Posts under Kubernetes Security
A new Kubernetes security vulnerability was announced today, along with patch releases for the issue for Kubernetes versions 1.13, 1.14, and 1.15. CVE-2019-11247 discloses a serious vulnerability in the K8s API that could allow users to read, modify or delete cluster-wide custom resources, even if they only have RBAC permissions for namespaced resources. If your clusters aren’t using Custom Resource Definitions (CRDs), you aren’t affected. But CRDs have become a critical component of many Kubernetes-native projects like Istio, so many users are impacted.
Right on the heels of winning two CODiE awards, StackRox was just named a Computer Reseller News 2019 Emerging Vendor. StackRox and our Kubernetes-native container security platform were chosen for our ability to help organizations harden and secure Kubernetes environments at scale. DevOps practices and the cloud-native stack provide the channel with rich opportunities to help companies enable business transformation. The underlying technologies of containers and Kubernetes, however, wreak havoc with traditional security tooling and processes.
Kubernetes is by far the most widely used container orchestrator in the market, and Kubernetes adoption – especially in production environments – is taking off. According to Gartner, “by 2022, more than 75% of global organizations will be running containerized applications in production.” The explosion in Kubernetes adoption hasn’t been without its share of security concerns. Earlier this year, the runC vulnerability, which allows an attacker to gain host-level code execution by breaking out of a running container, was discovered.
This is the third article of a three-part blog series reviewing Gartner Security & Risk Management Summit 2019. Don’t forget to read article one titled Gartner’s Top 10 Security Projects for 2019 - Container Security Makes the List, and article two titled Gartner on Securing Cloud-Native Apps. We’ve been sharing the highlights of Gartner’s recent Security conference – the inclusion of container security in Gartner’s list of Top 10 Security Projects for 2019 and Best Practices for Securing Cloud-native Apps.
Anyone who has even a passing interest in Kubernetes and the cloud native ecosystem has probably heard of Istio. Getting a clear description of what exactly Istio is, what it can (and can’t) do, and whether it’s a technology you might need are all a little harder to find. Hopefully, this post will help clear up some of the confusion.
The Istio Service Mesh
What is a service mesh?
The term “service mesh” can apply either to the set of overlapping network connections between services in a distributed application or to a set of tools used to manage that group of connected services.
Kubernetes is a powerful tool for building highly scalable systems. As a result, many companies have begun, or are planning, to use it to orchestrate production services. Unfortunately, like most powerful technologies, Kubernetes is complex. How do you know you’ve set things up correctly and it’s safe to flip the switch and open the network floodgates to your services? We’ve compiled the following checklist to help you prepare your containers and kube clusters for production traffic.
We’re excited to announce today that we’ve added support for the latest version of the Google Cloud Security Command Center (Cloud SCC). StackRox has collaborated with the Cloud SCC team as part of our Google Cloud partnership since Cloud SCC’s alpha release, and we’re excited that the platform is now generally available. The StackRox Kubernetes Security Platform enables customers to meet their security and compliance requirements across the container lifecycle, and we’ve integrated deeply with Kubernetes to deliver the key capabilities essential to an effective container security solution.
The container orchestrator war is over, and Kubernetes has won. With companies large and small rapidly adopting the platform, security has emerged as an important concern – partly because of the learning curve inherent in understanding any new infrastructure, and partly because of recently announced vulnerabilities. Kubernetes brings another security dynamic to the table – its defaults are geared towards making it easy for users to get up and running quickly, as well as being backward compatible with earlier releases of Kubernetes that lacked important security features.
Two Kubernetes security vulnerabilities were disclosed yesterday: CVE-2019-1002101, a high severity issue, and CVE-2019-9946, a medium severity issue. Read on for a description of the vulnerabilities and their impact, how to know whether you’re affected, and what the remediation steps are.
CVE-2019-1002101: kubectl cp could replace or delete files on a user machine
This vulnerability is in the kubectl binary – specifically, in the kubectl cp command. An attacker can exploit this vulnerability to write files to any path on the user’s machine, limited only by the system permissions of the local user.
Kubernetes provides several built-in security capabilities, including network security, resource isolation, access control, and logging and auditing. One of the more recent security capabilities is a group of plugins known as admission controllers. Admission controllers enable governance and enforcement of how clusters are used. Kubernetes ships with over 30 admission controllers, which are listed here along with their descriptions. This article assumes you have a basic understanding of admission controllers, but if you are unfamiliar with them, check out the Kubernetes reference guide on admission controllers to learn more.
Like the “participation” trophy every kid on the soccer team wins in kindergarten, some industry awards just don’t carry much clout. The SC Magazine awards? Now that’s a different story. These awards, announced in conjunction with the RSA Conference every year, bestow a huge amount of prestige on the companies and technologies they celebrate. The award submissions are incredibly competitive, and I know of many companies who try year after year to win and fall short.
When we officially launched the StackRox Kubernetes Security Platform about 18 months ago, we highlighted that microservices, containers, and Kubernetes were the next stage in the evolution of application development in the cloud-native stack. While DevOps embraced microservices and its advantages in delivering unprecedented speed, efficiency, and portability, security teams were frequently left in the dark or brought in a little too late. Today, security teams are proactively working with DevOps to ensure that their organization’s security and compliance requirements are adequately addressed before new apps go live.
In 2018, we learned about several Kubernetes security vulnerabilities, with the latest Kubernetes security flaw being the most severe. The last few Kubernetes releases have both introduced new security features and also provided critical security patches to help resolve some of the most impactful Kubernetes security issues and shortcomings to date. As you start the new year, take a look at the version of your Kubernetes clusters. If you are still using an older version, we highly recommend you promptly upgrade to the latest release.
The year 2018 was a watershed for containers, container security, and Kubernetes. Tesla got hacked, the most critical Kubernetes vulnerability to date was discovered, IBM bought RedHat for $34 billion (in large part for OpenShift), VMware bought Heptio for more than $500 million, and investors poured money into container technology startups at an ever-increasing pace. The following five blog articles capture and distill the big picture trends in container adoption and Kubernetes security in 2018.