Posts under Kubernetes Security
A new Kubernetes security vulnerability was announced today, along with patch releases for the issue for Kubernetes versions 1.13, 1.14, and 1.15. CVE-2019-11247 discloses a serious vulnerability in the K8s API that could allow users to read, modify or delete cluster-wide custom resources, even if they only have RBAC permissions for namespaced resources. If your clusters aren’t using Custom Resource Definitions (CRDs), you aren’t affected. But CRDs have become a critical component of many Kubernetes-native projects like Istio, so many users are impacted.
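The two questions the paragraph raises are the ones to answer first: is the API server on a patched release, and does the cluster carry cluster-scoped CRDs, which are the resources the flaw exposes. The following triage helper is an example added here; it is not StackRox or Kubernetes project code. The patched version numbers (v1.13.9, v1.14.5, v1.15.2) are taken from the upstream fix announcement and should be verified against it, the input shapes mirror the JSON of `kubectl version -o json` and `kubectl get crd -o json`, and the sample version and CRD list are constructed for the example.

```python
"""Triage helper for CVE-2019-11247, added as an example; not StackRox or
Kubernetes project code.

Assumptions: first patched releases are v1.13.9, v1.14.5 and v1.15.2 (from the
upstream fix announcement; verify against it). Inputs mirror the JSON shapes of
`kubectl version -o json` and `kubectl get crd -o json`; the samples at the
bottom are constructed for this example.
"""
import json
import re
from typing import Dict, List, Tuple

# minor release -> first patch level that carries the fix (assumption, see above)
FIXED_IN: Dict[int, int] = {13: 9, 14: 5, 15: 2}


def parse_version(git_version: str) -> Tuple[int, int, int]:
    """Turn 'v1.14.3' or 'v1.14.3-gke.11' into (1, 14, 3)."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", git_version)
    if not m:
        raise ValueError("unrecognised version string: %r" % git_version)
    major, minor, patch = (int(x) for x in m.groups())
    return major, minor, patch


def server_is_patched(git_version: str) -> bool:
    """True when the API server release carries the CVE-2019-11247 fix."""
    major, minor, patch = parse_version(git_version)
    if major != 1:
        raise ValueError("only Kubernetes 1.x is covered by the advisory")
    if minor < 13:
        return False  # end-of-life lines received no fix
    if minor > 15:
        return True   # branched after the fix landed
    return patch >= FIXED_IN[minor]


def cluster_scoped_crds(crd_list: dict) -> List[str]:
    """Names of CRDs whose custom resources are cluster-scoped."""
    return sorted(
        item["metadata"]["name"]
        for item in crd_list.get("items", [])
        if item.get("spec", {}).get("scope") == "Cluster"
    )


def assess(version_json: dict, crd_list: dict) -> dict:
    """Combine both checks: unpatched server plus cluster-scoped CRDs = affected."""
    git_version = version_json["serverVersion"]["gitVersion"]
    exposed = cluster_scoped_crds(crd_list)
    patched = server_is_patched(git_version)
    return {
        "server": git_version,
        "patched": patched,
        "cluster_scoped_crds": exposed,
        "affected": not patched and bool(exposed),
    }


# Constructed sample inputs (hypothetical CRD names).
SAMPLE_VERSION = {"serverVersion": {"gitVersion": "v1.14.3"}}
SAMPLE_CRDS = {
    "items": [
        {"metadata": {"name": "widgets.example.com"}, "spec": {"scope": "Cluster"}},
        {"metadata": {"name": "gadgets.example.com"}, "spec": {"scope": "Namespaced"}},
    ]
}

if __name__ == "__main__":
    print(json.dumps(assess(SAMPLE_VERSION, SAMPLE_CRDS), indent=2))
```

Against a live cluster, feed the helper the output of `kubectl version -o json` and `kubectl get crd -o json`; a result with `affected: true` means namespaced RBAC grants on those CRD kinds should be reviewed until the control plane is upgraded.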
The awards just keep rolling in … We are thrilled to announce that StackRox has been chosen as a Gold Winner at the 14th Annual Network Products Guide’s 2019 IT World Awards in the Security Services category. StackRox was recognized for our container-native and Kubernetes-native security solution to help our customers protect containers and Kubernetes environments throughout the container life cycle. Containers and Kubernetes have drastically accelerated and streamlined cloud-native application development and deployment, with organizations across industries containerizing their most critical production workloads at an ever increasing pace.
We recently repeated our survey of IT and security practitioners to understand the state of security in your container and Kubernetes environments. In our inaugural survey last year, the key findings included: lack of an adequate security strategy topped the list of container strategy concerns; runtime was the lifecycle phase of most concern from a security perspective; and Kubernetes was used by just over half (57%) of respondents for container orchestration. This time around we expanded the audience from 230 to more than 390 IT and security practitioners.
Right on the heels of winning two CODiE awards, StackRox was just named a Computer Reseller News 2019 Emerging Vendor. StackRox and our Kubernetes-native container security platform were chosen for our ability to help organizations harden and secure Kubernetes environments at scale. DevOps practices and the cloud-native stack provide the channel with rich opportunities to help companies enable business transformation. The underlying technologies of containers and Kubernetes, however, wreak havoc with traditional security tooling and processes.
Kubernetes is by far the most widely used container orchestrator in the market, and Kubernetes adoption – especially in production environments – is taking off. According to Gartner, “by 2022, more than 75% of global organizations will be running containerized applications in production.” The explosion in Kubernetes adoption hasn’t been without its share of security concerns. Earlier this year, the runC vulnerability, which allows an attacker to gain host-level code execution by breaking out of a running container, was discovered.
This is the third article of a three-part blog series reviewing Gartner Security & Risk Management Summit 2019. Don’t forget to read article one titled Gartner’s Top 10 Security Projects for 2019 - Container Security Makes the List, and article two titled Gartner on Securing Cloud-Native Apps. We’ve been sharing the highlights of Gartner’s recent Security conference – the inclusion of container security in Gartner’s list of Top 10 Security Projects for 2019 and Best Practices for Securing Cloud-native Apps.
Another quarter, another Kubernetes release! On June 19, the Kubernetes Release Team announced the delivery of Kubernetes 1.15. The first thing that jumps out about Kubernetes 1.15 is that, in contrast to previous releases, it introduces relatively few new features. This is actually exciting! It is a sign that the project has reached a certain level of stability and maturity. Organizations can now more easily hop on the Kubernetes train, without having to worry about keeping up with the same flurry of feature additions and deprecations (along with rapidly-changing best-practices) that has been the norm until now.
Anyone who has even a passing interest in Kubernetes and the cloud native ecosystem has probably heard of Istio. Getting a clear description of what exactly Istio is, what it can (and can’t) do, and whether it’s a technology you might need are all a little harder to find. Hopefully, this post will help clear up some of the confusion. The Istio Service Mesh: what is a service mesh? The term “service mesh” can apply either to the set of overlapping network connections between services in a distributed application or to a set of tools used to manage that group of connected services.
Today news broke that Palo Alto Networks (NYSE: PANW) is buying container security startup Twistlock for approximately $410 million. The acquisition provides great validation of the container security market and broader cloud-native security market. Twistlock is Palo Alto’s third security acquisition since Nikesh Arora took over as CEO and reflects the growing importance of the broader cloud security market. Enterprises today are looking for ways to enforce security and compliance policies as they embrace the business benefits of cloud-native application architectures across multi-cloud and hybrid cloud environments.
The container orchestrator war is over, and Kubernetes has won. With companies large and small rapidly adopting the platform, security has emerged as an important concern – partly because of the learning curve inherent in understanding any new infrastructure, and partly because of recently announced vulnerabilities. Kubernetes brings another security dynamic to the table – its defaults are geared towards making it easy for users to get up and running quickly, as well as being backward compatible with earlier releases of Kubernetes that lacked important security features.
Two Kubernetes security vulnerabilities were disclosed yesterday: CVE-2019-1002101, a high severity issue, and CVE-2019-9946, a medium severity issue. Read on for a description of the vulnerabilities and their impact, how to know whether you’re affected, and what the remediation steps are. CVE-2019-1002101: kubectl cp could replace or delete files on a user machine. This vulnerability is in the kubectl binary – specifically, in the kubectl cp command. An attacker can exploit this vulnerability to write files to any path on the user’s machine, limited only by the system permissions of the local user.
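The bug class behind the kubectl cp issue is an unpacker that trusts the paths inside an archive produced by the other side: a tar stream from a compromised container can carry `../` components or symlinks that land outside the chosen destination. The code below is an example added here to show what a path-confined extraction looks like; it is not kubectl's code and does not reproduce the project's actual fix. The archive it unpacks is constructed in memory to stand in for a hostile stream, and the policy (regular files and directories only, resolved path must stay under the destination, links refused outright) is this example's choice.

```python
"""Path-confined tar extraction, added as an example of the bug class behind
CVE-2019-1002101; not kubectl's code and not its fix.

The archive below is constructed in memory to stand in for what a malicious
tar binary inside a container could stream back to `kubectl cp`.
"""
import io
import os
import tarfile
import tempfile
from typing import Dict, List


def build_sample_tar() -> bytes:
    """Constructed archive: one honest file, one '..' traversal, one symlink."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in [("ok/hello.txt", b"hello\n"), ("../../escape.txt", b"owned\n")]:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
        link = tarfile.TarInfo("ok/link")
        link.type = tarfile.SYMTYPE
        link.linkname = "../../.bashrc"
        tar.addfile(link)
    return buf.getvalue()


def classify_members(tar_bytes: bytes, dest: str) -> Dict[str, List[str]]:
    """Split members into those safe to write under dest and those to refuse.

    Rules: regular files and directories only, and the resolved path must stay
    inside dest. Symlinks and hardlinks are refused rather than chased, since a
    link written early can redirect a later member.
    """
    dest_real = os.path.realpath(dest)
    kept, rejected = [], []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        for member in tar.getmembers():
            target = os.path.realpath(os.path.join(dest_real, member.name))
            inside = os.path.commonpath([dest_real, target]) == dest_real
            if inside and (member.isfile() or member.isdir()):
                kept.append(member.name)
            else:
                rejected.append(member.name)
    return {"kept": kept, "rejected": rejected}


def extract_safely(tar_bytes: bytes, dest: str) -> Dict[str, List[str]]:
    """Write only the members classify_members accepts; return the verdicts."""
    verdict = classify_members(tar_bytes, dest)
    allowed = set(verdict["kept"])
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        for member in tar.getmembers():
            if member.name not in allowed:
                continue
            path = os.path.join(dest, member.name)
            if member.isdir():
                os.makedirs(path, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as out:
                out.write(tar.extractfile(member).read())
    return verdict


def demo() -> List[str]:
    """Extract the sample archive into a scratch dir and list what landed."""
    with tempfile.TemporaryDirectory() as dest:
        extract_safely(build_sample_tar(), dest)
        written = []
        for root, _dirs, files in os.walk(dest):
            for f in files:
                written.append(os.path.relpath(os.path.join(root, f), dest))
    return sorted(written)


if __name__ == "__main__":
    print(classify_members(build_sample_tar(), "/home/user/download"))
    print(demo())
```

The check resolves every member against the real destination path before anything is written, so a traversal is rejected even when the destination itself is reached through a symlink. Refusing links entirely is stricter than necessary for honest archives but removes the ordering problem that makes partial fixes fragile.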
Kubernetes 1.14 is out! As always, we at StackRox are excited to dive in and see what’s new. And this release didn’t disappoint – from major new features and security improvements to small enhancements that simplify the day-to-day life of operators, this update includes a lot to unpack (and a few deprecation warnings to watch out for!). Windows Support is now Stable. This feature is the big one: starting with 1.
Kubernetes provides several built-in security capabilities, including network security, resource isolation, access control, and logging and auditing. One of these capabilities is a group of plugins known as admission controllers, which intercept requests to the API server after authentication and authorization and can reject or modify them before the object is persisted. Admission controllers enable governance and enforcement of how clusters are used. Kubernetes ships with over 30 admission controllers, which are listed here along with their descriptions. This article assumes you have a basic understanding of admission controllers, but if you are unfamiliar with them, check out the Kubernetes reference guide on admission controllers to learn more.
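Beyond the built-in controllers, the same hook is exposed to cluster operators through validating admission webhooks: the API server posts an AdmissionReview to an HTTPS endpoint and acts on the `allowed` verdict it gets back. The code below is an example added here to show that exchange end to end; it is not StackRox or Kubernetes project code. The request and response shapes follow `admission.k8s.io/v1`; the policy it enforces (no privileged containers, no host PID, network or IPC namespaces) and the two sample reviews are constructed for the example.

```python
"""Validating admission webhook decision logic, added as an example; not
StackRox or Kubernetes project code. Shapes follow admission.k8s.io/v1; the
policy and the sample reviews below are constructed for this example.
"""
import json
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import List

API_VERSION = "admission.k8s.io/v1"


def pod_violations(pod: dict) -> List[str]:
    """Return human-readable reasons a Pod spec breaks the policy (empty = OK)."""
    spec = pod.get("spec", {})
    reasons = []
    for flag in ("hostPID", "hostNetwork", "hostIPC"):
        if spec.get(flag):
            reasons.append("spec.%s is true" % flag)
    for field in ("initContainers", "containers"):
        for c in spec.get(field, []):
            if c.get("securityContext", {}).get("privileged"):
                reasons.append("%s %r runs privileged" % (field, c.get("name")))
    return reasons


def review(admission_review: dict) -> dict:
    """Turn an incoming AdmissionReview into the response the API server expects.

    The response must echo request.uid; a denied request carries a status
    message that kubectl shows to the user.
    """
    req = admission_review["request"]
    response = {"uid": req["uid"], "allowed": True}
    if req["kind"]["kind"] == "Pod" and req["operation"] in ("CREATE", "UPDATE"):
        reasons = pod_violations(req["object"])
        if reasons:
            response = {
                "uid": req["uid"],
                "allowed": False,
                "status": {"code": 403, "message": "; ".join(reasons)},
            }
    return {"apiVersion": API_VERSION, "kind": "AdmissionReview", "response": response}


class Handler(BaseHTTPRequestHandler):
    """Minimal HTTP front end; in a cluster this must sit behind TLS."""

    def do_POST(self):
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        out = json.dumps(review(json.loads(body))).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.end_headers()
        self.wfile.write(out)


def _review_for(pod: dict, uid: str) -> dict:
    """Constructed AdmissionReview for a Pod CREATE, as the API server sends it."""
    return {
        "apiVersion": API_VERSION,
        "kind": "AdmissionReview",
        "request": {
            "uid": uid,
            "kind": {"group": "", "version": "v1", "kind": "Pod"},
            "operation": "CREATE",
            "object": pod,
        },
    }


# Constructed samples: one pod that breaks the policy twice, one that is clean.
PRIVILEGED_REVIEW = _review_for(
    {"metadata": {"name": "debug"}, "spec": {"hostPID": True, "containers": [
        {"name": "shell", "image": "busybox", "securityContext": {"privileged": True}}]}},
    "11111111-2222-3333-4444-555555555555",
)
BENIGN_REVIEW = _review_for(
    {"metadata": {"name": "web"}, "spec": {"containers": [{"name": "nginx", "image": "nginx"}]}},
    "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
)

if __name__ == "__main__":
    print(json.dumps(review(PRIVILEGED_REVIEW)["response"], indent=2))
    HTTPServer(("127.0.0.1", 8443), Handler).serve_forever()  # plain HTTP for local testing only
```

To wire this in, register the service in a ValidatingWebhookConfiguration whose `clientConfig` carries the CA bundle for the endpoint's certificate, scope the `rules` to Pod CREATE and UPDATE, and decide `failurePolicy` deliberately: `Fail` blocks pod creation whenever the webhook is down, `Ignore` silently waives the policy. A `namespaceSelector` that excludes the control plane namespace avoids locking yourself out of the components the webhook depends on.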
When we officially launched the StackRox Kubernetes Security Platform about 18 months ago, we highlighted that microservices, containers, and Kubernetes were the next stage in the evolution of application development in the cloud-native stack. While DevOps embraced microservices and its advantages in delivering unprecedented speed, efficiency, and portability, security teams were frequently left in the dark or brought in a little too late. Today, security teams are proactively working with DevOps to ensure that their organization’s security and compliance requirements are adequately addressed before new apps go live.
More and more organizations are transforming their businesses by embracing DevOps principles, microservice design patterns, and container and orchestrator technologies such as Docker and Kubernetes. While security teams have the same mission regardless of the technology stack in use – keep the bad guys out and find and stop them if they do break in – the tools and tactics security staff employ must change to accommodate this infrastructure shift.