 |
VOOZH | about |
|
VOOZH | about |
We’re so glad you’re here. You can expect all the best TNS content to arrive Monday through Friday to keep you on top of the news and at the top of your game.
Check your inbox for a confirmation email where you can adjust your preferences and even join additional groups.
Follow TNS on your favorite social media networks.
Become a TNS follower on LinkedIn.
Check out the latest featured and trending stories while you wait for your first TNS newsletter.
A few years back, Kubernetes was in full development and many of its basic concepts were still evolving, so security was not a huge priority. But as K8s deployments have moved into production, more attention is being focused in securing Kubernetes and its workloads. Gadi Naor has been following Kubernetes security from the start. Alcide, the company Naor founded and now serves as CTO, offers an end-to-end Kubernetes security platform.
For this week’s episode of The New Stack Context podcast, we speak with Naor about a variety of Kubernetes security-related topics. Last week, Naor hosted a Kubernetes security webinar for the Cloud Native Computing Foundation, which in addition to offering many helpful hints, discussed in detail the spate of recent vulnerabilities found in Kubernetes. And for The New Stack, he wrote about the problem of configuration drift in Kubernetes, and why it can’t be solved simply through continuous integration tools.
TNS editorial and marketing director Libby Clark hosted this episode, alongside TNS senior editor Richard MacManus, and TNS managing editor Joab Jackson.
Episode 128: Operators Can Be a Security Hazard
One of the most surprising parts of the conversation was when Naor had explained his worries about operators, a framework increasingly used to manage complex applications on Kubernetes:
If someone is basically building an operator to deploy a single instance of an application, that’s a wrong use for an operator. You would be way better using Helm charts or customized resources and push stuff to a cluster. Operators run normally as extremely privileged components, from an audit perspective, which means they become a weak link inside your cluster. I try to scan it in [continuous integration] but it means nothing to all the tools because it’s very vendor-specific, irresponsibly-vendor specific. You end up running with something that actually weakens your Kubernetes security posture. So at the end of the day, it makes a lot of sense to create an operator [for Prometheus] because it automates a lot of the wiring of your monitoring systems. And it does that very elegantly. But you have security vendors, which I will not name, that use the operator to deploy a single instance, and is abusing this notion [of an operator].
Other topics discussed include:
Then, later in the show, we take a look at some of The New Stack‘s top posts from the week:
At this time, The New Stack does not allow comments directly on this website. We invite all readers who wish to discuss a story to visit us on Twitter or Facebook. We also welcome your news tips and feedback via email: feedback@thenewstack.io.
