The State of Kubernetes Security in 2020
There has been a significant shift in the Kubernetes community toward security topics in the past year. According to the StackRox State of Container and Kubernetes Security Report, Fall 2020, human error causes most security incidents in Kubernetes, with misconfigurations contributing to roughly 67% of cases reported by survey respondents. At KubeCon + CloudNativeCon North America, Kubernetes security topics made up the largest percentage of overall sessions this year. The 2019 CNCF survey report highlights security, cultural, and complexity challenges as the most significant issues facing Kubernetes adoption. It would seem that the community is looking for reasonable solutions to its Kubernetes security concerns.
StackRox took note of these issues early on in the development of our Kubernetes-native security platform. By recognizing that people and security go hand in hand, we created a platform that enables security and engineering teams to protect Kubernetes clusters. The usual implementation question remains: where do we implement security and configuration fixes? There has been a significant push to perform security checks as early as possible. The term shift left is often used to describe this movement of empowering developers to implement security controls and checks. However, this does not solve the issue of complexity and cultural challenges. With shift-left, we require our developers to understand the application, Kubernetes, security considerations, and more. This overhead cuts against the goal of using cloud-native technologies to empower developers to release software more quickly.
KubeLinter is an open-source static analysis tool to identify misconfigurations in Kubernetes objects. KubeLinter offers the ability to integrate security checks of Kubernetes YAML files and Helm charts before deployment into a Kubernetes cluster. The security checks validate that a Kubernetes cluster configuration follows security best practices. With standard built-in checks, developers and teams can get immediate feedback about misconfigurations and violations of Kubernetes policies. This enhances developer productivity, integrating security-as-code with DevOps and DevSecOps processes while ensuring the automatic enforcement of hardened security policies for Kubernetes applications.
KubeLinter analyzes YAML files and Helm charts and runs Kubernetes-native security checks to identify elevated access, misconfigurations, and general best practice violations. KubeLinter is a Go-based binary that can be used on the command line or as part of a CI pipeline, and it gives developers the necessary security checks before allowing any Kubernetes configuration changes. There are currently 19 security checks that come built into the CLI. Some examples include:
KubeLinter's defaults are security-centric, so users have to explicitly opt in to configure Kubernetes in an insecure manner. The built-in checks provided by KubeLinter can be extended with custom checks for many Kubernetes configuration parameters. Individual checks can be enabled or disabled as well, and annotations allow a specific object to pass a single specific check. As an open-source tool available under the Apache 2.0 license, users can also contribute to the project by extending KubeLinter with additional checks.
KubeLinter's focus on being a Kubernetes-native tool leads to the following advantages:
KubeLinter's Go-based CLI architecture allows it to be easily installed in existing pipelines or used on the command line. It uses a package and CLI architecture similar to kubectl's, so little knowledge is required to test and use it. KubeLinter policies can be enabled or disabled, and the checks can be ignored with annotations. KubeLinter gives immediate feedback about how to rectify a misconfiguration or security issue. This approach to security means reasonable checks with little to no workflow changes. KubeLinter means declarative security and Kubernetes-focused security rules that can be easily accessed and viewed.
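The manifest pair below is an added example, not taken from the original article or from the KubeLinter project: a constructed Deployment with settings that three of KubeLinter's built-in checks report on, followed by a corrected version that opts out of one check by annotation. The workload names, image reference, user ID and annotation reason text are made up for illustration.

```yaml
# Constructed example manifests (names and image are placeholders).
# Lint before deploying:  kube-linter lint web.yaml
---
# Weak: each commented setting names the built-in check that reports on it.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: web-weak
spec:
  replicas: 1
  selector:
    matchLabels: {app: web-weak}
  template:
    metadata:
      labels: {app: web-weak}
    spec:
      containers:
        - name: web
          image: registry.example.com/web:1.4.2
          securityContext:
            privileged: true                   # privileged-container
            # runAsNonRoot not set             -> run-as-non-root
            # readOnlyRootFilesystem not set   -> no-read-only-root-fs
---
# Corrected: privilege dropped, non-root enforced, one documented exception.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: web-hardened
  annotations:
    # Reviewable opt-out of a single check, scoped to this object only.
    ignore-check.kube-linter.io/no-read-only-root-fs: "app writes a local cache; tracked for removal"
spec:
  replicas: 1
  selector:
    matchLabels: {app: web-hardened}
  template:
    metadata:
      labels: {app: web-hardened}
    spec:
      containers:
        - name: web
          image: registry.example.com/web:1.4.2
          securityContext:
            privileged: false
            runAsNonRoot: true
            runAsUser: 10001
```

Other built-in checks may still report on these objects; the pair addresses only the three findings named in the comments.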
KubeLinter's success will rely on the community. As Kubernetes continues to grow, StackRox views KubeLinter as a security enablement tool that simplifies security and makes the day-to-day usage of Kubernetes by community end users safer and more secure.
Watch the lead developer Viswa Venugopal talk about KubeLinter basics
Go here to read the rest:
How KubeLinter fits in the CNCF Ecosystem - Security Boulevard