Why Kubernetes deployment needs a security first mindset [Q&A]
Kubernetes has been at the forefront of container deployment, allowing the automation of development, scaling and management, and supported on a wide range of public cloud platforms.
But as with any cloud deployment there are potential risks from mis-configuration, poorly managed access privileges and more. It's important therefore that when deploying Kubernetes security is given top priority.
We spoke to Matt Bates, chief technology officer and co-founder of Jetstack, to find out more.
BN: What is the current state of Kubernetes maturity?
MB: Kubernetes has rapidly increased in popularity in the UK over the past year and many companies are now using it at scale. According to CNCF data from 2020, 78 percent of organizations are using Kubernetes for projects in production. It is now the de facto standard for container orchestration, the technology is offered across all major cloud platforms today, with a vast and growing ecosystem driving productivity, cost, operational and many other benefits for end users. But as with most technologies, its growing popularity has also led to increased scrutiny from threat actors.
BN: Why is Kubernetes seeing such rapid adoption?
MB: Kubernetes is a portable, extensible, open-source platform for managing containerized workloads and services that facilitates both declarative configuration and automation. Containers provide a powerful tool for addressing several critical application concerns, including the need for faster delivery, agility, portability, modernization, and lifecycle management. According to Gartner, it's predicted that 75 percent of large enterprises will have adopted containers by 2024 because of these advantages.
With Kubernetes, multiple areas of the business benefit. Operations teams like the improved resource utilization, while developers love shorter software development lifecycles. For finance and business, leaders there are reduced public cloud costs and better support for strategically critical digital transformation initiatives. Perhaps most crucially from a technology standpoint, Kubernetes is a highly efficient way to maintain core infrastructure which is great for development teams as they can focus application innovation while relying on automation to, manage machine identities and other pre-defined security policies.
BN: How has the adoption of Kubernetes changed the threat landscape?
MB: As Kubernetes deployments increase, attacks do too. Containers enable speed, portability, and the ability to take advantage of microservices architectures. However, they can also create security blind spots and increase the attack surface. As more containers are deployed, maintaining visibility into an enterprises' cloud-native infrastructure components becomes more difficult. The distributed nature of containerized applications makes it a challenge to investigate which containers may have vulnerabilities, be misconfigured, or pose a risk to an organization. A study revealed that adversaries could detect a new misconfigured container within an average of five hours -- the fastest within a few minutes and the longest at 24 hours. The implication is clear that once a container is set up, it must be secured as soon as possible, or it will be too late and it’s likely the container will already be compromised.
Keys and certificates, which serve as machine identities, provide a foundational layer of security and trust for Kubernetes environments, and across the IT and cloud ecosystem. By securing machine-to-machine communications, organizations can mitigate serious attempts to compromise containers, spread malware and steal information. Managing these identities is becoming increasingly complex because of the highly distributed and dynamic nature of Kubernetes environments. Adopting Kubernetes applications, means they take advantage of various open-source modules.
Platform teams must ensure that they continue to do regular Kubernetes version updates on an ongoing, continuous basis. If regular updates are not completed, the infrastructure can become vulnerable to exploitation by cyber actors who can focus their attacks to gain access rights for user data and applications residing inside clusters.
BN: What complications are organizations facing when trying to get the most from Kubernetes?
MB: As with any infrastructure system, Kubernetes is not without its problems. For an enterprise actively deploying Kubernetes it can take time to understand and get it right. The rise of cloud-native architectures has resulted in highly dynamic environments where change is the only constant. As the volume and velocity of innovation increase, there is an exponential rise in the level of workloads as development activity scales upwards. This speed of workload deployment means containers are constantly spun up and down in a matter of seconds. However, each needs to be given an identity, typically using a digitally signed certificate, which must be managed throughout its lifecycle -- even if that certificate lifecycle is no more than a few minutes. This need to manage high volume; ephemeral identities can create complexity and risk. Enterprises are struggling to issue and manage these identities at cloud speed and scale. The result is a new type of security vulnerability which risks application outages due to the lack of effective management of machine identities. Tacking this particular risk is becoming a huge business need, especially if the infrastructure is scaling fast. The key to success will be driving education and awareness of security best practices and enforcing machine identity visibility as a vital part of enterprise security posture for platform teams.
BN: Where do companies need help to build cloud-native projects?
MB: Since the beginning of Kubernetes adoption, we at Jetstack have been directly supporting businesses to use Kubernetes, from creating technical Proof of Concepts for evaluation, to more mature production-ready environments to underpin an enterprise's need to scale. There isn't a one-size-fits-all approach to Kubernetes adoption. We enable enterprises to manage their machine identities across cloud-native Kubernetes and Openshift environments. This gives them support to build a personalized, detailed view of their overall enterprise security posture.
Jetstack Secure also extends the capabilities of cert-manager, which is an open-source project invented by Jetstack that has become hugely popular. Cert-manager simplifies the issuing of machine identities within cloud native environments by automating the management and issuance of TLS certificates from various certificate authorities.
With these tools and services, enterprises adopting Kubernetes can empower their teams of developers to deploy quickly and securely. As enterprises grow and scale their infrastructure and the number of clusters increase, developers need high levels of consistency. Automation goes a long way to deliver this consistency but ignoring the challenges that come from real-time management of their machine identities will undermine the developer process and leave the infrastructure open to attack. Most enterprises will already be seeing a surge in the use of both private and public certificates and it’s important to ensure full workload security for both web-facing and pod-to-pod traffic.
BN: What impact has the COVID-19 pandemic had on Kubernetes and machine identities?
MB: During the pandemic, 97 percent of organizations have accelerated their digital initiatives, in most cases to adapt to the sudden nationwide shift to remote working. To ensure that employees and security teams can continue to collaborate in their dispersed locations, employers are using a host of new technologies including mobile devices, IoT products, and containers. All of which means there are even more machines communicating with one another, and in turn, more machines that need to ensure they’re secure in their communications using machine identities. As organizations have innovated quickly to keep up with the shift of hybrid working, many teams have turned to DevOps to meet their digital goals faster. However, security teams have not always kept up. As a result, new security risks have been introduced and security teams have overlooked automating their machine identities and regularly monitoring them to keep them safe.