Earlier this year, the NSA released its guidance for Kubernetes security. This was necessary because, as Brad Geesaman, Director of Cloud Security at Aqua Security, puts it, “Kubernetes by default was not leaning towards security by default in mind. It was aimed for developer happiness and velocity and operational consistency.” Geesaman continues, “There’s a lot of decisions that had to be changed over time to make it more secure by default. It’s still not all the way where we should probably be, but a lot of work is being done in that regard.”
This new guidance, according to Geesaman, “toes the line decently between the cluster administrators, the system operators, and the security teams or the blue teams, the defenders who are in charge of operating these clusters.” He gets a bit more specific on this when he says, “But the first couple of paragraphs where they’re saying, ‘Hey, here’s the threat model.’ That’s something a CISO would want to be aware of and understand why the cluster owners may be asking for time to implement certain features and how that relates to compliance or the overall security posture.”
As to the core features of the guidance, Geesaman says, “I think it’s important to understand that what they’re calling out are the specific things you want to restrict in a pod configuration, and they’re done with a different implementation between the two.”
Geesaman believes people should care about this guidance because “whenever somebody like the NSA puts out guidance like this, it tends to be well trusted and well leveraged.” He adds that those who follow it can rest assured that they have implemented things in the way the NSA recommends and that they are covered.
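As an added illustration of the kind of pod-level restrictions Geesaman is referring to, the manifest below shows a pod whose security context is locked down: no root user, no privilege escalation, all Linux capabilities dropped, a read-only root filesystem, a default seccomp profile, and no auto-mounted service account token. This example is not taken from the NSA guidance or from Aqua; the pod name, image reference, user ID and resource limits are placeholders chosen here for illustration.

```yaml
# Added example (not from the NSA guidance or Aqua): a pod spec that
# restricts the settings a hardening review typically flags.
# Pod name, image reference, UID and limits are placeholder assumptions.
apiVersion: v1
kind: Pod
metadata:
  name: restricted-demo                    # placeholder name
spec:
  automountServiceAccountToken: false      # no API token unless the app needs one
  securityContext:
    runAsNonRoot: true                     # kubelet refuses to start a root container
    runAsUser: 10001                       # placeholder non-root UID
    seccompProfile:
      type: RuntimeDefault                 # container runtime's default syscall filter
  containers:
  - name: app
    image: registry.example.com/app:1.0    # placeholder image reference
    securityContext:
      allowPrivilegeEscalation: false      # blocks setuid binaries from gaining privilege
      privileged: false
      readOnlyRootFilesystem: true         # immutable root filesystem
      capabilities:
        drop: ["ALL"]                      # start with no Linux capabilities
    resources:
      limits:                              # placeholder limits; bound resource abuse
        cpu: "500m"
        memory: "256Mi"
    volumeMounts:
    - name: tmp
      mountPath: /tmp                      # writable scratch space, since / is read-only
  volumes:
  - name: tmp
    emptyDir: {}
```

A quick check before committing such a manifest is `kubectl apply --dry-run=server -f pod.yaml`, which lets the API server and any admission controllers validate the fields without creating the pod. The same fields are what an admission policy would inspect to reject pods that omit them, which is the enforcement side of the restrictions described above.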
Geesaman concludes with, “I think there’s a good balance there of high-level guidance and things you should be aware of. But there’s a lot of implementation-specific details. And I think that’s where folks like Aqua can help out.”
This summary was written by Jack Wallen.
Topics we discussed include:
- How different were the early days of Kubernetes compared to Docker containers? Were many sensitive industries apprehensive about using Docker containers from a security perspective?
- There are two aspects of security in the Kubernetes world: people and technology. Which one is more challenging to deal with, people or technology?
- Let’s talk about what this guidance is all about. What are they trying to do with it?
- Who is this guidance meant for: government usage, or anyone who is dealing with Kubernetes?
- Geesaman talks about some of the key features of the guidance.
- Who is the target audience? CISOs or Developers?
- Is this guidance complete, or are there still missing pieces or room for more information?
- Are certain things at a different place in the priority list for Kubernetes security depending on the industry a company operates in, or are there certain baselines common to everyone?
- Do you see the industry leveraging this report and creating its own recommendations based on it, since not everyone ends up on the NSA’s guidance page?