On December 10, 2019, the Net4All team had the pleasure of organising a meetup at Geneva Impact Hub, whose topic was: Is Kubernetes compatible with security?
Feedback from our experts has been very positive. Our objective? To better understand the security issues related to today’s hottest technology!
Delighted with the very positive and constructive feedback, Net4All decided to share the content of the workshop.
In just a few years, Docker, the most popular containerization mechanism, has established itself as an ideal solution for testing all kinds of applications. Today, this technology is widely used by companies of all sizes.
For a long time, using Docker to publish to a production environment was ruled out. Since then, several orchestration solutions have emerged, such as Swarm and Mesos. However, the solution that has established itself as the de facto standard for container management is Kubernetes.
Kubernetes: A technology that makes the news
To better understand why Kubernetes has conquered the market, let’s go back to its origins. This tool was born at Google and went through several stages of evolution: Borg, Omega, then finally Kubernetes! Very quickly, a large community became interested in this technology: Red Hat, Cisco, IBM, Docker. Today, all of these players keep the platform in operational condition: orchestration of deployment, containers and network configuration.
Why Kubernetes?
Today, Kubernetes makes it possible to transform containerisation tools into a large-scale deployment platform. “The main advantage is that it allows you to integrate deployment processes with regard to continuous integration/development in order to evolve your application by moving through the development, staging and production phases in a controlled manner. * ” Kévin CHOLLET
How is this orchestration made possible? The cornerstone that enables it is a set of several types of software that together form what is referred to as the Kubernetes master. Each master consists of:
- A key/value storage system (etcd)
- An API server that receives the instructions given to the cluster
- A controller manager that keeps resources in the desired state
- A scheduler, which launches the containers on the physical or virtual environments that best suit the containers’ needs*
Kubernetes and Security: a possible duo?
The emergence of new technologies such as Kubernetes profoundly transforms development methods, and deployment methods in particular. A new competency profile is created: DevOps / DevSecOps. The roles of developer and sysadmin have never been so closely linked, a fact that obligates your employees to redouble their vigilance on certain subjects, such as:
- Default settings: They are not secure, so the access given to containers must be restricted as far as possible.
- Network communication: Network communication between the different parts of the application must be restricted through network policies to ensure better security. For example, a showcase website application and an ERP should not be able to communicate freely.
- Images used in the cluster: Be careful where they come from, because not all images are checked; they could contain malicious programs, or outdated programs with known vulnerabilities.
- API entry point: Likewise, ensure that you secure the API entry point via a firewall or VPN.
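The first three points above can be checked mechanically against what the cluster is actually running. The script below is an added example written for this article, not code from Net4All or the Kubernetes project: it audits a constructed JSON document shaped like the output of `kubectl get pods,networkpolicies -A -o json` and reports containers that keep insecure defaults (privileged, root, privilege escalation allowed), images that are not pulled from a trusted registry or not pinned by digest, and namespaces that lack a default-deny NetworkPolicy. The trusted registry name, namespaces, pod names and image digest are all made-up sample values; the fourth point (firewalling the API endpoint) is a network-level control and is not covered here.

```python
import json

# Assumption: a constructed allow-list of registries the cluster may pull from.
TRUSTED_REGISTRIES = ("registry.example.internal/",)

# Constructed sample shaped like `kubectl get pods,networkpolicies -A -o json`
# (a v1 List). Names, namespaces and the digest are invented for this example.
SAMPLE = json.dumps({
    "kind": "List",
    "items": [
        {   # hardened pod: non-root, no escalation, digest-pinned trusted image
            "kind": "Pod",
            "metadata": {"name": "erp", "namespace": "erp"},
            "spec": {"containers": [
                {"name": "app",
                 "image": "registry.example.internal/erp@sha256:" + "0" * 64,
                 "securityContext": {"runAsNonRoot": True,
                                     "allowPrivilegeEscalation": False}}]},
        },
        {   # pod left on defaults: privileged, public mutable tag, no policy
            "kind": "Pod",
            "metadata": {"name": "showcase", "namespace": "web"},
            "spec": {"containers": [
                {"name": "nginx", "image": "nginx:latest",
                 "securityContext": {"privileged": True}}]},
        },
        {   # default-deny policy: selects every pod, no ingress/egress rules
            "kind": "NetworkPolicy",
            "metadata": {"name": "default-deny", "namespace": "erp"},
            "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]},
        },
    ],
})


def check_container(ns, pod, container):
    """Findings for one container: insecure defaults and image provenance."""
    findings = []
    where = f"{ns}/{pod}/{container['name']}"
    sc = container.get("securityContext", {})
    if sc.get("privileged"):
        findings.append(f"{where}: privileged container")
    if not sc.get("runAsNonRoot"):
        findings.append(f"{where}: runAsNonRoot not set (may run as root)")
    # Kubernetes defaults allowPrivilegeEscalation to true when unset.
    if sc.get("allowPrivilegeEscalation", True):
        findings.append(f"{where}: allowPrivilegeEscalation not disabled")
    image = container["image"]
    if not image.startswith(TRUSTED_REGISTRIES):
        findings.append(f"{where}: image {image} not from a trusted registry")
    if "@sha256:" not in image:
        findings.append(f"{where}: image {image} not pinned by digest")
    return findings


def default_deny_namespaces(items):
    """Namespaces holding a policy that selects all pods, covers both
    directions, and lists no allow rules, i.e. a default deny."""
    covered = set()
    for obj in items:
        if obj.get("kind") != "NetworkPolicy":
            continue
        spec = obj.get("spec", {})
        selects_all = spec.get("podSelector") == {}
        both_directions = {"Ingress", "Egress"} <= set(spec.get("policyTypes", []))
        no_allow_rules = not spec.get("ingress") and not spec.get("egress")
        if selects_all and both_directions and no_allow_rules:
            covered.add(obj["metadata"]["namespace"])
    return covered


def audit(manifest_json):
    """Return a list of human-readable findings for every pod in the dump."""
    items = json.loads(manifest_json)["items"]
    covered = default_deny_namespaces(items)
    findings = []
    for obj in items:
        if obj.get("kind") != "Pod":
            continue
        ns = obj["metadata"]["namespace"]
        name = obj["metadata"]["name"]
        if ns not in covered:
            findings.append(f"{ns}/{name}: namespace has no default-deny NetworkPolicy")
        for container in obj["spec"].get("containers", []):
            findings.extend(check_container(ns, name, container))
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE):
        print(line)
```

On the constructed sample, the hardened `erp` pod produces no findings, while `web/showcase` is reported six times: missing default-deny policy, privileged, not non-root, escalation allowed, untrusted registry and unpinned tag. In a real cluster the same functions would be fed the output of `kubectl get ... -o json`, and a default-deny NetworkPolicy only has effect if the cluster’s network plugin enforces NetworkPolicy objects.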
It is also important to plan the cluster updates, wholly in accordance with availability objectives, as it is quite possible that part of the cluster will be unavailable during the updating process. Consequently, it is preferable to have a secondary cluster in order to provide service during the upgrade phases (if your availability objectives are 100%).
Finally, the idea that the system works by itself and is infallible is a misconception. It is therefore essential to comply with the good security practices cited above, and with any other good usage practices. Kubernetes does not protect code that has security vulnerabilities.
This is one of the first times that I have attended a conference that addresses the security angle of Kubernetes.
Very interesting, the demo was excellent.
Very good level of exchange, meetup very pleasant!