Kubernetes security has become the focal point for protecting cloud-native workloads among enterprises as they deploy containers and microservices in production.
Initially, container security specialists such as Aqua, Twistlock and StackRox focused on scanning container images within the DevOps pipeline, then added container runtime scans for live production environments through agents deployed on individual hosts.
More recently, however, such tools have shifted their focus to the overall Kubernetes platform, adding network-based security controls and policy-driven mechanisms. A new crop of players such as Octarine has also emerged; they plug in to the network service mesh layer of Kubernetes environment to deepen security visibility.
This trend reflects growing maturity at enterprise firms as they address the far-reaching security implications of deploying microservices via Kubernetes.
“With microservices and containers in general, there’s opportunity to multiply your security risk exponentially, and they multiply the number of points [in the infrastructure] that need to be analyzed,” said Jason Harris, VP of cloud architecture at Aptos, an Atlanta-based software maker for retailers. “Kubernetes is our means of delivering microservices, and we’re looking at it as a way to deploy applications securely as well.”
Aptos first rolled out container-based microservices in support of their customers’ retail point-of-sale (POS) systems in late 2018. But in the latter half of 2019, Aptos started to look for a tool that could specifically automate Kubernetes security. It reviewed products from Aqua, Twistlock, Qualys and StackRox, and ultimately chose StackRox.
The StackRox tool beat out incumbent IT security vendor Qualys, which has features for container image scanning, because of its focus on container runtime security in the context of the Kubernetes platform, Harris said. Some Qualys container runtime features are still in beta.
Jason HarrisVP of cloud architecture, Aptos Retail
“Microservices are really layers of containers that deliver a service, and those contain open source components or there may be rogue containers,” Harris said. “[Within] Kubernetes in general, [resources] move, and that’s where StackRox adds value: looking into Kubernetes in addition to the containers.”
The StackRox approach to Kubernetes security integration was another selling point for Aptos over competitors that also offer container runtime scanning, such as Twistlock and Aqua. StackRox deploys as a privileged DaemonSet within Kubernetes clusters, which Aptos favored as a simpler approach to Kubernetes security setup.
“When we deploy a new cluster, it’s just wrapped into that process,” Harris said. “Once you establish that DaemonSet in the cluster, any new nodes are going to inherit the daemon automatically.” The more complex alternative would require StackRox to be deployed as a privileged container on each host.
Kubernetes security visibility improves compliance
Users of Kubernetes security products based on host agents deploy them to nodes automatically through infrastructure as code (IaC) tools such as Terraform, but StackRox also offered strong visibility into Kubernetes cluster configuration. This has helped Aptos with regulatory compliance in addition to Kubernetes security, since it can easily show auditors a comprehensive view of its environment.
“StackRox recently added a configuration management app that we’ve gotten far more value out of than we expected, because it’s turning into a good reporting tool on our Kubernetes ecosystem,” Harris said. “It’s hard to have visibility into just even simple things like the number of clusters [in production] and the number of nodes [within them], and what’s my Kubernetes version on all those clusters?”
Challenges in Kubernetes security and security for microservices remain, as cloud-native technology continues to evolve at breakneck speed and retail customers demand microservices-based mobile apps. Such apps will require Aptos to support publicly hosted mobile app store APIs and customer payment data, upping the microservices security stakes.
Any kind of change presents security risks, but as with other enterprise container users, Aptos believes the combination of IaC automation for Kubernetes deployment and policy-based Kubernetes security automation improves its security posture over tools it used with traditional monolithic applications.
“The visibility and the control we have in this world far outweighs the drift that you had in the older world,” Harris said. “I’ll take the problems in the new world any day over our legacy challenges.”
While Kubernetes security was the main selling point for StackRox, Harris said he’s looking forward to upcoming improvements in the tool’s container scanning features for images within container registries, which has lagged that of some other container security specialists and container registry tools such as Red Hat Quay.
“The view we needed was, ‘OK, show me this vulnerability across all my images, and if I flip to an image, show me any vulnerabilities above a certain level,'” he said. “Hopefully, we’ll get there soon.”
A StackRox feature that shows vulnerabilities in container images within a registry, including their severity level, was previewed at KubeCon in November, and will become generally available this month, a company spokesperson said.