Tools and aspects of Kubernetes Security

12 Sep Tools and aspects of Kubernetes Security

Security of containers and it’s orchestrator Kubernetes is a huge topic, and there are many dimensions to the problem. Given that there are different aspects, there is no one vendor that provides a comprehensive solution, but one can put together a stack of 2-3 vendors for a comprehensive security solution. Who’s who along with where do they fit the solution are discussed below.

Image Scanning:
Running a compromised image can compromise the cluster, so it is necessary to secure images that run on a cluster. This means that one needs to build a container image based on a secure base image, and make sure that the registry/artifactory that stores these images are secure enough. https://cve.mitre.org/ provides a database of CVE’s that is used to scan against images to detect any vulnerabilities. Aquasec, Twistlock, Stackrox, Sysdig secure are players in this area.

Run time Security:
Runtime security deals with issues after the cluster is created and applications actually running as pods/containers. These include looking at aspects like; What kind of authorization does user and pods/containers have on resources ?What privileges such as host mode, privileged mode does pods/containers instantiated with?What kind of weakness can attackers hunt to go compromise?Are there any suspicious activity by users or by containers ?. Remediation of these requires fixing any of configuration, admission hooks, policies or looking at network traffic etc. Not all vendors support all aspects of runtime security but everyone has most aspects described. Aquasec, Stackrox, Sysdig secure are players in this area.

Network Security:
Network level security deals with network aspects of security (think ACL’s in traditional networking), firewall, IDS, IPS etc. Solutions focus on network policies, looking inside packets at Layer-3, Layer-4 or Layer-7 of TCP/IP stack to detect any attacks or anomalies. The players like Isovalent(Based on Open Source Cilium), Tigera(Based on Calico), Istio(opensource) etc look at this aspect of security.

Kubernetes Audit:
This aspect of security deals with audit of Kubernetes cluster against CIS Benchmark, audit against best practices such as containers running as root, running with QoS configuration, using default service account etc, audit against policies etc. Almost all vendors provide a certain form of audit report.

Others:
Grafeas provides a compliance report to validate if all the policies and security checks have been adhered to. Vault provides secured storage of passwords, secrets, certs, access credentials etc. Portieris checks for trusted images during admission control(onboarding of apps) on Kubernetes. Open Policy Agent(OPA) uniquely places itself to decouple itself from runtime and provides policy at different times in the pipeline. For example, one can deploy OPA during Kubernetes admission control.