January 4, 2023

The latest report regarding security on Kubernetes showed that the system suffers pervasive attacks, many of which stem from human error. These security flaws slow down innovation and delay the rollout of new applications, among other unwanted effects.

In Red Hat’s latest monthly report on Kubernetes security, a survey of 300 professionals (DevOps, security experts, and engineers) found that 93 percent of them had encountered one or more Kubernetes security problems over the past year. Some of these incidents (those reported by 31 percent of the surveyed professionals) resulted in customer or revenue loss.

Red Hat listed multiple factors contributing to these incidents, including:

  • Inadequate or poorly deployed security measures
  • Insufficient operating knowledge regarding security for Kubernetes or containers
  • Security teams falling behind application development teams

Posting about the report on May 17, Red Hat noted that security is still a top concern when it comes to container adoption. Red Hat’s further observations:

There are always security issues when new technology is brought into a traditional IT environment. However, containers pose additional challenges because their security needs to be considered across the complete application lifecycle, from development to deployment to maintenance. The report shows that 31 percent of survey respondents listed security as their top concern with employing container strategies. Additional problems reported by respondents include slow progress (22 percent) and the skill gap related to Kubernetes and container security (20 percent).

Red Hat’s report shows that human error was a significant factor in an overwhelming 95 percent of data breaches. Kubernetes and container architecture are powerful, but they were designed primarily to boost developer productivity, with security less of a priority. For example, the default network settings for pod-to-pod communication are intended to speed up the launch of a cluster, neglecting factors like security hardening. As a result, more than half of the survey respondents saw misconfiguration incidents in their environments in the past year. Additional worrisome security findings: 38 percent of respondents found significant vulnerabilities, 30 percent had experienced runtime security incidents, and 22 percent failed on audit.

More On Kubernetes Security Issues

Red Hat noted that Kubernetes and containers remain widespread, with many organizations embracing innovation-friendly concepts and investing in cloud-native environments. However, the company cautioned that organizations must invest in security, both strategies, and tools, at the same time. These critical investments are necessary to ensure application security and rollout schedules are safe.

Additional stats from the survey in Red Hat’s report:

  • 78 percent of respondents have DevSecOps initiatives (initial or advanced stages)
  • 57 percent of respondents are most concerned with runtime workload security
  • 55 percent had to delay application deployment due to Kubernetes security issues
  • 51 percent require validated images from their developers
  • 43 percent assign chief responsibility for Kubernetes security to the DevOps role

Red Hat's post also included four tips for improved Kubernetes security:

  1.  Use security architectures and controls that are Kubernetes-native. This approach to security effectively uses native controls and rich declarative data inherent in the architecture. Declarative data analysis within Kubernetes improves overall security by delivering risk-based insight into Kubernetes-specific vulnerabilities, configuration management, segmentation, and compliance.
  2.  Start addressing security early, but continue prioritizing through the entire cycle to runtime. Developers and DevOps teams tend to view security as a hindrance to their priority to code quickly. However, when appropriately employed, Kubernetes can turn security into an accelerator, allowing developers to take a holistic approach to asset security.
  3.  Security must be prepared to work with hybrid environments. It’s normal for organizations to deploy containers on the ground and in public clouds, sometimes in multiple clouds. Therefore, security must remain consistent no matter where your assets are used. As Kubernetes serves as a common foundation for hybrid assets, it can also be the consistent layer of visibility that allows you to apply and assess your security.
  4.  Foster closer collaboration between Security and DevOps, giving the developer a greater appreciation for security needs. In most organizations, developers are expected to employ container security. The right security tooling must bring DevOps and Security into alignment. Security controls must be rational when deployed in a Kubernetes/container environment. Controls also need to assess risk effectively in such environments.

The Red Hat post specifically called attention to the link between the second and fourth points here, noting that closer collaboration between specialists in development and security can make security an asset from the developer’s point of view.

Adopting Kubernetes and container architecture continues to offer considerable advantages, even with the potential drawbacks of security problems. These concerns can be minimized when implementing an appropriate security platform incorporating internal controls and developers’ best practices. In addition, such a platform can and should assess the security condition of the Kubernetes environment itself. This leaves developers free to concentrate on the features they need to deliver.