In the last 5 years, Kubernetes has gone from a technology for hip startups and tech wizards to a mainstay of the technology industry. A 2021 survey by the Cloud Native Computing Foundation (CNCF) shows that 96% of businesses of all sizes were either running or evaluating Kubernetes.
Despite that wide adoption, Kubernetes security lags far behind. According to Red Hat’s 2021 State of Kubernetes Security report, more than 60% of organizations said their security strategy was basic, in the planning stages, or even non-existent.
The same survey shows that a whopping 94% of respondents experienced a Kubernetes security incident in the previous year. Clearly, these early-stage security strategies are ineffective. The resulting breaches destroy customer trust and slow or stall Kubernetes initiatives.
What was the overwhelming cause of all those breaches? 59% were plain old misconfigurations. It’s baffling: With the wide variety of security tools available to cluster administrators, how are we still missing simple misconfigurations?
Current Kubernetes security approaches are insufficient; they’re either hyper-focused on one portion of the cluster or they only work within a single phase of the Kubernetes software development lifecycle. These specialized solutions fail to secure the complete cluster and almost always ignore the underlying systems and clouds where the cluster runs. This approach leaves many attack vectors unprotected.
At Mondoo, we understand the need for comprehensive security assessments that scrutinize each layer of the Kubernetes stack and every phase of the Kubernetes software development lifecycle. This week, in response to that need, we’re launching our Mondoo end-to-end Kubernetes security solution.
What exactly is end-to-end Kubernetes security?
Every change to your Kubernetes cluster, from a simple configuration update to a new application deployment, has a lifecycle. Developers and operations teams build container images and craft Kubernetes manifests. These updates are tested and then deployed to production, where they run for minutes, days, months, or years. This continuous process of building, testing, deploying, and maintaining changes long-term is the Kubernetes software development lifecycle (SDLC).
End-to-end security applies secure principles at each phase of the SDLC. It detects security issues as early as possible, saving precious time, resources, and cost.
Development
Each change to your Kubernetes cluster, from the most trivial configuration tweak to the largest product launch, starts with building new container images and Kubernetes manifests. This development phase is the best place to apply security best practices; you want to catch security issues before they make their way to staging environments or block production deployments. With Mondoo, you can continuously evaluate the security of new changes on local workstations using the same policies your business applies to production systems.
For example, during development you can confirm that:
- All security patches have been applied to the container
- SSH is not installed on the container
- There are no privileged containers
- Kubernetes service accounts are properly configured
In this scan, Mondoo checks docker container images for system hardening and CVEs:
In this scan, Mondoo checks Kubernetes manifests for common misconfigurations:
Test
Once local development is complete and changes are ready to share with the larger team, you want to make sure each change meets your business security policy. This means scanning each change within CI platforms.
Mondoo CI/CD brings security scanning to each proposed change with CI integrations and a new UI for GitHub Actions and GitLab (with more CI platforms to come). The Mondoo CI/CD view lets you see each project your team is working on and the latest Mondoo security scans in those project repositories.
Confirm the security of each branch and proposed merge request before changes are ever promoted. Even better, there's no repository setup necessary to show security scans in the Mondoo platform. You simply add Mondoo scanning to your repository and projects automatically display in the Mondoo CI/CD view.
Enabling security scanning within your CI pipelines is even easier with our new Mondoo GitHub Action: you can assess the security of Terraform configuration files, Kubernetes manifests, Docker images, and Dockerfiles. Apply the GitHub Action and set just a few variables to get started with security reporting in your CI pipelines.
Deployment
In a perfect world, you’d only promote changes to production through perfect CI/CD pipelines. However, sometimes changes happen outside of the process. You still need to ensure the security of those changes.
With the new Mondoo Kubernetes admission controller, you can scan each and every change that enters a Kubernetes cluster. Scan and report changes entering through approved pipelines as well as emergency kubectl changes. For auditing purposes, you can even view a historical record of the changes made to your cluster.
Maintenance
Every DevOps team knows that deploying changes to production is just the start. Some teams deploy daily, others weekly, and others quarterly. Some running applications no longer receive updates. No matter how long a change has been in production, you still need to make sure the running applications are secure. Mondoo’s new Kubernetes operator provides continuous scanning of deployments so you can ensure that the secure application you deploy today will remain secure tomorrow.
Security goes far beyond just the workloads on the cluster. You need to make sure that your cluster configuration, cluster nodes, and the cloud infrastructure the cluster runs on are secure.
Layers of Kubernetes security:
|
Kubernetes Workloads |
|
Kubernetes Cluster Configuration |
|
Kubernetes Node Security |
|
Cloud Infrastructure Security |
Unlike hyper-focused Kubernetes security tools, Mondoo offers complete cluster security from the cloud account all the way to the workload. Mondoo continuously scans your complete infrastructure to ensure that it complies with your organization's policies and best practices.
Stay tuned for detailed articles that show how you can apply security best practices to each phase of the Kubernetes SDLC. If you have any questions or just want to chat about security, join the Mondoo Community Slack channel.
