Kubernetes Vulnerability Management: Keep Third-party Images Up-to-Date
Written By: Joe Pelletier
The Kubernetes ecosystem is built on a vast array of open source technologies. Kubernetes itself is one of the largest open source projects, and a community of tools and cluster add-ons have grown exponentially around the project to extend functionality and support a variety of mission-critical use cases.
It’s very common for a Kubernetes cluster to have a dozen or more third-party add-ons running critical infrastructure services, such as ingress, DNS, certificate management, RBAC, and more. While these add-ons tend to be powerful and well-maintained, they also introduce vulnerabilities that are important to monitor. (At their core, add-ons are really just container images, and those images can carry libraries and dependencies with known vulnerabilities.)
Last week the Fairwinds team was at KubeCon EU to discuss this, among other security, cost and Kubernetes guardrail issues we help companies solve. We announced updates to our platform, Fairwinds Insights, that help unify DevSecOps with additional shift-left security enhancements. Included in the news is new functionality offering third-party image upgrade recommendations.
Third-Party Container Risk
The problem scope is fairly wide. Fairwinds’ Kubernetes Configuration Benchmark Report finds that a third (33%) of organizations have at least half of their workloads running with outdated Helm charts, and that 60% have images with vulnerabilities in production. Helm charts are a common way to deploy add-ons, and outdated Helm charts can carry unpatched vulnerabilities.
So, when using third-party add-ons or container images, what can you reasonably do to better secure your clusters? Since you do not maintain these projects, upgrading your add-ons and container images tends to be the best way to reduce the number of vulnerabilities you may be exposed to. Third-party add-ons that are well maintained may push security patches on a regular basis, so incorporating those into your Kubernetes infrastructure is key.
To make this easy, Fairwinds has added functionality to recommend upgrade paths for third-party images scanned by our Kubernetes governance platform. Fairwinds Insights will look into the image repository, identify newer tags available for that container image, and recommend a version to upgrade to with fewer vulnerabilities than what is currently running in the cluster.
This capability provides DevOps and security engineers with enormous time savings. Before this feature, engineers would need to identify their riskiest containers, manually check image repos to see if there is a newer version, manually scan the newest version to understand the vulnerability posture, and then make a determination if the image should be upgraded.
Fairwinds Insights accelerates time-to-fix by automating all of this work, giving engineers a straightforward recommendation that includes the tag to upgrade to and the number of vulnerabilities reduced (as well as the highest severity vulnerability).
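To make the recommendation logic concrete, here is an added example (not Fairwinds Insights code) that reproduces the decision described above over constructed scan results: given the tag currently running and a per-tag vulnerability summary for that image, it picks a newer tag with the fewest vulnerabilities, breaking ties on lowest highest-severity and then on newest version, and reports the tag, the reduction in vulnerability count and the worst remaining severity. The `TagScan` records and the semver-style tags are assumptions standing in for whatever a real scanner and registry listing would return.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Ordering used to compare "highest severity" between candidate tags (assumed scale).
SEVERITY_RANK = {"NONE": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


@dataclass
class TagScan:
    """One image tag and the summary a vulnerability scanner produced for it (hypothetical shape)."""
    tag: str
    vuln_count: int
    highest_severity: str


def parse_version(tag: str) -> Optional[Tuple[int, ...]]:
    """Turn 'v1.9.1' into (1, 9, 1); non-numeric tags such as 'latest' return None and are skipped."""
    try:
        return tuple(int(p) for p in tag.lstrip("v").split("."))
    except ValueError:
        return None


def recommend_upgrade(current_tag: str, scans: List[TagScan]) -> Optional[dict]:
    """Return the recommended tag, the vulnerability reduction and its highest severity, or None."""
    cur_ver = parse_version(current_tag)
    current = next((s for s in scans if s.tag == current_tag), None)
    if cur_ver is None or current is None:
        return None  # cannot reason about an unparseable or unscanned current tag
    # Only tags that are strictly newer and strictly reduce the vulnerability count qualify.
    candidates = [s for s in scans
                  if (v := parse_version(s.tag)) is not None and v > cur_ver
                  and s.vuln_count < current.vuln_count]
    if not candidates:
        return None
    # Fewest vulnerabilities first, then lowest worst-severity, then newest version.
    best = min(candidates, key=lambda s: (s.vuln_count,
                                          SEVERITY_RANK[s.highest_severity],
                                          tuple(-x for x in parse_version(s.tag))))
    return {"tag": best.tag,
            "vulns_reduced": current.vuln_count - best.vuln_count,
            "highest_severity": best.highest_severity}


# Constructed sample listing for one image: tags as a registry might return them, with scan results.
SAMPLE_SCANS = [
    TagScan("v1.7.5", 5, "LOW"),        # older than current: never recommended
    TagScan("v1.8.0", 42, "CRITICAL"),  # currently running in the cluster
    TagScan("v1.8.1", 30, "CRITICAL"),
    TagScan("v1.9.0", 12, "HIGH"),
    TagScan("v1.9.1", 12, "MEDIUM"),    # same count as v1.9.0 but lower worst severity
    TagScan("v2.0.0", 15, "HIGH"),
    TagScan("latest", 3, "LOW"),        # mutable tag, not a version: skipped
]

if __name__ == "__main__":
    print(recommend_upgrade("v1.8.0", SAMPLE_SCANS))
```

A real implementation would also filter candidates by the same architecture and base image variant and would re-scan a tag before trusting its count, since registry metadata alone does not tell you which CVEs a newer tag actually fixes.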
Ensure your organization gets continuous scanning and runtime monitoring of your Kubernetes environment — sign up to start your Fairwinds Insights trial.