Kubernetes security has turn out to be the focal point for guarding cloud-native workloads amid enterprises as they deploy containers and microservices in creation.
At first, container security experts these types of as Aqua, Twistlock and StackRox targeted on scanning container photographs in the DevOps pipeline, then added container runtime scans for dwell creation environments through brokers deployed on unique hosts.
Far more just lately, nonetheless, these types of resources have shifted their aim to the total Kubernetes platform, adding network-primarily based security controls and plan-pushed mechanisms. A new crop of gamers these types of as Octarine has also emerged they plug in to the network service mesh layer of Kubernetes ecosystem to deepen security visibility.
This development demonstrates escalating maturity at company corporations as they address the significantly-reaching security implications of deploying microservices by using Kubernetes.
“With microservices and containers in typical, you can find possibility to multiply your security danger exponentially, and they multiply the selection of details [in the infrastructure] that will need to be analyzed,” stated Jason Harris, VP of cloud architecture at Aptos, an Atlanta-primarily based software package maker for stores. “Kubernetes is our implies of providing microservices, and we’re wanting at it as a way to deploy programs securely as nicely.”
Aptos initial rolled out container-primarily based microservices in assist of their customers’ retail point-of-sale (POS) methods in late 2018. But in the latter half of 2019, Aptos begun to seem for a software that could precisely automate Kubernetes security. It reviewed goods from Aqua, Twistlock, Qualys and StackRox, and finally selected StackRox.
The StackRox software conquer out incumbent IT security vendor Qualys, which has options for container impression scanning, for the reason that of its aim on container runtime security in the context of the Kubernetes platform, Harris stated. Some Qualys container runtime options are still in beta.
Jason HarrisVP of cloud architecture, Aptos Retail
“Microservices are genuinely levels of containers that deliver a service, and individuals comprise open up source factors or there might be rogue containers,” Harris stated. “[Inside] Kubernetes in typical, [resources] move, and that’s where StackRox provides price: wanting into Kubernetes in addition to the containers.”
The StackRox tactic to Kubernetes security integration was yet another selling point for Aptos about competition that also offer container runtime scanning, these types of as Twistlock and Aqua. StackRox deploys as a privileged DaemonSet in Kubernetes clusters, which Aptos favored as a more simple tactic to Kubernetes security set up.
“When we deploy a new cluster, it truly is just wrapped into that course of action,” Harris stated. “The moment you create that DaemonSet in the cluster, any new nodes are heading to inherit the daemon mechanically.” The much more sophisticated option would demand StackRox to be deployed as a privileged container on each host.
Kubernetes security visibility increases compliance
Buyers of Kubernetes security goods primarily based on host brokers deploy them to nodes mechanically through infrastructure as code (IaC) resources these types of as Terraform, but StackRox also presented robust visibility into Kubernetes cluster configuration. This has assisted Aptos with regulatory compliance in addition to Kubernetes security, because it can simply show auditors a thorough watch of its ecosystem.
“StackRox just lately added a configuration management app that we’ve gotten significantly much more price out of than we expected, for the reason that it truly is turning into a great reporting software on our Kubernetes ecosystem,” Harris stated. “It is really challenging to have visibility into just even easy matters like the selection of clusters [in creation] and the selection of nodes [in them], and what is actually my Kubernetes edition on all individuals clusters?”
Issues in Kubernetes security and security for microservices keep on being, as cloud-native technological innovation continues to evolve at breakneck pace and retail customers need microservices-primarily based mobile applications. This sort of applications will demand Aptos to assist publicly hosted mobile app keep APIs and consumer payment details, upping the microservices security stakes.
Any kind of modify presents security challenges, but as with other company container buyers, Aptos thinks the mixture of IaC automation for Kubernetes deployment and plan-primarily based Kubernetes security automation increases its security posture about resources it used with standard monolithic programs.
“The visibility and the control we have in this globe significantly outweighs the drift that you had in the more mature globe,” Harris stated. “I am going to acquire the troubles in the new globe any day about our legacy difficulties.”
Although Kubernetes security was the principal selling point for StackRox, Harris stated he’s wanting forward to upcoming advancements in the tool’s container scanning options for photographs in container registries, which has lagged that of some other container security experts and container registry resources these types of as Purple Hat Quay.
“The watch we essential was, ‘OK, show me this vulnerability across all my photographs, and if I flip to an impression, show me any vulnerabilities previously mentioned a specified level,'” he stated. “Ideally, we’ll get there shortly.”
A StackRox attribute that shows vulnerabilities in container photographs in a registry, such as their severity level, was previewed at KubeCon in November, and will turn out to be commonly readily available this thirty day period, a organization spokesperson stated.