This week, the Kubernetes Product Security Committee disclosed a new security issue (CVE-2020-8554) that affects every version of Kubernetes. It is medium severity and no patch is available. Kubernetes administrators are advised to (1) limit certain cluster permissions as well as (2) restrict and manually audit external IP usage within clusters. It is also recommended that multi-tenant cluster scenarios be reconsidered where possible and appropriate.
Vulnerability Summary
CVE-2020-8554 is a man-in-the-middle (MITM) vulnerability that exists in every version of Kubernetes, with the most significant impact on multi-tenant clusters.
The State of Kubernetes Security in 2020
There has been a significant shift in the Kubernetes community toward security topics in the past year. According to the StackRox State of Container and Kubernetes Security Report, Fall 2020, human error causes most security incidents in Kubernetes, with misconfigurations contributing to roughly 67% of cases reported by survey respondents. At KubeCon and Cloud-Native Con North America, Kubernetes security topics made up the largest percentage of overall sessions this year.
This is the last installment in our four-part OpenShift security blog series. Don’t forget to check out our previous blog posts in the series:
Part 1 - OpenShift security best practices for designing clusters
Part 2 - OpenShift networking and cluster access best practices
Part 3 - OpenShift runtime security best practices
Read this blog post to learn about security best practices when building container images in Red Hat OpenShift environments.
The Cloud Native Computing Foundation’s (CNCF) flagship Kubernetes and cloud-native conference went completely virtual this year. KubeCon + Cloud-NativeCon North America took place last week over four days (November 17-21) with many unique sessions and topics. The keynote sessions took place from Wednesday to Friday for 2 hours each. Speaker sessions lasted 45 minutes and covered many different topics. Unfortunately, attendees could only focus on a single session at a time.
As we close another inspirational KubeCon and look ahead to future gatherings, let’s also pause to reflect on the accomplishments we’ve achieved together as members of the cloud-native community. For most of us, 2020 was one of the most challenging periods in our personal and professional lives. Most of us experienced unprecedented stress and anxiety as our lives were altered by the pandemic. Some of us experienced far worse – severe illness or grief over the loss of loved ones.
KubeCon Announcement and Linux Foundation Update
On Tuesday during KubeCon, the Cloud Native Computing Foundation (CNCF) announced that the Certified Kubernetes Security Specialist certification is now generally available. The announcement confirmed important information that we previously outlined in our most recent blog detailing the CKS. Thanks to the updates from the Linux Foundation documentation, the updated exam structure is:
2 hours long
Requires a passing score of 67%
15-20 performance-based tasks
Uses Kubernetes version 1.
This is part three of our four-part OpenShift security blog series. Don’t forget to check out our previous blog posts in the series:
Part 1 - OpenShift security best practices for designing clusters
Part 2 - OpenShift networking and cluster access best practices
Adhering to best practices for running your workloads in OpenShift is critical to keeping the cluster and all its workloads safe. While Kubernetes provides several capabilities that can help protect your workloads, it’s up to you to use them to safeguard your cloud-native applications.
As the brainchild behind the Borg project – the predecessor to Kubernetes – Google Cloud is at the forefront of enabling the move towards microservices architectures, containerization, and Kubernetes. As the only Kubernetes-native container security solution provider, StackRox is a leader in Kubernetes Security and has partnered with Google Cloud on several fronts to help joint customers secure their cloud-native stack and address their share of the security responsibility. Customers leverage our deep integration with Google Cloud services such as Google Kubernetes Engine (GKE), Anthos, Container-Optimized OS, Cloud Security Command Center, Google Container Registry, and Google Container Analysis, to protect their cloud-native applications.
What is the Certified Kubernetes Security Specialist (CKS)? The CKS is the third Kubernetes-based certification backed by the Cloud Native Computing Foundation (CNCF). CKS will join the existing Certified Kubernetes Administrator (CKA) and Certified Kubernetes Application Developer (CKAD) programs. All three certifications are online, proctored, performance-based exams that require solving multiple Kubernetes security tasks from the command line. With the massive investment in Kubernetes over the last five years, these certifications continue to be highly sought after by many seeking technical knowledge about Kubernetes.
This blog post is part two of a four-part blog series where we discuss various OpenShift security best practices for:
Designing secure clusters
Securing the network and cluster access (topic of this blog)
Building secure images (future blog)
Protecting workloads at runtime (future blog)
OpenShift Networking Best Practices for Security
The concept of zero-trust security has emerged to address the new security challenges of cloud-native architecture. These challenges include:
Red Hat’s OpenShift Container Platform (OCP) is a Kubernetes platform for operationalizing container workloads remotely or as a hosted service. OpenShift enables consistent security, built-in monitoring, centralized policy management, and compatibility with Kubernetes workloads. The rapid adoption of open source projects can introduce vulnerabilities in standard Kubernetes environments. OCP supports these projects internally, allowing users to gain open source advantages with a managed product’s stability and security. OpenShift offerings include five managed and two hosted options.