The State of Kubernetes Security in 2020
There has been a significant shift in the Kubernetes community toward security topics in the past year. According to the StackRox State of Container and Kubernetes Security Report, Fall 2020, human error causes most security incidents in Kubernetes, with misconfigurations contributing to roughly 67% of the cases reported by survey respondents. At KubeCon + CloudNativeCon North America, Kubernetes security topics made up the largest share of sessions this year. The 2019 CNCF survey report highlights security, cultural, and complexity challenges as the most significant issues facing Kubernetes adoption. It would seem that the community is looking for reasonable solutions to its Kubernetes security concerns.
StackRox took note of these issues early on in the development of our Kubernetes-native security platform. By recognizing that people and security go hand in hand, we created a platform that enables security and engineering teams to protect Kubernetes clusters. The usual implementation question remains: where do we implement security and configuration fixes? There has been a significant push to perform security checks as early as possible. The term “shift left” is often used to describe this movement of empowering developers to implement security controls and checks. However, this does not solve the issue of complexity and cultural challenges. With “shift-left”, we require our developers to understand the application, Kubernetes, security considerations, and more. This overhead cuts against the goal of using cloud-native technologies to empower developers to release software more quickly.
What is KubeLinter?
KubeLinter is an open-source static analysis tool to identify misconfigurations in Kubernetes objects. KubeLinter offers the ability to integrate security checks of Kubernetes YAML files and Helm charts before deployment into a Kubernetes cluster. The security checks validate that a Kubernetes cluster configuration follows security best practices. With standard built-in checks, developers and teams can get immediate feedback about misconfigurations and violations of Kubernetes policies. This enhances developer productivity, integrating security-as-code with DevOps and DevSecOps processes while ensuring the automatic enforcement of hardened security policies for Kubernetes applications.
What does KubeLinter do?
KubeLinter analyzes YAML files and Helm charts and runs Kubernetes-native security checks to identify elevated access, misconfigurations, and general best practice violations. KubeLinter is a Go-based binary used on the command line or part of a CI pipeline and gives developers the necessary security checks before allowing any Kubernetes configuration changes. There are currently 19 security checks that come built into the CLI. Some examples include:
- Using the default-service-account
- Mismatching selectors
- Running a container as root
- Setting a writable host mount
KubeLinter’s defaults are security-centric, so users will have to explicitly opt in to configure Kubernetes in an insecure manner. The built-in checks provided by KubeLinter can be extended to include custom checks for many Kubernetes configuration parameters. Individual checks can be enabled or disabled as well, with annotations giving the ability to pass single specific configuration checks. As an open-source tool available under the Apache 2.0 license, users can also contribute to the project by extending KubeLinter with additional checks.
What Makes KubeLinter Different?
KubeLinter’s focus on being a Kubernetes-native tool leads to the following advantages:
- Easy to learn
- Ease of implementation
- Additional functionality solely focused on Kubernetes
- Pre-configured security and misconfiguration checks
- Go-based CLI similar to kubectl
- A community-based tool that grows with your needs
KubeLinter's Go-based CLI architecture allows it to be easily installed in existing pipelines or used on the command line. It uses a package and CLI layout similar to kubectl's, so little new knowledge is required to test and use it. KubeLinter policies can be enabled or disabled, and individual checks can be ignored on a given object with annotations. KubeLinter gives immediate feedback about how to rectify a misconfiguration or security issue. This approach means reasonable checks with little to no workflow change: declarative, Kubernetes-focused security rules that can be easily accessed and viewed.
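To make the checks listed above concrete, here is an added example of a small manifest linter that implements four of the check kinds the post names (default service account, mismatching selectors, running as root, writable host mount) and honours a per-object "ignore this check" annotation of the kind the text describes. This is illustrative code written for this page, not KubeLinter's own implementation; the check names, the `ignore-check.example/` annotation prefix and the two sample Deployments are constructed for the example, and the manifests are given as Python dicts in the shape `yaml.safe_load()` would produce so the block runs offline.

```python
"""Toy manifest linter (added example, not KubeLinter's code)."""
from dataclasses import dataclass

# Hypothetical annotation prefix for this example; KubeLinter's own key may differ.
IGNORE_PREFIX = "ignore-check.example/"


@dataclass(frozen=True)
class Finding:
    check: str
    object_name: str
    message: str


def _pod_spec(obj):
    """Return the pod spec of a Pod or of a workload's pod template."""
    if obj.get("kind") == "Pod":
        return obj.get("spec", {})
    return obj.get("spec", {}).get("template", {}).get("spec", {})


def _containers(spec):
    return spec.get("initContainers", []) + spec.get("containers", [])


def check_default_service_account(obj):
    # Omitting serviceAccountName means the pod uses the namespace's default SA.
    if _pod_spec(obj).get("serviceAccountName", "default") == "default":
        return ["pod spec uses the default service account"]
    return []


def check_mismatching_selectors(obj):
    if obj.get("kind") not in ("Deployment", "StatefulSet", "DaemonSet", "ReplicaSet"):
        return []
    selector = obj.get("spec", {}).get("selector", {}).get("matchLabels", {})
    labels = obj.get("spec", {}).get("template", {}).get("metadata", {}).get("labels", {})
    unmatched = {k: v for k, v in selector.items() if labels.get(k) != v}
    if unmatched:
        return [f"selector {unmatched} is not satisfied by pod template labels {labels}"]
    return []


def check_run_as_root(obj):
    spec = _pod_spec(obj)
    pod_ctx = spec.get("securityContext", {})
    msgs = []
    for c in _containers(spec):
        # Container-level securityContext overrides the pod-level one field by field.
        ctx = {**pod_ctx, **c.get("securityContext", {})}
        if ctx.get("runAsNonRoot") is True or ctx.get("runAsUser", 0) > 0:
            continue
        msgs.append(f"container {c['name']} may run as root (set runAsNonRoot or runAsUser > 0)")
    return msgs


def check_writable_host_mount(obj):
    spec = _pod_spec(obj)
    host_vols = {v["name"] for v in spec.get("volumes", []) if "hostPath" in v}
    msgs = []
    for c in _containers(spec):
        for m in c.get("volumeMounts", []):
            if m["name"] in host_vols and not m.get("readOnly", False):
                msgs.append(f"container {c['name']} mounts hostPath volume {m['name']} read-write")
    return msgs


CHECKS = {
    "default-service-account": check_default_service_account,
    "mismatching-selector": check_mismatching_selectors,
    "run-as-non-root": check_run_as_root,
    "writable-host-mount": check_writable_host_mount,
}


def ignored_checks(obj):
    """Checks waived on this object via ignore annotations (value = justification)."""
    annotations = obj.get("metadata", {}).get("annotations", {})
    return {k[len(IGNORE_PREFIX):] for k in annotations if k.startswith(IGNORE_PREFIX)}


def lint(objects, enabled=None):
    """Run all (or only the enabled) checks over parsed manifests; return findings."""
    findings = []
    for obj in objects:
        name = obj.get("metadata", {}).get("name", "<unnamed>")
        waived = ignored_checks(obj)
        for check_name, fn in CHECKS.items():
            if (enabled is not None and check_name not in enabled) or check_name in waived:
                continue
            findings.extend(Finding(check_name, name, m) for m in fn(obj))
    return findings


SAMPLE_OBJECTS = [
    {  # constructed: an insecure Deployment that trips all four checks
        "apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "web"},
        "spec": {
            "selector": {"matchLabels": {"app": "web", "tier": "frontend"}},
            "template": {"metadata": {"labels": {"app": "web"}}, "spec": {
                "volumes": [{"name": "host-etc", "hostPath": {"path": "/etc"}}],
                "containers": [{"name": "nginx", "image": "nginx:1.19",
                                "volumeMounts": [{"name": "host-etc", "mountPath": "/host-etc"}]}]}},
        },
    },
    {  # constructed: a hardened Deployment whose one host mount is explicitly waived
        "apiVersion": "apps/v1", "kind": "Deployment",
        "metadata": {"name": "api", "annotations": {
            IGNORE_PREFIX + "writable-host-mount": "log shipper must write to /var/log"}},
        "spec": {
            "selector": {"matchLabels": {"app": "api"}},
            "template": {"metadata": {"labels": {"app": "api"}}, "spec": {
                "serviceAccountName": "api-sa",
                "securityContext": {"runAsNonRoot": True},
                "volumes": [{"name": "logs", "hostPath": {"path": "/var/log"}}],
                "containers": [{"name": "api", "image": "example/api:1.0",
                                "volumeMounts": [{"name": "logs", "mountPath": "/var/log"}]}]}},
        },
    },
]

if __name__ == "__main__":
    for f in lint(SAMPLE_OBJECTS):
        print(f"{f.object_name}: [{f.check}] {f.message}")
```

Running the block reports four findings, all against `web`; `api` is clean because its only host mount carries an ignore annotation with a justification, which is the pattern the post describes for accepting a single known exception without disabling the check everywhere. The `enabled` argument plays the role of globally enabling or disabling individual checks.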
How to Learn More?
KubeLinter’s success will rely on the community. As Kubernetes continues to grow, StackRox views KubeLinter as a security enablement tool that simplifies security and makes the day-to-day usage of Kubernetes by community end users safer and more secure.
- To download and get started with KubeLinter, visit the KubeLinter GitHub
- For more documentation about KubeLinter, head to docs.kubelinter.io
Watch the lead developer Viswa Venugopal talk about KubeLinter basics