Best practices to secure your Kubernetes workloads

If your organization isn’t already using Kubernetes to orchestrate your cloud computing workloads, be warned: it’s coming fast. And if you’re responsible for securing that work, you’ll have some tough decisions to make.

It’s easy to see why Kubernetes is so popular. Containers offer a more efficient alternative to virtualization, letting you run applications without the effort of managing a new virtual system each time. And Kubernetes gives you the flexibility to manipulate and orchestrate those bite-sized workloads in a creative, constructive way.

To do that, it groups similar containers into scheduling wrappers called pods, which make it easier to control and scale your workloads, automatically spinning up resources to match demand.

So far, so useful. But it’s a new concept—with a whole new vocabulary—that doesn’t always fit comfortably with traditional cybersecurity methods.

As a result, Kubernetes is often secured using a standalone set of tools, which makes it a challenge to get the visibility you need to protect these short-lived workloads. And that can complicate the picture at a time when the industry is generally converging around a simpler, more unified security approach.

New tools for a new way of working

If you’re looking into securing Kubernetes workloads for the first time, you might struggle to find a single, well-defined picture of best practices.

The leading analysts back different approaches, and sometimes use competing terms for similar ideas. For instance, Gartner uses the term “continuous adaptive risk and trust assessment”, or CARTA, while Forrester prefers “unstructured data security” along the lines of Google’s BeyondCorp platform.

In both cases, we’re talking about a zero-trust approach. It’s a little like zero-trust network access (ZTNA), where you query the identity of the user at every stage—except, instead of users, we’re attempting to verify workloads.

That takes specialist tools, designed for the way Kubernetes works.

For example, traditional firewalls rely heavily on understanding the IP address the traffic is heading from and to. But in Kubernetes, workloads move around so quickly that the IP address is almost meaningless—to operate a zero-trust model, your firewall needs to understand namespaces and metadata, so it can track the traffic right down to the pod.

You also want to be able to recognize the application, the hostname, and the port, as well as the query string and meta information from web requests.

Once you’ve identified the traffic, you also need to verify it—to confirm that a pod is labeled correctly, or that it’s running the most secure, up-to-date version of a library. And you need to be able to catch and isolate workloads that are behaving atypically.

Putting a traditional firewall in front of Kubernetes will offer some protection, but ultimately it won’t give you the granular control you need.

A patchwork of solutions and approaches

That’s not to say that working with Kubernetes is insecure. Good security tools are available, often deployed as plugins within the platform itself.

Ingress controllers can offer web application firewall-type security, inspecting URLs and routing traffic based on the path and query string. There are also cloud security posture management (CSPM) tools that integrate directly with native Kubernetes clusters you have installed on servers, as well as with managed cloud provider services such as Amazon Elastic Kubernetes Service (EKS), Microsoft Azure Kubernetes Service (AKS), and Google Kubernetes Engine (GKE).

These CSPM tools proactively monitor for security best practice standards to ensure clusters and control plane security groups are not exposed to the public internet through misconfigurations. There are also container network interface (CNI) plugins that offer the ability to apply granular rules like a firewall, but based on Kubernetes namespaces, pods, and tagging. And you can adapt these rules to your changing workloads over time.
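To make the difference between address-based and label-based rules concrete, here is an added example (not from the original article or any vendor's product) that evaluates the ingress side of a NetworkPolicy-shaped rule against source pods. The policy, namespaces, labels and IP addresses are all constructed, and ipBlock peers are left out.

```python
# Added example; the policy, labels, namespaces and IPs are constructed.
def selector_matches(selector, labels):
    """Evaluate a Kubernetes label selector: matchLabels AND matchExpressions."""
    for key, value in selector.get("matchLabels", {}).items():
        if labels.get(key) != value:
            return False
    for expr in selector.get("matchExpressions", []):
        key, op, values = expr["key"], expr["operator"], expr.get("values", [])
        checks = {"In": labels.get(key) in values, "NotIn": labels.get(key) not in values,
                  "Exists": key in labels, "DoesNotExist": key not in labels}
        if not checks[op]:
            return False
    return True  # an empty selector matches every object

def ingress_allowed(policy, src_pod, ns_labels, port):
    """True if the policy admits traffic from src_pod on the given port."""
    for rule in policy["spec"].get("ingress", []):
        ports = [p["port"] for p in rule.get("ports", [])]
        if ports and port not in ports:
            continue
        if not rule.get("from"):
            return True  # a rule without "from" admits every source
        for peer in rule["from"]:
            pod_sel, ns_sel = peer.get("podSelector"), peer.get("namespaceSelector")
            if pod_sel is None and ns_sel is None:
                continue  # ipBlock peers are not modelled here
            if ns_sel is None:  # podSelector alone means the policy's own namespace
                ns_ok = src_pod["namespace"] == policy["metadata"]["namespace"]
            else:
                ns_ok = selector_matches(ns_sel, ns_labels.get(src_pod["namespace"], {}))
            if ns_ok and (pod_sel is None or selector_matches(pod_sel, src_pod["labels"])):
                return True
    return False

POLICY = {"metadata": {"name": "api-from-frontend", "namespace": "shop"},
          "spec": {"podSelector": {"matchLabels": {"app": "api"}},
                   "ingress": [{"from": [{"namespaceSelector": {"matchLabels": {"env": "prod"}},
                                          "podSelector": {"matchLabels": {"app": "frontend"}}}],
                                "ports": [{"protocol": "TCP", "port": 8443}]}]}}
NS_LABELS = {"web": {"env": "prod"}, "dev": {"env": "dev"}}
IP_ALLOWLIST = {"10.42.1.17"}  # what an address-based rule would have recorded

frontend = {"namespace": "web", "labels": {"app": "frontend"}, "ip": "10.42.1.17"}
rescheduled = dict(frontend, ip="10.42.7.203")  # same workload, new address
reused_ip = {"namespace": "dev", "labels": {"app": "scratch"}, "ip": "10.42.1.17"}

def compare(pod):
    """Return (label-based verdict, IP-based verdict) for one source pod."""
    return ingress_allowed(POLICY, pod, NS_LABELS, 8443), pod["ip"] in IP_ALLOWLIST
```

The rescheduled pod keeps its access under the label rule but loses it under the address rule, while the unrelated pod that inherited the old address is admitted only by the address rule. In a real cluster a NetworkPolicy is enforced only when the installed CNI plugin implements it.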

Admission controls are another consideration. These inspect new pods as they’re deployed, to check you’re following the right rules for naming and labeling, screen for any known vulnerabilities, and confirm the correct security levels are attached. Then they monitor your pods, to make sure they’re aging gracefully over time.
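The checks an admission control performs at deploy time can be sketched as the decision function of a validating admission webhook. This is an added example, not code from the original article or from any product it names; the required label names, the registry host and the blocked-image list (standing in for vulnerability scanner output) are constructed assumptions.

```python
# Added example; label names, registry host and blocked-image list are constructed.
REQUIRED_LABELS = {"app", "owner", "data-classification"}
BLOCKED_IMAGES = {"registry.example.internal/web:1.0.3"}  # stand-in for scanner findings

def unpinned(image):
    """True when the image has no digest and no tag, or uses the mutable 'latest' tag."""
    if "@sha256:" in image:
        return False
    tail = image.rsplit("/", 1)[-1]  # ignore a ':port' in the registry host
    return ":" not in tail or tail.endswith(":latest")

def review_pod(admission_review):
    """Build the AdmissionReview response for a Pod CREATE request."""
    request = admission_review["request"]
    pod = request["object"]
    problems = []
    missing = REQUIRED_LABELS - set(pod["metadata"].get("labels", {}))
    if missing:
        problems.append("missing labels: " + ", ".join(sorted(missing)))
    pod_sc = pod["spec"].get("securityContext", {})
    containers = pod["spec"].get("initContainers", []) + pod["spec"]["containers"]
    for c in containers:
        sc = c.get("securityContext", {})
        if unpinned(c["image"]):
            problems.append(f"{c['name']}: image is not pinned to a version")
        if c["image"] in BLOCKED_IMAGES:
            problems.append(f"{c['name']}: image has known vulnerabilities")
        if sc.get("privileged", False):
            problems.append(f"{c['name']}: privileged containers are not allowed")
        if not sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False)):
            problems.append(f"{c['name']}: runAsNonRoot must be true")
    response = {"uid": request["uid"], "allowed": not problems}
    if problems:
        response["status"] = {"code": 403, "message": "; ".join(problems)}
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview", "response": response}

def sample_review(labels, containers):
    """Constructed AdmissionReview request, shaped like what the API server sends."""
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
            "request": {"uid": "constructed-uid-0001", "operation": "CREATE",
                        "object": {"metadata": {"name": "demo", "labels": labels},
                                   "spec": {"containers": containers}}}}

GOOD = sample_review(
    {"app": "api", "owner": "payments", "data-classification": "internal"},
    [{"name": "api", "image": "registry.example.internal/api:2.4.1",
      "securityContext": {"runAsNonRoot": True}}])
BAD = sample_review({"app": "web"}, [{"name": "web", "securityContext": {"privileged": True},
                                     "image": "registry.example.internal/web:latest"}])
```

Calling `review_pod(BAD)` returns a denial whose message lists every failed check at once, so the deployer can fix the manifest in a single pass.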

For most organizations, it takes a patchwork of solutions—including workload, identity, and cloud security posture management as well as code scanning—to secure the whole Kubernetes stack. Several Sophos solutions are helpful here; most notably Sophos Cloud Optix, our Cloud Security Posture Management solution, and Sophos Factory, for DevSecOps automation, with Linux/container workload detection and remediation coming soon.

Coordinating this combination of solutions is possible, too. Calico is a popular component which lets you manage and apply consistent policies across your Kubernetes space—and if you’re operating in a pure Kubernetes environment, that can work well.

But if you want to align those policies with your work outside Kubernetes, you’re probably going to want something more.

Integrating Kubernetes into your synchronized cybersecurity plans

Treating Kubernetes as a separate, special case feels anachronistic at a time when other parts of cybersecurity are becoming increasingly synchronized.

Organizations are seeing the benefits of coherent policies, administered from a central point. It doesn’t just save time and money; it also reduces the potential training gaps, inconsistencies, and human error that can come from managing too many different technologies with limited headcount and resources.

To realize those benefits, and bring Kubernetes into line, you’d need a scalable, web-native firewall that can protect multiple Kubernetes clusters, alongside traditional workloads on other cloud platforms.

You’d have to be able to spin it up within Kubernetes, and have it understand all the relevant namespaces, tags, and pods. And you’d want to be able to control it from your central cybersecurity console, in a way that feels familiar for your IT and security team.

Right now, I don’t see anything on the market that fulfills those needs. But we’re working on it—and I hope to have exciting news for you in 2022. Watch this space!

In the meantime, if you’d like to talk about how Sophos can help you secure your workloads in the cloud—containerized or otherwise—have a word with your local representative.

By Alan Toews
