Containers and Kubernetes come with new – or at least renewed – security considerations. They also catalyze teams to rethink their legacy security strategies, moving away from monolithic or waterfall-ish approaches where security doesn’t get invited to the party until right before it starts.
Some folks call this the “shift left” mindset, meaning you move security as close to the start of your software development lifecycle or CI/CD pipeline as possible, even if you do so gradually. The idea is to lean as heavily on automation as possible, detecting and remediating issues early and often, rather than waiting until there’s a fire to put out in production. (For more on CI/CD basics, check out this primer: What is CI/CD?)
The paired trends of containerization and orchestration can help with security and compliance as you make that shift.
“One of the biggest benefits of a platform like Kubernetes is that it enables significant automation of security and compliance, especially with respect to configurations,” says Wei Lien Dang, co-founder and chief strategy officer at Stackrox. “These automated processes and tools can help organizations better gauge the security posture and overall risk of their Kubernetes environments at any point.”
The shift-left mindset can even apply to security policy enforcement, which can in turn benefit compliance.
“Policy enforcement, too, can be applied at various checkpoints – in CI/CD pipelines, at deployment, or at runtime – based on specified requirements, leveraging the orchestrator itself for greater scalability and reliability,” Dang says.
[ Kubernetes terminology, demystified: Get our Kubernetes glossary cheat sheet for IT and business leaders. ]
How to automate compliance and security
Let’s examine three key paths toward increasing security and compliance automation with containerization and orchestration.
1. Be obsessive about configurations
It’s often wise to take a layered approach to container security itself. Automation is a key part of ensuring security and compliance here. Examples include automating security policies governing the use of container images stored in your private registry, as well as performing automated security testing as part of your build or continuous integration process. Check out a more detailed explanation of this approach in 10 layers of container security.
Kubernetes comes with a rich set of security-related features, such as role-based access control, namespaces, and other capabilities. But as we’ve discussed previously, you can’t typically lean on the default settings out of the gate.
“Kubernetes is a complex system with many configurations and options, some of which have security implications and might even create significant risk [if left in their default state],” says Rani Osnat, VP of strategy at Aqua Security.
Properly configuring these features is a foundation for automating security and compliance with containers and orchestration. (This is also an area where a commercial platform like Red Hat OpenShift, built on top of the open source project, can help.)
[ Read also: OpenShift and Kubernetes: What’s the difference? ]
“Security best practices can be automatically applied at multiple levels throughout Kubernetes – at a cluster level, namespace level, deployment/service level, pod level, et cetera,” Dang says.
You’ll find more expert advice on securing your container deployments with Kubernetes in Kubernetes deployments: 6 security best practices. And if you’re still learning the lingo – like the terms Dang just mentioned – check out this quick primer: What’s the difference between a pod, a cluster, and a container?
2. Automate as much detection and policy enforcement as possible
Just as you can take a more declarative, automated approach to operating infrastructure, you can do the same (or similar) with security. And as noted above, this is integral to container security and Kubernetes security.
“These environments are designed to be operated with declarative APIs that allow infrastructure to be configured securely as it is provisioned and applications to be configured securely as they are built and deployed,” Dang says.
That means the “managing X as code” approach can be extended to security, too.
“Enterprises seeking to automate Kubernetes compliance and security should also aim to leverage security-policy-as-code and behavioral learning [or machine learning] together whenever possible,” says Gary Duan, CTO at NeuVector.
This technical strategy helps support a “shift left” mindset to security. “Doing so helps introduce workload security policies early on in application development, which then protect environments all the way through production,” Duan says.
Duan shares a couple of examples of “must-do’s” from a security and compliance standpoint. The first is to automate vulnerability scanning at runtime.
“When automating Kubernetes compliance and security, you’ll want to execute vulnerability scanning at runtime that scans not just containers, but also the host and Kubernetes itself,” Duan says.
The second is automated networking segmentation. In fact, in some industries, regulatory compliance might require it, along with other security policies.
“With compliance reporting and management increasingly required for more and more organizations, automated network segmentation is necessary to comply with many of the major industry regulations,” Duan says. “For example, PCI DSS security standards governing payments processing call for segmentation and firewalling between traffic within and outside of the cardholder data environment.”
In Duan’s view, manually adjusting firewall rules in response to new or evolving threats is a non-starter in containerized environments. “For this reason, many regulations rightfully require runtime scanning and compliance checks to be automated,” Duan adds.
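The "security-policy-as-code" idea from this section, together with the private-registry image policy mentioned under point 1, as an added example that is not the article's code or any vendor's tool: a small gate that a CI job or admission hook could run over rendered manifests before deployment. The approved registry prefix, the cardholder-data namespace name and the sample manifests are constructed for illustration.

```python
import re

APPROVED_REGISTRY = "registry.internal.example/"  # assumed private registry prefix
CDE_NAMESPACES = {"payments"}                     # assumed cardholder-data namespaces

def check_pod(pod):
    """Return policy violations for one Pod-shaped manifest (given as a dict)."""
    findings = []
    meta, spec = pod.get("metadata", {}), pod.get("spec", {})
    name = f"{meta.get('namespace', 'default')}/{meta.get('name', '?')}"
    if spec.get("hostNetwork"):
        findings.append(f"{name}: hostNetwork shares the node's network stack")
    for c in spec.get("containers", []):
        sc, image, cname = c.get("securityContext", {}), c.get("image", ""), c.get("name")
        if not image.startswith(APPROVED_REGISTRY):
            findings.append(f"{name}/{cname}: image {image!r} is not from the approved registry")
        if not re.search(r"@sha256:[0-9a-f]{64}$", image):
            findings.append(f"{name}/{cname}: image is not pinned by digest")
        if sc.get("privileged"):
            findings.append(f"{name}/{cname}: privileged container")
        if not sc.get("runAsNonRoot"):
            findings.append(f"{name}/{cname}: runAsNonRoot is not set")
    return findings

def check_segmentation(namespace, policies):
    """A CDE namespace must carry a default-deny NetworkPolicy: empty podSelector
    (selects every pod) and policyTypes covering both Ingress and Egress."""
    if namespace not in CDE_NAMESPACES:
        return []
    for p in policies:
        if p.get("metadata", {}).get("namespace") != namespace:
            continue
        spec = p.get("spec", {})
        if spec.get("podSelector") == {} and {"Ingress", "Egress"} <= set(spec.get("policyTypes", [])):
            return []
    return [f"{namespace}: no default-deny NetworkPolicy covering ingress and egress"]

# Constructed sample manifests (not from any real cluster).
GOOD_POD = {"metadata": {"name": "api", "namespace": "payments"},
            "spec": {"containers": [{"name": "api", "securityContext": {"runAsNonRoot": True},
                                     "image": APPROVED_REGISTRY + "api@sha256:" + "a" * 64}]}}
BAD_POD = {"metadata": {"name": "debug", "namespace": "payments"},
           "spec": {"hostNetwork": True, "containers": [{"name": "sh",
                    "image": "docker.io/library/busybox:latest", "securityContext": {"privileged": True}}]}}
DEFAULT_DENY = {"metadata": {"name": "default-deny", "namespace": "payments"},
                "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]}}
```

Running `check_pod` and `check_segmentation` in the pipeline and failing the build on any finding is the "early and often" enforcement the section describes; the same functions could back a validating admission webhook at deploy time.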
Kubernetes operators are another emerging tool for automating security needs. “The really cool thing is that you can use Kubernetes operators to manage Kubernetes itself – making it easier to deliver and automate secured deployments,” Red Hat security strategist Kirsten Newcomer recently explained to us. “For example, operators can manage drift, using the declarative nature of Kubernetes to reset any unsupported configuration changes.”
Read the full article for insights from Newcomer and other experts: Kubernetes security: New tech, familiar attack vectors.
3. Use benchmarks to test continuously – and automate that work, too
Even once your configurations are properly set, it’s important to remember that, by design, your containerized workloads and the infrastructure they run on aren’t static. These are dynamic environments, and you’ll need to treat security as a continuous practice.
“Compliance checks can be automated as well, to assess adherence to various benchmarks and industry standards,” Dang says.
From a security and compliance standpoint, one of the best-known standards for checking (and rechecking) your Kubernetes environment is the CIS Kubernetes Benchmark, a free checklist of around 200 settings and best practices for secure configuration.
That means it’s thorough. It also means regularly checking your dynamic environment against this list on an entirely manual basis could become a bear. Good news: There are tools that can automate that work.
Aqua makes kube-bench, for example, a free open source tool that automatically checks your environment against the CIS Kubernetes Benchmark. (Other Red Hat OpenShift partners offer similar tools. Today, Red Hat OpenShift Container Platform 4 meets the majority of the CIS guidance by default; some items are intentionally left optional for the user.)
“Using it [kube-bench] allows organizations to constantly check their security posture and ensure that their cluster hasn’t drifted out of compliance,” Osnat says.
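The kind of continuous benchmark check and drift detection described here, as an added example that is neither the article's code nor kube-bench: a few CIS-style rules evaluated against a kube-apiserver command line, plus a diff against a baseline snapshot. The flags are real kube-apiserver flags, but the rule set and expected values are assumptions chosen for illustration, and the command lines are constructed rather than captured from a cluster.

```python
import shlex

# Each rule: flag -> (expected value, or None for "must merely be present", reason).
# Flags are real kube-apiserver flags; the expected values are assumptions here.
RULES = {
    "--anonymous-auth": ("false", "anonymous requests must be rejected"),
    "--authorization-mode": (None, "an explicit authorization mode must be set"),
    "--audit-log-path": (None, "audit logging must be enabled"),
    "--profiling": ("false", "the profiling endpoint should be disabled"),
}

def parse_flags(cmdline):
    """Turn 'kube-apiserver --a=1 --b 2 --c' into {'--a': '1', '--b': '2', '--c': ''}."""
    flags, tokens, i = {}, shlex.split(cmdline)[1:], 0
    while i < len(tokens):
        tok = tokens[i]
        if "=" in tok:
            key, value = tok.split("=", 1)
            flags[key] = value
        elif i + 1 < len(tokens) and not tokens[i + 1].startswith("--"):
            flags[tok] = tokens[i + 1]
            i += 1
        else:
            flags[tok] = ""  # bare boolean flag; the API server treats it as true
        i += 1
    return flags

def audit(cmdline):
    """Return benchmark failures for one kube-apiserver command line."""
    flags, failures = parse_flags(cmdline), []
    for flag, (expected, why) in RULES.items():
        actual = flags.get(flag)
        if actual is None:
            failures.append(f"{flag} missing: {why}")
        elif expected is not None and actual != expected:
            failures.append(f"{flag}={actual!r}, expected {expected!r}: {why}")
    return failures

def drifted(baseline, current):
    """Flags whose value changed between a baseline snapshot and the current one."""
    b, c = parse_flags(baseline), parse_flags(current)
    return sorted(k for k in b.keys() | c.keys() if b.get(k) != c.get(k))

# Constructed command lines (not captured from a real cluster).
HARDENED = ("kube-apiserver --anonymous-auth=false --authorization-mode=Node,RBAC "
            "--audit-log-path=/var/log/kube-apiserver/audit.log --profiling=false")
DRIFTED = "kube-apiserver --anonymous-auth=true --authorization-mode=Node,RBAC --profiling"
```

Scheduling `audit` on a timer and alerting on a non-empty result, or on any output from `drifted` against the last approved snapshot, is the automated "hasn't drifted out of compliance" check Osnat describes.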
NeuVector also offers a set of scripts – also free and open source – for automatically checking Kubernetes installations against best practices.
Let’s keep the open source train rolling: Aqua also oversees kube-hunter, which simulates attacks (based on known vulnerabilities) on your cluster.
“If the CIS Benchmark looks at individual settings and their impact on overall security posture, kube-hunter takes a complementary approach by pen-testing your cluster against dozens of known attack vectors,” Osnat says. “It literally tries to attack your cluster, and using it ensures that your cluster isn’t susceptible to known attacks. It offers remediation advice on which setting to change in order to close the security gaps discovered.”
Finally, there’s a newer addition to the open source menu: Starboard, also from Aqua, is essentially a security toolkit for Kubernetes installations.
“It integrates a variety of tools into the K8s experience, including vulnerability scanners, workload auditors, and benchmark tests,” Osnat says. “It does so by using K8s CRDs (custom resource definitions) and from there, it can be accessed using the Kubernetes API. Users familiar with kubectl (K8s’ native CLI) can then easily find security information at their fingertips, and program further automation.”
[ Want to learn more? Get the free eBooks: Getting Started with Kubernetes and O'Reilly: Kubernetes Operators: Automating the Container Orchestration Platform. ]