Posts under kubernetes security
StackRox is continuing to shape the future of Kubernetes by enabling customers to build, deploy and run cloud-native applications at scale securely. In recent months, we have released several new, important features covered in this post, focusing on enhanced detection capabilities and simplified administrative workflows. This focus drove new protections for the Kubernetes API server, additional context for the Network Graph, support for the syslog protocol, and a simplified Helm chart installation and upgrade process.
Kubernetes namespaces are a central part of how we structure, deploy, and manage containers today. However, namespaces are not a new concept; in fact, Linux namespaces were introduced in 2002 and designed to separate and group individual processes and capabilities. So how did the idea grow to be used in the robust fashion it is used today? This blog will review; What is a Namespace? What makes Kubernetes Namespace different?
Why Kubernetes? When containers first broke onto the scene, it was immediately apparent that it was a disruptive technology. What was not clear was how containers were going to be scaled and orchestrated effectively. In the early days, the container orchestration competition was intense, with applications such as Docker Swarm, Apache Mesos, and Kubernetes aiming to address this issue. However, in the last six years, Kubernetes has differentiated itself and pulled away as the clear container orchestration choice.
Chris Porter, Director of Solutions Engineering at StackRox recently joined Cloud Economist, Corey Quinn on ‘Screaming in the Cloud’ for a chat about eliminating security risks in Kubernetes. You can listen to the conversation in the podcast episode below, or you can read through the transcript that follows, condensed and modified for clarity. Corey Quinn: Welcome to screaming in the cloud. I’m Corey Quinn. I’m joined on this promoted episode by Chris Porter, Director of Solutions Engineering over at StackRox.
KubeCon Announcement and Linux Foundation Update On Tuesday during KubeCon, the Cloud Native Computing Foundation (CNCF) announced the Certified Kubernetes Security Specialist certification is now generally available. The announcement confirmed important information that we previously outlined in our most recent blog detailing the CKS. Thanks to the updates from the Linux Foundation documentation, the updated exam structure is: 2 hours long Require a passing score of 67% 15-20 performance-based tasks Uses Kubernetes version 1.
This is part three of our four-part OpenShift security blog series. Don’t forget to check out our previous blog posts in the series: Part 1 - OpenShift security best practices for designing clusters Part 2 - OpenShift networking and cluster access best practices Adhering to best practices for running your workloads in OpenShift is critical to keeping the cluster and all its workloads safe. While Kubernetes provides several capabilities that can help protect your workloads, it’s up to you to use them to safeguard your cloud-native applications.
What is the Certified Kubernetes Security Specialist (CKS)? The CKS is the third Kubernetes based certification backed by the Cloud Native Computing Foundation (CNCF). CKS will join the existing Certified Kubernetes Administrator (CKA) and Certified Kubernetes Application Developer (CKAD) programs. All three certifications are online, proctored, performance-based exams that will require solving multiple Kubernetes security tasks from the command line. With the massive investment into Kubernetes over the last five years, these certifications continue to be highly sought after by many seeking technical knowledge about Kubernetes.
Red Hat’s OpenShift Container Platform (OCP) is a Kubernetes platform for operationalizing container workloads remotely or as a hosted service. OpenShift enables consistent security, built-in monitoring, centralized policy management, and compatibility with Kubernetes workloads. The rapid adoption of open source projects can introduce vulnerabilities in standard Kubernetes Environments. OCP supports these projects internally, allowing users to gain open source advantages with a managed product’s stability and security. OpenShift offerings include five managed and two hosted options.
Organizations are rapidly moving their Kubernetes applications to production to accelerate feature velocity and drive digital transformation and business growth. Our latest State of Kubernetes Security survey report shows that companies have standardized on Kubernetes, and this rapid adoption offers equal parts promise and peril. Promise, in the form of infrastructure that enables far greater inherent security than ever before. And peril, as companies struggle to overcome a skills gap and configure the technology in the most secure manner.
Faster application development and release, quicker bug fixes, and increased feature velocity are three of the most often cited benefits of containerization. However, when security becomes an afterthought, you risk diminishing the greatest gain of containerization – agility. Rolling out an application that hasn’t passed a security assessment puts the business at too great a risk. To prevent delays in application deployment and realize the benefits of containers and Kubernetes, organizations must shift left with security, building it into the development phase so they can address as many security challenges as possible during the build stage.
To understand how to effectively secure your Kubernetes environments, it is informative to understand the architecture of Kubernetes itself as well as where and how to focus efforts on valuable mitigations, especially those which require administrator or user configuration when provisioning clusters. Kubernetes is a robust yet complex infrastructure system for container orchestration, with multiple components that must be adequately protected. Each Kubernetes cluster consists of two sets of components: (1) the control plane which is used to manage operations throughout the cluster, and (2) the cluster’s worker nodes which run containerized applications in pods.
We were already having a great day yesterday – responding to all the congratulations messages on our funding, our huge 240% increase in revenue, and our customer momentum – when news hit that we were named amongst that select group of SINET 16 Innovator Award winners. Wow. The tally of security vendors hovers around 2500, and we’re called out as one of the 16 most innovative across that entire landscape. This recognition is just one more indicator of the power of our unique approach to securing cloud-native infrastructure.
I’ve had the good fortune to get to know Pathik Patel, head of cloud security at Informatica, over the past 18 months since he became a StackRox customer, and today we’re sharing the news of our joint success story. Across our numerous conversations, he has repeatedly impressed me with his forward thinking on how to innovate security processes, approaches, and tooling to keep Informatica at the forefront of securely enabling sophisticated data management, detailed in this case study.
Right on the heels of last week’s news that we’re providing Kubernetes security for DoD’s Platform One software factory, we’re excited to share today that we’ve been awarded a Phase III contract with the Department of Homeland Security. In this stage of our partnership, we’re deploying our Kubernetes Security Platform to protect running systems at a large U.S. bank. The DHS Science and Technology Directorate (S&T) uses its Silicon Valley Innovation Program (SVIP) to invest in next-generation security technologies to protect critical infrastructure, including mission-critical, cloud-native applications for financial institutions.
Part six of our nine-part blog series – where we examine each of the nine MITRE ATT&CK tactics and techniques for Kubernetes – covers Credential Access, a set of activities intended for stealing sensitive credentials such as application secrets, passwords, and tokens that may be used by either users or service accounts. These credentials can subsequently be used to gain access to resources that include applications, cluster resources (e.g., pods, controllers, or other Kubernetes objects), cloud resources, and others.
StackRox is in the midst of our own “Fed ramp” of sorts, with news today that we’ve been awarded a Department of Defense SBIR Phase II Award, our long history with In-Q-Tel and multiple deployments in the U.S. Intelligence Community, and more news coming soon on additional Fed initiatives. We have deep roots in protecting the cloud-native apps of many civilian and Intelligence Community agencies, including our long partnership with In-Q-Tel.