The State of Kubernetes Security in 2020

There has been a significant shift in the Kubernetes community toward security topics in the past year. According to the StackRox State of Container and Kubernetes Security Report, Fall 2020, human error causes most security incidents in Kubernetes, with misconfigurations contributing to roughly 67% of the cases reported by survey respondents. At KubeCon + CloudNativeCon North America, Kubernetes security topics made up the largest share of sessions this year. The CNCF survey report in 2019 highlights security, cultural, and complexity challenges as the most significant issues facing Kubernetes adoption. It would seem that the community is looking for reasonable solutions to its Kubernetes security concerns.

StackRox took note of these issues early on in the development of our Kubernetes-native security platform. By recognizing that people and security go hand in hand, we created a platform that enables security and engineering teams to protect Kubernetes clusters. The usual implementation question remains: where do we implement security and configuration fixes? There has been a significant push to perform security checks as early as possible. The term “shift left” is often used to describe this movement of empowering developers to implement security controls and checks. However, this does not solve the complexity and cultural challenges. With “shift left”, we require our developers to understand the application, Kubernetes, security considerations, and more. This overhead cuts against the goal of using cloud-native technologies to empower developers to release software more quickly.

What is KubeLinter?

KubeLinter is an open-source static analysis tool to identify misconfigurations in Kubernetes objects. KubeLinter offers the ability to integrate security checks of Kubernetes YAML files and Helm charts before deployment into a Kubernetes cluster. The security checks validate that a Kubernetes cluster configuration follows security best practices. With standard built-in checks, developers and teams can get immediate feedback about misconfigurations and violations of Kubernetes policies. This enhances developer productivity, integrating security-as-code with DevOps and DevSecOps processes while ensuring the automatic enforcement of hardened security policies for Kubernetes applications.

What does KubeLinter do?

KubeLinter analyzes YAML files and Helm charts and runs Kubernetes-native security checks to identify elevated access, misconfigurations, and general best-practice violations. KubeLinter is a Go-based binary used on the command line or as part of a CI pipeline, giving developers the necessary security checks before any Kubernetes configuration change is allowed through. There are currently 19 security checks built into the CLI. Some examples include:

  • Using the default-service-account
  • Mismatching selectors
  • Running a container as root
  • Setting a writable host mount

KubeLinter’s defaults are security-centric, so users have to explicitly opt in to configure Kubernetes in an insecure manner. The built-in checks provided by KubeLinter can be extended with custom checks for many Kubernetes configuration parameters. Individual checks can be enabled or disabled as well, and annotations allow a specific object to be exempted from a specific check. As an open-source tool available under the Apache 2.0 license, KubeLinter can also be extended with additional checks contributed by users.
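To make concrete what the four checks listed above look for, here is an added example (not KubeLinter's own code, and simplified from its real logic) that implements them in Python over a constructed Deployment manifest and its hardened counterpart. The manifest is embedded in JSON form, which Kubernetes accepts as well as YAML, so the example runs with the standard library only; the check names loosely follow KubeLinter's naming and are an assumption here.

```python
import copy
import json

# Constructed sample Deployment (JSON form of a manifest), not taken from the page.
INSECURE = json.loads("""
{"apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "web"},
 "spec": {"selector": {"matchLabels": {"app": "web"}},
  "template": {"metadata": {"labels": {"app": "webb"}},
   "spec": {"volumes": [{"name": "logs", "hostPath": {"path": "/var/log"}}],
    "containers": [{"name": "web", "image": "nginx",
     "volumeMounts": [{"name": "logs", "mountPath": "/logs"}]}]}}}}
""")

# Hardened copy: fix each finding the insecure manifest produces.
HARDENED = copy.deepcopy(INSECURE)
_h = HARDENED["spec"]
_h["template"]["metadata"]["labels"]["app"] = "web"          # selector now matches
_h["template"]["spec"]["serviceAccountName"] = "web-sa"      # dedicated service account
_h["template"]["spec"]["securityContext"] = {"runAsNonRoot": True}
_h["template"]["spec"]["containers"][0]["volumeMounts"][0]["readOnly"] = True


def lint(deploy):
    """Return the names of the simplified checks that the Deployment fails, in order."""
    failures = []
    spec = deploy["spec"]
    pod = spec["template"]["spec"]
    labels = spec["template"]["metadata"].get("labels", {})
    # mismatching-selector: every selector label must appear on the pod template,
    # otherwise the Deployment never selects the pods it creates.
    selector = spec.get("selector", {}).get("matchLabels", {})
    if any(labels.get(k) != v for k, v in selector.items()):
        failures.append("mismatching-selector")
    # default-service-account: an unset or "default" SA hands the pod the
    # namespace default token instead of a least-privilege identity.
    if pod.get("serviceAccountName", "default") == "default":
        failures.append("default-service-account")
    host_volumes = {v["name"] for v in pod.get("volumes", []) if "hostPath" in v}
    pod_nonroot = pod.get("securityContext", {}).get("runAsNonRoot", False)
    for container in pod.get("containers", []):
        ctx = container.get("securityContext", {})
        # run-as-non-root: container setting overrides the pod-level one.
        if not ctx.get("runAsNonRoot", pod_nonroot):
            failures.append("run-as-non-root:" + container["name"])
        # writable-host-mount: a hostPath volume mounted without readOnly.
        for mount in container.get("volumeMounts", []):
            if mount["name"] in host_volumes and not mount.get("readOnly", False):
                failures.append("writable-host-mount:" + container["name"])
    return failures
```

Running `lint(INSECURE)` reports all four findings, while `lint(HARDENED)` returns an empty list.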

What Makes KubeLinter Different?

KubeLinter’s focus on being a Kubernetes-native tool leads to the following advantages:

  • Easy to learn
  • Easy to implement
  • Additional functionality solely focused on Kubernetes
  • Pre-configured security and misconfiguration checks
  • Go-based CLI similar to kubectl
  • A community-based tool that grows with your needs

KubeLinter’s Go-based CLI architecture allows it to be easily installed in existing pipelines or used on the command line. It uses a package and CLI architecture similar to kubectl, so little new knowledge is required to test and use it. KubeLinter policies can be enabled or disabled, and individual checks can be ignored with annotations. KubeLinter gives immediate feedback about how to rectify a misconfiguration or security issue. This approach to security means reasonable checks with little to no workflow changes. KubeLinter provides declarative, Kubernetes-focused security rules that can be easily accessed and reviewed.

How to Learn More

KubeLinter’s success will rely on the community. As Kubernetes continues to grow, StackRox views KubeLinter as a security enablement tool that simplifies security and makes the day-to-day usage of Kubernetes by community end users safer and more secure.

Watch the lead developer Viswa Venugopal talk about KubeLinter basics