Organizations are rapidly moving their Kubernetes applications to production to accelerate feature velocity and drive digital transformation and business growth. Our latest State of Kubernetes Security survey report shows that companies have standardized on Kubernetes, and this rapid adoption offers equal parts promise and peril. Promise, in the form of infrastructure that enables far greater inherent security than ever before. And peril, as companies struggle to overcome a skills gap and configure the technology in the most secure manner.
Kubernetes workloads – often deployed across varying environments (cloud, on-prem, hybrid) – require a security approach that is portable; protects the full container life cycle; and leverages Kubernetes’ rich context, native controls, and scalable policy enforcement to build a bridge between DevOps and Security.
The following six Kubernetes security use cases top the list of priorities for most organizations that we surveyed – follow the best practices gleaned from your peers and shared here to get your organization on the right track.
1. Runtime threat detection and response
According to our report, runtime is the life cycle phase that customers are most worried about, and more people consider runtime detection a “must have” than any others. The security goal in this phase is to detect and respond to malicious activity in an automated and scalable way while minimizing false positives and alert fatigue. Kubernetes offers rich declarative data around images and deployments that delivers valuable context when assessing runtime behavior. Leverage this context to more accurately differentiate between simple anomalies and true threats, and use Kubernetes-native enforcement capabilities to mitigate runtime threats in the most automated and scalable manner.
DevOps moves fast and relies on automation for continuous improvement, so organizations need a compliance solution built to complement – not inhibit – the pace of business. You need to not only adhere to industry compliance requirements but also show evidence of that compliance. You should be able to show which clusters, nodes, or namespaces are compliant with all the individual controls relevant in container and Kubernetes environments from frameworks including CIS benchmarks for Docker and Kubernetes, PCI, HIPAA, and NIST SP 800-190. And it should be dead simple to run on-demand compliance checks and export evidence of compliance.
3. Configuration management
Misconfiguration poses the greatest security risk to containers and Kubernetes, with 67% of survey respondents experiencing a K8s misconfiguration in the last 12 months. In today’s DevOps-driven environment, configuration management must be as automated and streamlined as possible for it to not slow down application development and deployment. It should be comprehensive, covering containers, Kubernetes, and all their configurable components, including:
- Network policies
- Privilege levels
- Resource limits/requests
- Read-only root file systems
- Annotations, labels
- Sensitive host mount and access
- Image configuration, including provenance
4. Vulnerability scanning and management
Most organizations start with vulnerability management – the challenge is to quickly move beyond the limited value provided by image scanning. Organizations must also identify vulnerabilities in Kubernetes, and they need a way to quickly pinpoint newly discovered vulnerabilities in already running deployments. Start with vulnerability management, but demand more than image scanning for this use case.
Gaining visibility into your container and Kubernetes environments is at the root of being able to properly secure that environment. Only when your security tooling is fully embedded into Kubernetes can you understand your cloud-native infrastructure, including images, containers, pods, namespaces, clusters, and network policies. You need insights into how each is configured and whether they’re compliant with industry standards and your internal security policies.
6. Network segmentation
Containers pose a unique networking challenge because containers communicate with each other across nodes and clusters (east-west traffic) and outside endpoints (north-south traffic). Kubernetes provides built-in capabilities that enable network segmentation. Leverage those native controls to ensure consistent, portable, and scalable network segmentation regardless of your CNI plugin or Kubernetes distribution. Using the segmentation inherent in Kubernetes ensures that security and DevOps see and act on a single source of truth and consistent information to restrict access and reduce the blast radius.