The NSA, yes, the National Security Agency, has two jobs. One, which you know about from many spy movies and the like, is to eavesdrop on communications outside the United States. The other half of their job, though, is less well known: protecting communications from other would-be snoopers. So it is that the NSA made the original Security-Enhanced Linux (SELinux); has written guidelines on how to secure video conferencing, text chatting, and collaboration tools; and now explains how to harden Kubernetes against attackers.
This isn’t the first time the NSA has helped us to secure Kubernetes. Their new Kubernetes Hardening Guide has been updated and is more useful today. For instance, the NCC Group saw that the first version’s information about Kubernetes authentication was “largely incorrect” because it claimed Kubernetes doesn’t provide an authentication method by default. NCC Group noted, though, that Kubernetes supports both token and certificate authentication natively.
These improvements are important. We need all the help we can get to secure Kubernetes. According to the Cloud Native Computing Foundation (CNCF)’s 2021 Cloud Native Survey, 96% of organizations now use or evaluate Kubernetes. Indeed, 5.6 million developers are already using Kubernetes worldwide. That’s a resounding 31% of all backend developers.
Now, of that huge number, how many do you think are securing Kubernetes properly? My guess, based on talking and watching Kubernetes developers at work, is far, far too few. As Red Hat recently pointed out, human error is a leading cause of Kubernetes security mishaps. Indeed, 94% of those surveyed admitted they have experienced a security incident in their Kubernetes and container environments in the last 12 months.
This is a real problem. Hackers know as well as we do that we’re now living in a world moving to containers and Kubernetes as quickly as possible for all our IT work. That means, as the NSA points out, Kubernetes clusters are a prime target for data theft, computational power theft, and denial of service attacks. And let’s not forget, in times of cyberwar, Kubernetes is a promising target.
Currently, data theft is the number one target. But increasingly cyber actors are trying to hijack Kubernetes clusters for cryptocurrency mining. In short, there are many people out there after your Kubernetes installations and it behooves you to defend as best as you can.
Specifically, the NSA recommends:
That’s all good, but it’s also all rather generic. I hope no matter whether you’re running a single simple Linux, Apache, MySQL, PHP/Perl/Python (LAMP) server or a multi-thousand node, complex Kubernetes cluster, you’re already doing all that.
Of course, patching in Kubernetes environments is hard. Besides Kubernetes itself, numerous other programs run with it and within it to do real work. There’s nothing simple about running Kubernetes so, sadly, it only makes sense that it’s also hard to secure.
For example, we all know we shouldn’t run applications as root, but by default, many Kubernetes container services run as the root user, and applications execute within them as root even though they don’t need privileged execution. Nonetheless, all too often, the NSA warns us, developers build container applications that execute as root. Why? Because it’s so easy. But it’s also so dangerous.
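One way to find the containers this warning is about, as an added example that is not from the article or the NSA guide: the script reads pod specs in the shape of `kubectl get pods -A -o json` output and flags containers that run as root, can fall back to the image's default user, or are privileged. The function name `root_findings` and the sample pods are constructed for illustration.

```python
import json

# Constructed sample in the shape of `kubectl get pods -A -o json` output.
SAMPLE = json.loads("""
{"items": [
  {"metadata": {"namespace": "shop", "name": "web"},
   "spec": {"containers": [{"name": "nginx", "image": "nginx"}]}},
  {"metadata": {"namespace": "shop", "name": "api"},
   "spec": {"securityContext": {"runAsNonRoot": true, "runAsUser": 10001},
            "containers": [
              {"name": "app", "image": "api"},
              {"name": "debug", "image": "tools",
               "securityContext": {"runAsUser": 0, "runAsNonRoot": false}}]}},
  {"metadata": {"namespace": "ops", "name": "agent"},
   "spec": {"securityContext": {"runAsUser": 1000},
            "initContainers": [{"name": "setup", "image": "init",
                                "securityContext": {"privileged": true}}],
            "containers": [{"name": "agent", "image": "agent"}]}}
]}
""")


def root_findings(pod_list):
    """Return (namespace, pod, container, reason) for containers that may run as root."""
    findings = []
    for pod in pod_list.get("items", []):
        meta, spec = pod["metadata"], pod["spec"]
        pod_sc = spec.get("securityContext") or {}
        for c in spec.get("initContainers", []) + spec.get("containers", []):
            c_sc = c.get("securityContext") or {}
            # Container-level settings override pod-level ones.
            uid = c_sc.get("runAsUser", pod_sc.get("runAsUser"))
            non_root = c_sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
            if c_sc.get("privileged"):
                reason = "privileged container"
            elif uid == 0:
                reason = "runAsUser is 0"
            elif uid is None and not non_root:
                reason = "no runAsUser/runAsNonRoot; image default user applies"
            else:
                continue
            findings.append((meta.get("namespace", "default"), meta["name"], c["name"], reason))
    return findings


if __name__ == "__main__":
    for ns, pod, ctr, reason in root_findings(SAMPLE):
        print(f"{ns}/{pod} [{ctr}]: {reason}")
```

A container with `runAsNonRoot: true` and no `runAsUser` is not flagged, because the kubelet refuses to start it if the image's user is root.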
And, of course, Kubernetes has its fair share of its own security problems. For instance, the Cybersecurity and Infrastructure Security Agency (CISA), NSA’s partner in this guide, recently warned of a critical Kubernetes Capsule Operator reverse proxy privilege escalation flaw, CVE-2022-23652, with a terribly high CVSS severity score of 8.8.
Securing Kubernetes can be a full-time job. The NSA mentions that there are third-party security programs that can help. Of course, these also come with their own security concerns. On the other hand, given Kubernetes’ complexity, any help you can get from such programs as Calico Cloud, JetStack Secure, and Falco, and from newer security approaches such as zero trust, is to be welcomed.