Alcide Blog

Securing Kubernetes Deployments From Runway To Take-off

Sep 24, 2020 8:38:51 AM / by Rachel Cheyfitz

Kubernetes use is rising rapidly: in the 2019 CNCF (Cloud Native Computing Foundation) survey, 78% of this year’s respondents reported that they use Kubernetes today, 58% more respondents than last year. With numbers like those, it looks like everyone is headed towards the cloud.

But, just as for any journey, you want to make sure your ride starts smoothly and stays smooth, which means you need to plan, prepare, and regularly monitor.

Think about how an airplane journey really operates. During security checks, you verify that whoever is asking to enter the more secured areas is allowed to, and you check their baggage and carry-ons to make sure only approved items enter the secure zones. Once afforded entry, you continue to track and monitor with cameras, tags, special authorizations and the like - only staff are allowed in the most sensitive areas, while some VIP passengers have special services available only to them and passengers can only move around in the public areas.


In short, different groups are allowed to do different things. During this time, the ground staff are making sure the airplane is in order and flight staff in the tower are making sure monitoring and controls are working. Once in flight, you’re pretty confident that everything will go smoothly - but the control tower monitors and communicates with the pilot and crew for the duration of the flight to stay on top of things and act fast in case of emergency.

Kubernetes is much the same. But with Kubernetes, these requirements can be hard to fulfill. Misconfigurations and security are still a primary concern for Kubernetes deployments. Compliance with the regulations of different industries is a huge challenge. Additionally, K8s experts are scarce, and gaining enough visibility and control over a large deployment without that expertise can be nearly impossible.

Implementing some best practices and important security guardrails as early as possible and for the long run will ensure that you’re at least one step closer to a calmer deployment experience.

To understand better, we can break things down into these parts:

  • Check-in and preliminary security screening: planning and configuring your deployment
  • Pre-flight: monitoring security areas prior to takeoff
  • In-flight: runtime monitoring

Let’s take a closer look at each one of these parts in more detail:

Check-in and Preliminary Security Screening

At any airport, you will always be welcomed by staff who know what they’re doing. This is because they’ve been trained, and they’ve been involved in the preparation process. Similarly, once you’ve planned your microservices architecture, it’s time to get your DevOps teams involved.
It’s important to educate these teams on security issues. Document and explain how they should participate in security efforts, and what they can do in their day-to-day work to keep your organization safe from data breaches. Know the risks related to Kubernetes deployments and be prepared before going live. Make sure everyone involved is aware of your security policy, and that it accounts for new zero-day vulnerabilities and exploits, compliance breaches and more.

Remember: whether a company finds and fixes the mistake themselves, or leaves it for a hacker to find and exploit, can mean the difference between a company’s success and failure.


Managing the configuration and deployment strategy of your Kubernetes services is like the security checks performed before allowing airplane crew and passengers to pass the gate to highly secured areas and to the boarding area. This is when you check luggage, personal items, interview passengers about where they've come from, check their tickets and the like.

The Kubernetes vulnerability scanner helps perform checks early in the development process by covering a rich set of Kubernetes and Istio security best practices, as well as compliance checks, such as (but certainly not limited to!):

  • Kubernetes vulnerability scanning
  • Hunting misplaced secrets
  • Excessive secret access
  • Workload hardening from pod security to network policies
  • Istio configuration and best practices
  • Ingress controllers for best practices
  • Kubernetes API server access privileges
  • Kubernetes operator best practices

You should push planning and security as far left as possible; by getting started early, you can make sure risks are flagged and removed before deployment, and that only an authorized deployment configuration is allowed into the production environment. This saves time and money and, more importantly, better protects your data and intellectual property.
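As an added illustration of the kind of pre-deployment checks in the list above (a constructed example, not Alcide Advisor's code), the following Python flags a few of the misconfigurations that list names on a single Pod manifest: host namespace sharing, privileged containers, missing runAsNonRoot, and credentials placed directly in environment variables instead of a Secret reference. The credential-name pattern and the sample manifest are assumptions.

```python
"""Constructed example (not Alcide Advisor): static hardening checks on a Pod
manifest, covering a few items from the list above."""
import json
import re

# Assumption: a naive heuristic for env var names that usually carry credentials.
SECRET_NAME_RE = re.compile(r"PASSWORD|SECRET|TOKEN|API_KEY", re.IGNORECASE)


def check_pod(pod):
    """Return (severity, message) findings for one Pod manifest (dict form)."""
    findings = []
    spec = pod.get("spec", {})
    name = pod.get("metadata", {}).get("name", "<unnamed>")
    for flag in ("hostPID", "hostNetwork", "hostIPC"):
        if spec.get(flag):
            findings.append(("high", f"{name}: shares host namespace via {flag}"))
    pod_sc = spec.get("securityContext", {})
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        cname = c.get("name", "<unnamed>")
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            findings.append(("high", f"{name}/{cname}: runs privileged"))
        # runAsNonRoot may be set at pod or container level; either satisfies the check.
        if not (sc.get("runAsNonRoot") or pod_sc.get("runAsNonRoot")):
            findings.append(("medium", f"{name}/{cname}: runAsNonRoot not enforced"))
        for env in c.get("env", []):
            # A literal value in a credential-looking variable is a misplaced secret;
            # the manifest should use valueFrom.secretKeyRef instead.
            if SECRET_NAME_RE.search(env.get("name", "")) and "value" in env:
                findings.append(("high", f"{name}/{cname}: plaintext secret in env {env['name']}"))
    return findings


# Constructed sample manifest (JSON form of a Pod) with deliberate problems.
SAMPLE_POD = json.loads("""
{"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "billing"},
 "spec": {"hostPID": true,
          "containers": [{"name": "app", "image": "example/billing:1.0",
                          "securityContext": {"privileged": true},
                          "env": [{"name": "DB_PASSWORD", "value": "hunter2"},
                                  {"name": "DB_HOST", "value": "db"}]}]}}
""")

if __name__ == "__main__":
    for severity, message in check_pod(SAMPLE_POD):
        print(f"[{severity}] {message}")
```

Running it against the sample prints four findings; a manifest that sets runAsNonRoot and pulls credentials through secretKeyRef produces none.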

Read more about shifting left on our blog.

Monitoring Restricted Areas

After the preliminary security checks, passengers and crew are allowed into more restricted areas. Just because your passengers have been allowed into the boarding area, though, does not mean they’ve been authorized to enter the entire airport. To make sure there are no breaches, everyone must still be monitored and areas must be kept secure. Some are only allowed in the general public areas and to board the flights on which they’re scheduled; others can access VIP services; and employees are allowed into different parts of the secure areas, with the offices and the runway, for example, each restricted to different staff.

In the same way, you should ensure Kubernetes administrative traffic through your deployments (from your control plane) is authorized and that you can easily identify anomalous behaviors and suspicious activity patterns.


K8s audit logs are your source of truth for coping with malicious activity. But dealing with audit logs can feel like looking for a needle in a haystack. Real-time forensics and automated analysis of Kubernetes audit logs enable early detection and cut down much of the noise that makes raw audit logs so hard to work with.

Alcide kAudit analyzes your Kubernetes logs, identifying abnormal API and administrative activity and compromised k8s resources. Results are then displayed clearly from the advanced dashboard. This enables deep data-based investigation, helping you identify problems and take action immediately without having to sift through raw logs on your own. Read more about automated analysis here.
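To make the needle-in-a-haystack point concrete, here is an added example (constructed, not kAudit's implementation) of a baseline-and-deviation pass over Kubernetes audit events in JSON-lines form: it records which (user, verb, resource) combinations a known-good window contained, then flags secret accesses outside that baseline, kubectl exec sessions, and users who collect repeated 403 responses. The threshold and the sample events are assumptions.

```python
"""Constructed example (not Alcide kAudit): baseline-and-deviation checks over
Kubernetes audit events, plus a repeated-403 heuristic for permission probing."""
import json
from collections import Counter

FORBIDDEN_THRESHOLD = 3  # assumption: 3+ forbidden answers from one user is worth an alert


def event_key(ev):
    """(user, verb, resource) triple that characterises one API access."""
    return (ev["user"]["username"], ev["verb"], ev.get("objectRef", {}).get("resource", ""))


def parse_audit(jsonl):
    """Audit events arrive as one JSON object per line (the log/webhook backend format)."""
    return [json.loads(line) for line in jsonl.strip().splitlines() if line.strip()]


def analyze(baseline, events):
    """Return alert strings for a window of events, given a set of known-good keys."""
    alerts, forbidden = [], Counter()
    for ev in events:
        user, verb, resource = event_key(ev)
        ref = ev.get("objectRef", {})
        if ev.get("responseStatus", {}).get("code") == 403:
            forbidden[user] += 1
        # Any secret access (allowed or denied) outside the baseline is reported.
        if resource == "secrets" and (user, verb, resource) not in baseline:
            alerts.append(f"new secret access: {user} {verb} secrets in {ref.get('namespace', '')}")
        # kubectl exec shows up as a create on the pods/exec subresource.
        if resource == "pods" and ref.get("subresource") == "exec":
            alerts.append(f"pod exec: {user} on {ref.get('name')}")
    for user, n in forbidden.items():
        if n >= FORBIDDEN_THRESHOLD:
            alerts.append(f"{n} forbidden responses from {user} (possible enumeration)")
    return alerts


# Constructed sample events, trimmed to the fields the checks use.
BASELINE_LOG = """
{"verb":"get","user":{"username":"system:serviceaccount:prod:api"},"objectRef":{"resource":"secrets","namespace":"prod","name":"db-creds"},"responseStatus":{"code":200}}
"""
WINDOW_LOG = """
{"verb":"get","user":{"username":"system:serviceaccount:prod:api"},"objectRef":{"resource":"secrets","namespace":"prod","name":"db-creds"},"responseStatus":{"code":200}}
{"verb":"list","user":{"username":"system:serviceaccount:prod:web"},"objectRef":{"resource":"secrets","namespace":"prod"},"responseStatus":{"code":200}}
{"verb":"get","user":{"username":"dev-bob"},"objectRef":{"resource":"nodes"},"responseStatus":{"code":403}}
{"verb":"list","user":{"username":"dev-bob"},"objectRef":{"resource":"clusterroles"},"responseStatus":{"code":403}}
{"verb":"get","user":{"username":"dev-bob"},"objectRef":{"resource":"secrets","namespace":"kube-system"},"responseStatus":{"code":403}}
{"verb":"create","user":{"username":"admin"},"objectRef":{"resource":"pods","subresource":"exec","namespace":"prod","name":"billing-0"},"responseStatus":{"code":101}}
"""
ALERTS = analyze({event_key(e) for e in parse_audit(BASELINE_LOG)}, parse_audit(WINDOW_LOG))
```

The known service account's repeat of its baseline access produces nothing, while the four deviations in the window each produce one alert.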

Schedule and Monitor Throughout the Flight

No less important than the configurations and preparations before takeoff are the ongoing monitoring and scheduling while in-flight. One of the best defenses against attacks and unexpected activity is to continue watching the screens for odd objects in the skies, maintaining contact with the control tower, and continuing to separate individuals on the flight based on access rights (only pilots and the head attendant can access the cockpit, only staff and authorized travellers can access first class areas, etc.).

Implementing guardrails during development is critical, but never replaces ongoing monitoring at runtime. During production, there are a lot of things you need to be on the lookout for. As a “gatekeeper”, your admission controllers validate and prevent risky and vulnerable deployments. Check out this blog post for more information about admission controllers.



While the Kubernetes and service mesh layers offer fundamental security, there are still many aspects that you should automate in order to ensure maximum ongoing protection. The Alcide Runtime modules protect the Kubernetes container network with ongoing monitoring and continuous auditing of your deployment to detect and mitigate vulnerabilities and reduce risks. They do this by leveraging machine learning threat detection engines to pinpoint suspicious network activity and to detect unauthorized activity and processes. The Runtime modules also help you deploy and maintain the principle of least privilege with a microservices firewall, offering granular policies down to the pod.

Get a Unified Automated Solution with Alcide

Managing so many requirements and tasks can be cumbersome. Getting your developers and DevOps on board and collaborating from early in development can sometimes feel like a fantasy. And sifting through audit logs, tracking real-time activity and handling threats can be daunting - maybe even nearly impossible. In fact, according to the second edition of the State of the Kubernetes Ecosystem from The New Stack, more than 40% of companies with Kubernetes deployments claim that “culture change and security continue to be challenging.” It’s enough to drive you mad - without a little help.

Figure: The CI/CD pipeline covered by Alcide and its security modules

By implementing the right tools, organizations enable and empower DevOps to collaborate with security teams early in the development cycle — with an emphasis on the word “collaborate”. Alcide helps security professionals truly connect with their development and operations colleagues to pool knowledge, share resources, and generally team up.

Learn more about the modules we offer and try Alcide Advisor now - it’s free forever!

Topics: kubernetes, Kubernetes security, Advisor, Runtime, sKan, kaudit