Kubernetes have become a standard in cloud native software as it pertains to containers. In fact, the Cloud Native Computing Foundation’s (CNCF) most recent survey found that Kubernetes use in production has grown to 78%. However, like with any technology that surges in popularity in a short amount of time, there is plenty of confusion around what Kubernetes is and what security considerations come with Kubernetes and containerization. Case in point: in the CNCF same survey, 40% of respondents mentioned security as a challenge with container use/deployment and 38% called out complexity as a challenge.
For security engineers tasked with hardening container deployments, there is definitely a learning curve to overcome. To help you get up to speed, we’ll take a look at what Kubernetes is, how it works, and explore some basic Kubernetes security concepts.
Kubernetes is a platform used to orchestrate and manage container workloads (e.g. Docker containers).
Since its initial release in 2014, Kubernetes — an open source CNCF graduating project with roots tracing back to Google’s development team — has become one of the most popular tools in DevOps and cloud native circles.
A prerequisite to understanding Kubernetes is first understanding containers. In a nutshell, containers are lightweight software packages that include all the dependencies an application needs to run. Containers solve the problem of reliably running applications in different environments. Because they are lightweight and portable, containers have surged in popularity and are vital to the development of modern microservices and web applications.
While using a single container doesn’t require much management and orchestration, large applications need to be able to scale. Modern development teams need to be able to automate and scale the process of container deployment. This is where containerized workload management tools like Kubernetes come in. Kubernetes provide the missing management and orchestration.
The phrase “management and orchestration” gets thrown around a lot when discussing Kubernetes. However, that doesn’t tell us much about the specifics. In simple terms, what that means is Kubernetes enables load-balancing, configuration management, configuration of storage resources, automatic resource allocation (e.g. CPU and RAM per container), and the scaling up or down of container deployments.
There can be plenty of confusion around the topic of Docker vs Kubernetes. However, it’s actually quite simple:
That last point is what can lead to some of the confusion. Docker just so happens to offer a tool — Swarm — that provides similar functionality to Kubernetes. However, Kubernetes is by far the more popular management and orchestration tool.
In addition to containers, there are other important concepts to understand when getting started with Kubernetes. Let’s take a look at some key terms:
Kubernetes can be useful effectively anywhere an infrastructure-as-code approach to container deployment can be useful. This means Agile development teams and teams with a focus on DevOps practices will often use Kubernetes to help automate their continuous integration/continuous delivery (CI/CD) pipelines. Additionally, Kubernetes can help auto scale cloud native applications by monitoring the health of nodes and resource utilization and scaling up or down as needed.
Of course, while Kubernetes adds value from an automation and scalability perspective, it also adds a new wrinkle for security teams. How can you ensure your apps and services are deployed securely? As always, this begins with understanding your threat model and risk appetite, but there are a few basics to help you get started.
It’s also vital to have a plan for container visibility and vulnerability scanning to scanning ensure issue remediation occurs quickly and you remain compliant to any relevant standards. To get started with container vulnerability scanning and security posture assessments, we recommend reading Continuous Container Visibility and Compliance (PDF).
Now that you understand how Kubernetes works at a high-level — controlling and managing container deployments automatically — you can take the next steps to deploy k8s securely. For a deep-dive on implementing security with containers, Kubernetes, and serverless infrastructure, sign up to view the free How to Layer Security into Modern Cloud Applications webinar presented by Cloud Security Expert Hillel Solow.