Addressing Kubernetes Security Vulnerabilities with Policy Enforcement
Securing Kubernetes is a big topic and one that is being addressed by a number of vendors. One of the challenges we see around security is not simply vulnerabilities, but enforcing the policy to protect against vulnerabilities and other security issues. Problems can arise from misconfigurations in containers or the underlying Kubernetes infrastructure.
Consider just a few of the security challenges we see and why Kubernetes policy enforcement is needed.
Seventy-eight percent of companies, according to DZone, now run part or all of their operations on OSS (up from 42% in 2010). Within the Kubernetes community, built on an open source project, the figure is most certainly higher. The problem is that known vulnerabilities (CVEs) in these open source tools may be inadvertently injected into an application or container.
Engineering teams need the ability to scan containers to identify CVEs and/or OSS components/versions that have known vulnerabilities. Developers then need to upgrade or patch these components to address the vulnerabilities.
If there is a known vulnerability, it’s important to establish policies to protect against it. However, enforcement is where many teams fall down. How do you ensure all container policies are applied in a dynamic, ever-changing environment? Policy-driven configuration validation can help identify misconfigurations that could expose a CVE.
Likewise, vulnerabilities in the underlying Kubernetes cluster and add-ons may exist. The infrastructure needs to be constantly scanned and monitored for new vulnerabilities and patched as necessary to fix problems.
A common attack vector used by hackers is to exploit users or services that have access to system resources beyond what they actually need, e.g., taking advantage of privilege escalation, “root” access, etc. Role Based Access Controls (RBAC) can enforce the concept of least privilege, i.e., only giving access to the resources that are needed by the user or service and nothing more. However, knowing whether a Kubernetes deployment has been over-permissioned with root access requires the teams responsible for security to manually go through each pod to check for misconfigured deployments. This process benefits from automated checks throughout the entire development lifecycle to ensure the right privileges are granted.
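The per-pod check described above can be automated. The following is an added example, not code from Fairwinds or Polaris: it audits already-parsed manifests for root and privilege settings, and the function names and sample manifests are constructed for illustration.

```python
# Added example. Manifests are plain dicts (e.g. loaded from JSON or YAML).
# Handles Pods and workloads with spec.template (Deployment, StatefulSet,
# DaemonSet, Job); CronJob nesting is out of scope for this sketch.

def pod_spec(manifest):
    """Return the pod spec for a Pod or a workload with a pod template."""
    spec = manifest.get("spec", {})
    return spec.get("template", {}).get("spec", spec)

def audit(manifest):
    """Return sorted (container, finding) tuples for root/privilege settings."""
    spec = pod_spec(manifest)
    pod_sc = spec.get("securityContext") or {}
    findings = []
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        sc = c.get("securityContext") or {}
        # Container-level values override pod-level values when both are set.
        non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
        uid = sc.get("runAsUser", pod_sc.get("runAsUser"))
        if uid == 0:
            findings.append((c["name"], "runAsUser is 0 (root)"))
        elif non_root is not True:
            findings.append((c["name"], "runAsNonRoot is not true"))
        if sc.get("privileged") is True:
            findings.append((c["name"], "privileged container"))
        # Unset leaves no_new_privs off, so require an explicit false.
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append((c["name"], "allowPrivilegeEscalation not false"))
    return sorted(findings)

DEPLOYMENT = {  # constructed sample: pod-level default, one container overrides it
    "kind": "Deployment", "metadata": {"name": "web"},
    "spec": {"template": {"spec": {
        "securityContext": {"runAsNonRoot": True},
        "containers": [
            {"name": "app", "securityContext": {"allowPrivilegeEscalation": False}},
            {"name": "sidecar", "securityContext": {"runAsUser": 0, "privileged": True}},
        ],
    }}},
}
POD = {  # constructed sample: no securityContext at all
    "kind": "Pod", "metadata": {"name": "job"},
    "spec": {"containers": [{"name": "main"}]},
}

if __name__ == "__main__":
    for m in (DEPLOYMENT, POD):
        for container, finding in audit(m):
            print(f'{m["kind"]}/{m["metadata"]["name"]} {container}: {finding}')
```

Run in CI against rendered manifests, a non-empty result from `audit` can fail the build before an over-permissioned workload reaches a cluster.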
As application services communicate with other resources, internally or outside of the application, appropriate safeguards must also be put in place to manage inbound and outbound communication. Policies determine what data is allowed to go where and what services are allowed to communicate with one another. Similar to RBAC, the best practice is to establish a “zero trust model” for networking and permissions that enables communication to happen only where it is needed. These policies must be applied. Policy-as-code is the best option within Kubernetes, but the challenge that presents itself is how to check that the policy has been applied to every cluster. Again, this is a time-consuming and error-prone process without automation.
SSL certificates are used for encrypting network traffic to safeguard data as it’s transmitted. These certificates need to be rotated/updated/managed to ensure that data is being encrypted properly.
In Kubernetes, cert-manager runs within a cluster as a series of deployment resources. It utilizes CustomResourceDefinitions to configure Certificate Authorities and request certificates. This customization should be checked against policies to ensure that each CustomResource has all the right security checks, from privileges to capabilities and more.
Kubernetes Policy Enforcement
To address the challenges around policy enforcement in Kubernetes, we have developed Fairwinds Insights. Built upon our open source tooling including Polaris, Fairwinds Insights is a policy-driven Kubernetes configuration validation platform. It ensures that throughout the entire development lifecycle, containers and pods are checked against security policy and other best practices. That means users don’t accidentally expose a cluster to a CVE, privileges are in line with policy and the entire environment adheres to policy. Not only does Fairwinds Insights use Kubernetes policy enforcement to improve security, it also offers users efficiency and reliability benefits so that clusters scale properly to avoid downtime and costs are kept under control.