4 Ways To Solve Kubernetes Security Risks As Highlighted At The Securing GKE Workloads Webinar
26/05/2022 | 2 Minute Read
Administrative and Marketing Coordinator
The Securing GKE Workloads webinar is one to remember. Presented by Deimos with support from Google and ITWeb, the webinar was moderated by Thami Nkadimeng and featured highly insightful keynote sessions from Jaco Nel, Chief Technology Officer at Deimos, and Jonathan Frankel, Customer Engineer at Google Cloud. Jaco and Jonathan spoke on ‘Kubernetes Security: Risks, Security Controls and Best Practices’ and ‘Binary Authorization with GCP and GKE’ respectively.
According to Jaco Nel and Jonathan Frankel, shifting left, Zero Trust and the principle of least privilege are among the measures organisations must adopt to address Kubernetes security risks. The stakes are evident from a recent Red Hat report that polled 300 DevOps, engineering and security professionals about how their firms address these challenges and protect their applications: 55% of respondents said their firm had delayed an application rollout because of security concerns in the last 12 months. If you missed the webinar, read on to discover how to solve Kubernetes security risks.
- Shift Left: Jaco Nel urged attendees to shift left and build security into every stage of the development life cycle, not only in how information is processed but also in how engineers are educated. The urgency is underlined by the number of places from which a Kubernetes attack can start. Jaco stated, “We have detected a few possible attack surfaces in Kubernetes, in the areas of infrastructure, access control, container security, secret management and runtime security”.
- Zero Trust: According to Jaco Nel, enabling private endpoints and limiting public access should be the first priority when securing GKE. “Establish your worker nodes in a private subnet with no public IP addresses, configure authorised networks to restrict access to the K8s API, and utilise Cloud NAT to permit outbound access from private worker nodes”. Jonathan Frankel emphasised this further: “Businesses need to have an access policy based on jobs or verification status. A need to clarify who can access things. What does your data access policy look like? We talk a lot about Zero Trust, Principle of Least Privilege (POLP). Make sure that this is all done in the most secure way possible.”
- Principle of Least Privilege (POLP): Jaco Nel went further, advising businesses on the Principle of Least Privilege: “Use a custom Google Service Account and follow the concept of least privilege, enable workloads to access Google Services using Workload Identities, let GKE maintain the control plane version of the cluster automatically, and enable application-layer secrets encryption for GKE clusters.”
- Scan For Weaknesses, Store Privately and Incorporate CI/CD: For container security, Nel advocated starting small and trustworthy: no embedded secrets, scanning images for weaknesses, storing them privately, being cautious with versioning, and using CI/CD. “Utilise the built-in Kubernetes Secrets or Google Secret Manager for secret management. If you need to commit secrets to version control, encrypt them before committing to version control. For runtime security, the one key thing to do is ‘say no to root’. Very few containers require the ability to run as root, yet the majority of containers in public registries still have their process running as root. Utilise network policies and container and pod security context to limit the functionality of workloads running in Kubernetes.”
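The four recommendations above map directly onto cluster flags and Kubernetes manifests. The script below is an added example written for this page, not code from the webinar, Deimos or Google: it creates a private GKE cluster with authorised networks, a custom node service account, Workload Identity, application-layer secrets encryption and Cloud NAT, then deploys a non-root workload behind default-deny network policies. Every name it uses (project, region, admin CIDR, KMS key ring, image, service-account and namespace names) is an assumption; set the environment variables to match your project. `DRY_RUN=1` prints each command instead of running it.

```shell
#!/usr/bin/env sh
# Added example for this page (not from the webinar, Deimos or Google).
# All names below are assumptions; override them via the environment.
set -eu

PROJECT_ID="${PROJECT_ID:-example-project}"   # assumed project
REGION="${REGION:-europe-west1}"              # assumed region
CLUSTER="${CLUSTER:-hardened-gke}"            # assumed cluster name
NETWORK="${NETWORK:-default}"                 # assumed VPC
ADMIN_CIDR="${ADMIN_CIDR:-203.0.113.0/24}"    # assumed office/VPN range allowed to reach the API
KMS_KEY="${KMS_KEY:-projects/$PROJECT_ID/locations/$REGION/keyRings/gke/cryptoKeys/secrets}"  # assumed CMEK
IMAGE="${IMAGE:-$REGION-docker.pkg.dev/$PROJECT_ID/apps/web:1.0.0}"  # assumed private registry image
NODE_SA="gke-nodes@$PROJECT_ID.iam.gserviceaccount.com"             # assumed node service account
APP_GSA="web-app@$PROJECT_ID.iam.gserviceaccount.com"               # assumed workload service account

# DRY_RUN=1 prints each command instead of executing it, so the plan can be reviewed without a project.
run() { if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Least privilege for nodes: a custom service account with only the roles GKE nodes need.
create_node_service_account() {
  run gcloud iam service-accounts create gke-nodes --project "$PROJECT_ID"
  for role in roles/logging.logWriter roles/monitoring.metricWriter roles/monitoring.viewer roles/artifactregistry.reader; do
    run gcloud projects add-iam-policy-binding "$PROJECT_ID" --member "serviceAccount:$NODE_SA" --role "$role"
  done
}

# Zero Trust perimeter: private nodes, API server reachable only from ADMIN_CIDR, Workload Identity,
# CMEK application-layer secrets encryption, NetworkPolicy enforcement, GKE-managed control-plane upgrades.
create_private_cluster() {
  run gcloud container clusters create "$CLUSTER" \
    --project "$PROJECT_ID" --region "$REGION" --network "$NETWORK" \
    --enable-ip-alias --enable-private-nodes --master-ipv4-cidr 172.16.0.0/28 \
    --enable-master-authorized-networks --master-authorized-networks "$ADMIN_CIDR" \
    --service-account "$NODE_SA" \
    --workload-pool "$PROJECT_ID.svc.id.goog" \
    --database-encryption-key "$KMS_KEY" \
    --enable-network-policy \
    --release-channel regular
}

# Private nodes have no public IPs; Cloud NAT gives them outbound-only access (image pulls, updates).
create_cloud_nat() {
  run gcloud compute routers create "$CLUSTER-router" --network "$NETWORK" --region "$REGION" --project "$PROJECT_ID"
  run gcloud compute routers nats create "$CLUSTER-nat" --router "$CLUSTER-router" --region "$REGION" \
    --project "$PROJECT_ID" --auto-allocate-nat-external-ips --nat-all-subnet-ip-ranges
}

# Workload Identity: Kubernetes SA "web" in namespace "app" impersonates APP_GSA; no key file is mounted.
bind_workload_identity() {
  run gcloud iam service-accounts add-iam-policy-binding "$APP_GSA" --project "$PROJECT_ID" \
    --role roles/iam.workloadIdentityUser --member "serviceAccount:$PROJECT_ID.svc.id.goog[app/web]"
}

# Runtime hardening: non-root, no privilege escalation, read-only root FS, all capabilities dropped,
# default-deny ingress and egress, with DNS to kube-system explicitly allowed so the pod can resolve names.
render_workload_manifests() {
  cat <<EOF
apiVersion: v1
kind: Namespace
metadata: {name: app}
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: web
  namespace: app
  annotations: {iam.gke.io/gcp-service-account: $APP_GSA}
---
apiVersion: apps/v1
kind: Deployment
metadata: {name: web, namespace: app}
spec:
  replicas: 2
  selector: {matchLabels: {app: web}}
  template:
    metadata: {labels: {app: web}}
    spec:
      serviceAccountName: web
      securityContext: {runAsNonRoot: true, runAsUser: 10001, seccompProfile: {type: RuntimeDefault}}
      containers:
      - name: web
        image: $IMAGE
        securityContext: {allowPrivilegeEscalation: false, readOnlyRootFilesystem: true, capabilities: {drop: ["ALL"]}}
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata: {name: default-deny, namespace: app}
spec: {podSelector: {}, policyTypes: [Ingress, Egress]}
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata: {name: allow-dns, namespace: app}
spec:
  podSelector: {}
  policyTypes: [Egress]
  egress:
  - to: [{namespaceSelector: {matchLabels: {kubernetes.io/metadata.name: kube-system}}}]
    ports: [{protocol: UDP, port: 53}, {protocol: TCP, port: 53}]
EOF
}

apply_workload_manifests() {
  run gcloud container clusters get-credentials "$CLUSTER" --region "$REGION" --project "$PROJECT_ID"
  render_workload_manifests | run kubectl apply -f -
}

main() { create_node_service_account; create_private_cluster; create_cloud_nat; bind_workload_identity; apply_workload_manifests; }
# Usage: DRY_RUN=1 sh gke-harden.sh main  (print the plan)   sh gke-harden.sh main  (apply it)
if [ "${1:-}" = "main" ]; then main; fi
```

Two caveats a practitioner should keep in mind: the default-deny policy also blocks egress to anything not explicitly allowed, so each workload needs its own allow rules for the services it genuinely talks to (the DNS rule above is the minimum), and the KMS key referenced by `--database-encryption-key` must exist and the GKE service agent must be granted the encrypter/decrypter role on it before the cluster is created.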
The webinar recording is available on our YouTube channel.
Schedule a free session to discuss security-related issues or concerns with one of Deimos’ security engineers. Also, follow us on LinkedIn, Twitter, Facebook and Instagram to be the first to know about the latest events and offers from Deimos.