The Cloud Native Computing Foundation (CNCF) continues to lead the industry in supporting new cloud-native technologies. The innovative packages hosted by CNCF have seen impressive adoption rates among software teams of all sizes. One area where CNCF is especially active is security and compliance, an area seeing much development in recent years.
Security is top-of-mind due to increasing software vulnerabilities and the emergence of new global data privacy regulations. Both of these undercurrents are heightened in the cloud, where data and resources could potentially be exposed on a massive scale. As opposed to older software architectures, modern cloud-native technologies come with nuances that require new approaches to security.
Below, we’ll take a look at six of the most popular security and compliance projects under the CNCF umbrella. These tools can help teams apply policy management, check CVEs, ensure regulatory compliance, protect web traffic, secure frequent software patching, automate TLS issuances and other vital actions. Most packages below are designed for Kubernetes and offer integrations with popular cloud-native infrastructures.
1. Open Policy Agent (OPA)
An open source, general-purpose policy engine.
Developed by Styra, Open Policy Agent (OPA) offers a way to provide a universal policy engine across your entire stack. This decoupled nature makes it easier to apply fine-grained policy controls across containers, Kubernetes, APIs, service mesh or at the application level.
OPA relies on a unique high-level declarative language. Using this language, engineers can specify policies across all create, update and delete operations. This is helpful to ensure provenance is trusted and lock down access to only those with correct authentication credentials.
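As an added example (not code from the article or from the OPA project), here is a policy of the kind the paragraph describes: a Rego rule that rejects Pod create and update requests whose container images do not come from a trusted registry, which is one way to enforce trusted provenance at admission time. The policy is wrapped in a ConfigMap because OPA's Kubernetes admission-control deployment loads policies from ConfigMaps carrying the `openpolicyagent.org/policy: rego` label; that wiring, the `opa` namespace and the registry names are assumptions for the example.

```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: trusted-image-policy
  namespace: opa
  labels:
    # Label used by OPA's Kubernetes admission-control setup to pick up
    # policies from ConfigMaps (assumed deployment convention).
    openpolicyagent.org/policy: rego
data:
  trusted-images.rego: |
    package kubernetes.admission

    # Registries whose images count as trusted provenance
    # (constructed sample values; replace with your own).
    trusted_registries := {
        "registry.example.internal/",
        "ghcr.io/example-org/",
    }

    # Only operations that carry a Pod spec are checked; a DELETE has no
    # image to evaluate, so it passes this rule.
    checked_operations := {"CREATE", "UPDATE"}

    # Every regular container in a Pod must use an image from a trusted registry.
    deny[msg] {
        input.request.kind.kind == "Pod"
        checked_operations[input.request.operation]
        container := input.request.object.spec.containers[_]
        not image_trusted(container.image)
        msg := sprintf("container %s uses image %s from an untrusted registry",
                       [container.name, container.image])
    }

    # Init containers run before the main containers and get the same check.
    deny[msg] {
        input.request.kind.kind == "Pod"
        checked_operations[input.request.operation]
        container := input.request.object.spec.initContainers[_]
        not image_trusted(container.image)
        msg := sprintf("init container %s uses image %s from an untrusted registry",
                       [container.name, container.image])
    }

    # An image is trusted when it starts with one of the trusted registry prefixes.
    image_trusted(image) {
        startswith(image, trusted_registries[_])
    }
```

The `deny` set is empty for a compliant Pod and holds one message per offending container otherwise; how that set becomes an AdmissionReview response depends on how OPA is wired into the API server. Before deploying, the Rego body can be exercised offline with `opa eval -d trusted-images.rego -i review.json "data.kubernetes.admission.deny"`, where `review.json` is a saved AdmissionReview request.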
2. The Update Framework (TUF)
A framework to secure the software update process
Updating large software ecosystems is complex. Apps require nearly constant updates and the systems that control software updates are prone to attack. For example, attackers could provide a similar-looking file with malicious code, an older version or a newer version with exploits. The Update Framework (TUF) assists in securing this software update process.
TUF is a layer that protects software update systems. It focuses on discovering and downloading the update while stopping attacks along the way. It does so by using “verifiable records about the state of a repository or application.” This signed metadata about trusted keys is then used to confirm the authenticity of updates.
Different software update systems can use TUF—it’s flexible to accommodate application updaters, library package managers and software package managers. To get started with TUF, check out the getting started guide, or install the Python implementation as described here. CNCF hosts a graduated Python reference implementation of The Update Framework (TUF).
3. Falco
Cloud-native runtime security
Cloud-native environments like Kubernetes are prone to many types of threats. Thus, developers and SREs continue to incorporate more automated threat detection to help get better visibility into production vulnerabilities.
Falco is a threat detection package that can be used to specify rules for your containers. It can scan for known common vulnerabilities and exposures (CVEs) and trigger alerts to help your team respond to threats quickly. Falco ships with default rules to check for unusual behaviors such as privilege escalation, namespace changes, risky read/write abilities, unexpected network connections and other potential exploits.
Falco also provides integration with tools such as OPA, Prometheus, Helm, Kubernetes, Elasticsearch, and others. Falco was the first runtime security project to join CNCF as an incubating project and since has seen adoption by many companies including GitLab, Shopify, Skyscanner and others. Developers can peruse the Falco documentation to get started.
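To show what one of the rules the paragraph above refers to looks like, here is a custom rule in Falco's YAML rules format, added here as an example and not taken from Falco's own ruleset. It alerts when a process inside a container opens a file under a system path for writing, unless the process is a known package manager. The `container` and `open_write` macros are defined in Falco's default rules and are assumed to be loaded alongside this file; the list of package-manager binaries and the rule name are constructed for the example.

```yaml
# Constructed Falco rules file; load it alongside the default ruleset,
# which supplies the `container` and `open_write` macros used below.

# Binaries that legitimately write to system paths (constructed sample list).
- list: example_pkg_binaries
  items: [apt, apt-get, dpkg, yum, dnf, rpm, apk]

# File paths that a workload container should normally not modify at runtime.
- macro: example_system_path
  condition: (fd.name startswith /etc/ or fd.name startswith /usr/bin/ or fd.name startswith /usr/sbin/)

- rule: Write to system path in container
  desc: >
    A process inside a container opened a file under /etc, /usr/bin or
    /usr/sbin for writing and is not a package manager. Container images
    are expected to be immutable at runtime, so this is a possible sign
    of tampering or persistence.
  condition: >
    container and open_write and example_system_path
    and not proc.name in (example_pkg_binaries)
  output: >
    System path written inside container
    (user=%user.name command=%proc.cmdline file=%fd.name
    container_id=%container.id image=%container.image.repository)
  priority: WARNING
  tags: [container, filesystem, constructed_example]
```

The `output` fields are interpolated into the alert text, so the event that reaches your alerting or SIEM pipeline names the user, command, file and image without a second lookup. Expect to tune the exception list against your own workloads: a rule that fires on every legitimate write is soon ignored.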
4. Notary
A project that allows anyone to have trust over arbitrary collections of data
Applications interface with a lot of data. But publishing and verifying disparate content can be risky. Most web-based applications now use TLS, but this approach can be flawed if the server is compromised. Notary, based on The Update Framework, provides a method to increase security for arbitrary collections of data. The project is made up of a server and a client. It works by signing content with keys offline and posting trusted collections to a Notary server. This process can help determine the validity and integrity of incoming content. To use Notary, developers can get started with the Notary CLI.
5. cert-manager
Automatically provision and manage TLS certificates in Kubernetes
Jetstack’s cert-manager is another CNCF project growing in popularity. Cert-manager can be added to Kubernetes to automatically issue and manage TLS certificates. It can keep TLS certificates up-to-date and remove them when necessary. The package is similar to other projects such as kube-lego and kube-cert-manager. For more information, developers can read the cert-manager documentation. For a quick implementation tutorial, check out the cert-manager NGINX ingress quick start guide.
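As an added example (not from the article or the cert-manager project), the manifests below set up the flow the paragraph describes: a ClusterIssuer that obtains certificates from Let's Encrypt over ACME using an HTTP-01 challenge served through the NGINX ingress, and a Certificate resource that asks cert-manager to issue, store and renew a certificate for one hostname. The hostname, email address, namespace and secret names are assumed values for the example.

```yaml
# ClusterIssuer: cluster-wide ACME account with Let's Encrypt.
# The staging endpoint is used deliberately: it has no issuance rate
# limits, so a misconfiguration cannot lock you out of production.
# Switch the server URL to the production directory once it works.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: ops@example.com               # assumed contact address
    privateKeySecretRef:
      name: letsencrypt-staging-account-key   # ACME account key, created by cert-manager
    solvers:
      - http01:
          ingress:
            class: nginx                 # challenge responses are served via NGINX ingress
---
# Certificate: cert-manager issues the cert into `secretName` and renews it
# automatically when `renewBefore` of the validity period remains.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: web-example-com
  namespace: web                         # assumed namespace of the workload
spec:
  secretName: web-example-com-tls        # kubernetes.io/tls Secret the Ingress references
  duration: 2160h                        # 90 days, the lifetime Let's Encrypt issues
  renewBefore: 720h                      # start renewal 30 days before expiry
  issuerRef:
    name: letsencrypt-staging
    kind: ClusterIssuer
  dnsNames:
    - web.example.com                    # assumed hostname; must resolve to the ingress
```

An Ingress in the `web` namespace then references `web-example-com-tls` in its `tls` section. The same result can be had without a separate Certificate object by annotating the Ingress with `cert-manager.io/cluster-issuer: letsencrypt-staging`, which is the route the NGINX quick start guide takes; the explicit Certificate is useful when you want to control the duration and renewal window.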
6. Curiefense
Application-level security protection with GitOps in mind
Curiefense is a comprehensive, open source security solution created by Reblaze and named in honor of the famous scientist Marie Curie. Integrated with NGINX and Envoy proxy, Curiefense protects web traffic and automatically updates security policies as new threats emerge. Curiefense’s main feature is its web application firewall (WAF), which protects against the OWASP Top Ten web vulnerabilities. It also provides application- and API-level security. Curiefense fits well into a DevSecOps culture, as it is controllable using an IaC/GitOps approach.
Other CNCF Security and Compliance Projects
Amid growing security threats and new data regulations, we will likely see much further evolution in the area of cloud-native security and compliance tooling. In this post, we’ve briefly summarized some graduated, incubating and sandbox CNCF tools related to security and compliance. These six projects are gaining momentum, but they aren’t the only CNCF projects in this category.
Here are some other CNCF projects related to security and compliance. All the following projects are in the sandbox stage at the time of writing:
- Dex: An OpenID Connect (OIDC) identity and OAuth 2.0 provider with pluggable connectors.
- In-toto: A framework to protect supply chain integrity.
- Keylime: A scalable remote boot attestation and runtime integrity measurement solution.
- Kyverno: A policy engine designed for Kubernetes.
- Parsec: A common API abstraction layer to deliver security as a microservice.