Cloud native security for your clusters
Author: Pushkar Joglekar
Over the last few years a small, security focused community has been working diligently to deepen our understanding of security, given the evolving cloud native infrastructure and corresponding iterative deployment practices. To enable sharing of this knowledge with the rest of the community, members of CNCF SIG Security (a group which reports into CNCF TOC and who are friends with Kubernetes SIG Security) led by Emily Fox, collaborated on a whitepaper outlining holistic cloud native security concerns and best practices. After over 1200 comments, changes, and discussions from 35 members across the world, we are proud to share cloud native security whitepaper v1.0 that serves as essential reading for security leadership in enterprises, financial and healthcare industries, academia, government, and non-profit organizations.
The paper attempts to not focus on any specific cloud native project. Instead, the intent is to model and inject security into four logical phases of cloud native application lifecycle: Develop, Distribute, Deploy, and Runtime.
Kubernetes native security controls
When using Kubernetes as a workload orchestrator, some of the security controls this version of the whitepaper recommends are:
- Pod Security Policies: Implement a single source of truth for “least privilege” workloads across the entire cluster
- Resource requests and limits: Apply requests (soft constraint) and limits (hard constraint) for shared resources such as memory and CPU
- Audit log analysis: Enable Kubernetes API auditing and filtering for security relevant events
- Control plane authentication and certificate root of trust: Enable mutual TLS authentication with a trusted CA for communication within the cluster
- Secrets management: Integrate with a built-in or external secrets store
Cloud native complementary security controls
Kubernetes has direct involvement in the deploy phase and to a lesser extent in the runtime phase. Ensuring the artifacts are securely developed and distributed is necessary for, enabling workloads in Kubernetes to run “secure by default”. Throughout all phases of the Cloud native application life cycle, several complementary security controls exist for Kubernetes orchestrated workloads, which includes but are not limited to:
- Image signing and verification
- Image vulnerability scanners
- Pre-deployment checks for detecting excessive privileges
- Enabling observability and logging
- Using a service mesh for workload authentication and authorization
- Enforcing “default deny” network policies for inter-workload communication via network plugins
- Deploying security monitoring agents for workloads
- Isolating applications that run on the same node using SELinux, AppArmor, etc.
- Scanning configuration against recognized secure baselines for node, workload and orchestrator
Understand first, secure next
The cloud native way, including containers, provides great security benefits for its users: immutability, modularity, faster upgrades and consistent state across the environment. Realizing this fundamental change in “the way things are done”, motivates us to look at security with a cloud native lens. One of the things that was evident for all the authors of the paper was the fact that it’s tough to make smarter decisions on how and what to secure in a cloud native ecosystem if you do not understand the tools, patterns, and frameworks at hand (in addition to knowing your own critical assets). Hence, for all the security practitioners out there who want to be partners rather than a gatekeeper for your friends in Operations, Product Development, and Compliance, let’s make an attempt to learn more so we can secure better.
We recommend following this 7 step R.U.N.T.I.M.E. path to get started on cloud native security:
- Read the paper and any linked material in it
- Understand challenges and constraints for your environment
- Note the content and controls that apply to your environment
- Talk about your observations with your peers
- Involve your leadership and ask for help
- Make a risk profile based on existing and missing security controls
- Expend time, money, and resources that improve security posture and reduce risk where appropriate.
Huge shout out to Emily Fox, Tim Bannister (The Scale Factory), Chase Pettet (Mirantis), and Wayne Haber (GitLab) for contributing with their wonderful suggestions for this blog post.