As the use of containers rises in popularity in test and production environments, there is certainly an increase in demand for a means to manage and orchestrate them. Of all the orchestration tools, Kubernetes (K8s) has emerged as the market leader in cloud-native environments. Unfortunately, Kubernetes is not as adept at security as it is at orchestration. Portshift believes it is critical to use the right deployment architecture and security best practices for all deployments.
To make this a reality, Portshift has announced five security best practices for DevOps and development professionals managing Kubernetes deployments.
Take a look at five security best practices for tackling the K8’s security challenge:
- Authorization: Kubernetes offers several authorization methods which are not mutually exclusive. It is recommended to use RBAC and ABAC in combination with Kubernetes where RBAC policies will be forced first, while ABAC policies complement this with finer filtering.
- Pod Security: Since each pod contains a set of one or more containers, it is essential to control their communication. This is done by using Pod Security Policies which are cluster-level resources that control security sensitive aspects of the pod specification.
- Container Security: Kubernetes includes basic workload security primitives related to container security. However, if apps, or the environment, are not configured correctly, the containers become vulnerable to attacks.
- Migration to Production: As companies move more deployments into production, that migration increases the volume of vulnerable workloads at runtime. This issue can be overcome by applying the solutions described above, as well as making sure that your organization maintains a healthy DevOps/DevSecOps culture.
- Securing CI/CD Pipelines on Kubernetes: Running CI/CD on Kubernetes allows for the build-out, testing, and deployment of K8‘s environments that can quickly be scaled as needed. Security must be baked at the CI/CD process because otherwise attackers can gain access at a later point and infect your code or environment.
As Portshift puts it, integrating these security measures into the early stages of the CI/CD pipeline will enable organizations to detect security issues earlier.
Portshift also added that the service mesh is a powerful complement to K8’s security infrastructure. Used in conjunction with Kubernetes, the service mesh supports applied security at the service level, not just at the network level.