Open in app

Sign in

Write

Sign in

How Kubernetes Advances DevSecOps

Nipuna Dilhara
6 min readFeb 22, 2020

First of all, let’s break down the topic.

There are two main keywords: Kubernetes and DevSecOps.

I assume that you have the basic idea of what is Kubernetes and how it works. If you haven’t, this is the Wikipedia introduction for Kubernetes:

Kubernetes (commonly stylized as k8s) is an open-source container orchestration system for automating application deployment, scaling, and management [1].

Explaining the Kubernetes is a topic for another post. So let’s move forward.

Then what is DevSecOps?

It is the short term for Development, Security and Operations. If you are an IT guy or even remotely related to IT, then you should have heard about DevOps at least once in your life. How DevSecOps different from DevOps? Is it just bringing security into DevOps pipelines? Since it is not a familiar term, let’s talk more about it.

One major obstacle in the application deployment process is to maintain the balance between:

  • Speed of delivery
  • Security of the code

When we focus on one of these, the other one tends to go downwards. This makes these two facts as opposing goals. What DevSecOps simply does is efficiently align these two goals so that the security testings and improvements are done on the application code without slowing down the delivery cycles.

So how were the things done in good old days?

In earlier days, ensuring the security was given to a specific team during the final stage of development. This can negatively considerably affect on DevOps efficiency.

That is how DevSecOps comes into the image.

What DevSecOps simply means is focusing on application security from the start while maintaining the rapid and frequent development cycles of DevOps. In other terms, rather than considering the application security as a separate layer, it has been integrated into the end to end the DevOps cycle. The DevOps applications are often lacking in terms of security. This has overcome by DevSecOps by gathering the development, operational and security aspects under one umbrella.

So how these concepts related to the topic? Without further ado:

Let’s see how DevSecOps works in Kubernetes.

Since the container-based application deployment has become the new trend, almost all companies who wants to grab the benefit of these new technologies started to adapt to them. Nowadays the container-based application deployment at its heap and container orchestration platforms has become an essential part of DevOps.

When hearing the term ‘container orchestration platforms’ what comes to your mind first? It is Kubernetes for sure.

A Kubernetes cluster generally consists of nodes. Each node consists of one or more pods. Each pod consists of one or more containers. Simple as that huh?

So what these containers consist of? They host the containerized application images. Hence the deployed application security means the security of these container images.

The focus on container-based application security should be escalated more than ever due to how things work around them. There are main risks involved with these applications such as:

  • Clear-text secrets
  • Embedded malware
  • Insecure software or libraries
  • Bugs
  • Outdated images and
  • Use of untrusted images

So how can we strengthen the Kubernetes security?

1. By reducing the Kubernetes attack surface

2. By utilizing inbuilt Kubernetes platform security features

3. By using open source tools for Kubernetes security

Let’s see each of the above one by one.

1. Reducing the Kubernetes attack surface

A Kubernetes cluster might be hosting hundreds of containers inside it. Larger the cluster gets, larger become possibilities for security vulnerabilities. Due to the complexity of Kubernetes architecture and the volume of containers hosted by it, the attack surface that a malicious attacker can utilize it quite massive.

How can we limit access to these potential vulnerabilities?

One possible approach is to minimize the privileges to applications running on the Kubernetes cluster. This will make sure that only authorized users are granted the ability to perform actions on applications running in the cluster. Hence it decreases the chances for an attacker to launch any malicious attack on the cluster applications.

Also, it would be better to use the base image always when building containers.

Another highly recommended approach is to secure all the connections relevant to the Kubernetes cluster using SSL/TLS so it makes almost impossible to launch Man in the Middle attacks and compromise other vulnerabilities.

Even though with all these precautions, it would be better to:

  • Check for vulnerabilities periodically
  • Review audit logs
  • Review network policies and pod security policies
  • Review Kubernetes secrets

How can we perform all these security checks? Let’s talk about it in the 2nd point about strengthening Kubernetes’ security.

2. Utilizing inbuilt Kubernetes platform security features

Here are some facilities provided by Kubernetes to heighten the security level.

  • Authentication and Authorization

In Kubernetes, you must be authenticated (logged in) before your request can be authorized (granted permission to access). Kubernetes authorizes API requests using the API server. It evaluates all of the request attributes against all policies and allows or denies the request.

  • Audit logging

These logs should be reviewed regularly to identify any breakthroughs.

  • Network policies

Here you can configure which pods are allowed to talk with which pods. By default, all pods can talk to each other. The cluster can be more secured by customizing these policies

  • Pos security

Only allow admins to control specific actions on the Pods.

  • Kubernetes secrets

Can be used to store sensitive data.

Other than these inbuilt features, Kubernetes has been privileged with other open-source tools that are intended for Kubernetes security.

3. Open-source tools for Kubernetes security

  • TUF

The TUF stands for ‘The Update Framework’. The TUF can be used for secure software updates which are based on the ideas relevant to trust and integrity.

  • Notary

Similarly to the TUF, Notary is also a tool for secure software updates and distributions.

  • Clair

This is a nice tool that can be used for static analyses of vulnerabilities in containers.

  • Kube-bench

This tool helps to ensure whether a Kubernetes cluster is deployed according to security best practices.

  • Kubesec

The Kubesec helps to quantify risks for Kubernetes resources.

  • Kubeaudit

The Kubeaudit can be used to audit applications in the Kubernetes cluster as the name implies.

Well, I feel like that is a lot of information.

I suppose that the provided details are enough to get a clearer understanding of how Kubernetes supports DevSecOps. If you have any doubts or need to know more details please feel free to leave a comment. I will google it and provide you with the answer ;).

See you soon with another post.

[1] https://en.wikipedia.org/wiki/Kubernetes

[2] https://www.redhat.com/en/topics/devops/what-is-devsecops

[3] https://blog.sonatype.com/kubesecops-kubernetes-security-practices-you-should-follow

Kubernetes
DevOps
Devsecops
Security
Container Orchestration

--

--

Nipuna Dilhara

Written by Nipuna Dilhara

155 Followers

Software Engineer @WSO2

Help

Status

About

Careers

Blog

Privacy

Terms

Text to speech

Teams