Posts under Kubernetes Security
The container orchestrator war is over, and Kubernetes has won. With companies large and small rapidly adopting the platform, security has emerged as an important concern – partly because of the learning curve inherent in understanding any new infrastructure, and partly because of recently announced vulnerabilities. Kubernetes brings another security dynamic to the table – its defaults are geared towards making it easy for users to get up and running quickly, as well as being backward compatible with earlier releases of Kubernetes that lacked important security features.
Two Kubernetes security vulnerabilities were disclosed yesterday: CVE-2019-1002101, a high severity issue, and CVE-2019-9946, a medium severity issue. Read on for a description of the vulnerabilities and their impact, how to know whether you’re affected, and what the remediation steps are. CVE-2019-1002101: kubectl cp could replace or delete files on a user machine This vulnerability is in the kubectl binary – specifically, in the kubectl cp command. An attacker can exploit this vulnerability to write files to any path on the user’s machine, limited only by the system permissions of the local user.
Kubernetes 1.14 is out! As always, we at StackRox are excited to dive in and see what’s new. And this release didn’t disappoint – from major new features and security improvements to small enhancements that simplify the day-to-day life of operators, this update includes a lot to unpack (and a few deprecation warnings to watch out for!). Windows Support is now Stable This feature is the big one: starting with 1.
Kubernetes provides several built-in security capabilities, including network security, resource isolation, access control, and logging and auditing. One of the more recent security capabilities is a group of plugins known as admission controllers. Admission controllers enable governance and enforcement of how clusters are used. Kubernetes ships with over 30 admission controllers, which are listed here along with their descriptions. This article assumes you have a basic understanding of admission controllers, but if you are unfamiliar with them, check out Kubernetes reference guide on admission controllers to learn more.
When we officially launched the StackRox Kubernetes Security Platform about 18 months ago, we highlighted that microservices, containers, and Kubernetes were the next stage in the evolution of application development in the cloud-native stack. While DevOps embraced microservices and its advantages in delivering unprecedented speed, efficiency, and portability, security teams were frequently left in the dark or brought in a little too late. Today, security teams are proactively working with DevOps to ensure that their organization’s security and compliance requirements are adequately addressed before new apps go live.
More and more organizations are transforming their businesses by embracing DevOps principles, microservice design patterns, and container and orchestrator technologies such as Docker and Kubernetes. While security teams have the same mission regardless of the technology stack in use – keep the bad guys out and find and stop them if they do break in – the tools and tactics security staff employ must change to accommodate this infrastructure shift.