster to ensure that their digitization (also business transformation) processes are leading to positive results through faster time to deployment and updates. Containerized apps are often plugged directly into back-ends through complex systems of APIs that ultimately enable the quick and painless onboarding of third-party technologies that would otherwise take a great deal of time to onboard.
The problem with containerized apps is that they're liable to be attacked, like any other type of software, but the security threats are different and need a different approach. Most business are running some of their most critical workloads as containerized apps in the cloud, and any interruption, downtime, or security threat to these apps can wreak havoc with their business processes and will ultimately lead to your business losing money. In order to avoid this situation, they need to protect your cloud-based apps and the container orchestrators like Kubernetes.
How Kubernetes Works
A large team of thousands of scientists, researchers and developers build and maintain Kubernetes (since it has been open-sourced by its original creator, Google). At the same time, containers and Kubernetes pose new security challenges that should be addressed as you build your images into containers and pods, and deploy those pods into your running clusters.Some of those challenges include:
- Kubernetes is easy to misconfigure
- Network policies are by default insecure
- The built-in security capabilities are sometimes hard to operationalize
For example, Kubernetes role-based access control (RBAC) is essentially the critical access control center for your containerized workloads, and it's where you're going to be able to regulate access to your network and your container resources. But it's easy to misconfigure the RBAC settings and make them overly permissive for easy and speed of development.
How to Maintain Your Kubernetes Security
Building a containerized app with Kubernetes security in mind is highly recommended. The shared responsibility model of cloud security dictates that you are in charge of how you build your application on IaaS platform. Here are a few ways to improve the security of your k8s:
- Turn on RBAC
- Ensure that you're not running containers in privileged mode, unless absolutely necessary
- Enforce resource use limits on containers and pods
- Start security early; don't wait until you're app is about to go into production to think about security
- Scan your images on a regular basis, and make sure images that haven't been scanned in 90 days are not being used
- Use trusted image registries, and blacklist any that isn't a trusted registry
- Automate your security as much as possible and integrate security checks into your continuous improvement/continuous deployment pipeline
- Isolate your pods by default, and write network policies that explicitly allow specific communication paths
This introduction to the complex world of Kubernetes security should help developers build and deploy more security applications that are being orchestrated by Kubernetes.