
Accurics Applies Policy as Code to Secure Kubernetes Clusters

Accurics is employing policy as code to address a Kubernetes vulnerability, using its Terrascan tool for securing infrastructure as code.

Terrascan is Accurics’ open source static code analysis tool for infrastructure as code.

CVE-2020-8555, a previously disclosed Server Side Request Forgery (SSRF) vulnerability, if left unpatched enables an attacker to use the kube-controller-manager to make GET or POST requests.

Om Moolchandani, chief information security officer (CISO) and CTO for Accurics, notes that the vulnerability has been patched in the most recent versions of Kubernetes. However, there are plenty of instances, based on older versions of Kubernetes, that, for one reason or another, can’t yet be upgraded, Moolchandani says.

To mitigate the threat, IT teams must prevent untrusted users from creating pods that mount volume types such as GlusterFS, Quobyte, StorageOS or ScaleIO, and then restrict write permissions for StorageClass. Accurics has simplified remediation of the issue by adding a security policy as code built on the open source Open Policy Agent (OPA) software developed under the auspices of the Cloud Native Computing Foundation (CNCF).

Kubernetes provides different options to define a pod specification, such as Deployment, ReplicaSet, Job, DaemonSet, StatefulSet and CronJob. Implementing the policy in Terrascan will protect against all the relevant options, Moolchandani says.
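The following is an added illustration of the mitigation check described above, written in Python rather than as Terrascan’s own Rego policy: it locates the pod spec inside each of the workload kinds just listed and reports volumes of the types the mitigation says untrusted users must not create. It assumes manifests have already been parsed into dicts (for example with a YAML loader); the sample manifests are constructed for the example, and the StorageClass permission part of the mitigation, which is an RBAC change rather than a manifest check, is not covered here.

```python
# Added example (not Terrascan's policy code): flag pod-spec volumes of the
# types named in the CVE-2020-8555 mitigation across all workload kinds.

# Volume type keys, as they appear in a Kubernetes volume object.
RISKY_VOLUME_TYPES = {"glusterfs", "quobyte", "storageos", "scaleIO"}

# Where each workload kind keeps its pod spec (key path from the manifest root).
POD_SPEC_PATHS = {
    "Pod": ("spec",),
    "Deployment": ("spec", "template", "spec"),
    "ReplicaSet": ("spec", "template", "spec"),
    "DaemonSet": ("spec", "template", "spec"),
    "StatefulSet": ("spec", "template", "spec"),
    "Job": ("spec", "template", "spec"),
    "CronJob": ("spec", "jobTemplate", "spec", "template", "spec"),
}


def pod_spec(manifest):
    """Return the pod spec embedded in a workload manifest, or None for other kinds."""
    path = POD_SPEC_PATHS.get(manifest.get("kind"))
    if path is None:
        return None
    node = manifest
    for key in path:
        node = node.get(key) if isinstance(node, dict) else None
        if node is None:
            return None
    return node


def risky_volumes(manifest):
    """Return (volume name, volume type) pairs that the mitigation forbids."""
    spec = pod_spec(manifest) or {}
    findings = []
    for vol in spec.get("volumes") or []:
        # A volume object carries "name" plus exactly one volume-type key.
        for vol_type in vol:
            if vol_type in RISKY_VOLUME_TYPES:
                findings.append((vol.get("name", "<unnamed>"), vol_type))
    return findings


# Constructed sample manifests (assumed, not taken from the article).
CRONJOB = {"kind": "CronJob", "metadata": {"name": "backup"},
           "spec": {"jobTemplate": {"spec": {"template": {"spec": {"volumes": [
               {"name": "data", "glusterfs": {"endpoints": "gfs", "path": "vol"}},
               {"name": "tmp", "emptyDir": {}}]}}}}}}
DEPLOYMENT = {"kind": "Deployment", "metadata": {"name": "web"},
              "spec": {"template": {"spec": {"volumes": [
                  {"name": "cfg", "configMap": {"name": "web"}}]}}}}

if __name__ == "__main__":
    for m in (CRONJOB, DEPLOYMENT):
        print(m["kind"], m["metadata"]["name"], risky_volumes(m))
```

Run against parsed manifests before deployment, or behind an admission controller, this reports the CronJob’s GlusterFS volume and nothing for the Deployment.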

IT teams should always update their Kubernetes clusters to stay current with the latest security patches, but Moolchandani notes there are times when that might not be possible. Employing policy as code within the context of a DevSecOps process provides an effective mitigation technique in the meantime, says Moolchandani.

IT teams can also employ Terrascan to identify configurations that are vulnerable to the CVE-2020-8555 vulnerability before they are deployed, Moolchandani says. In addition, Moolchandani says IT teams can leverage policy as code in runtime controls, such as admission controllers, to protect clusters at runtime.

As the number of Kubernetes-related security issues increases, Moolchandani says Accurics will add additional policies to enable IT organizations to manage Kubernetes security as code whenever possible.

This approach might, in fact, reduce the need for Kubernetes security fire drills. Depending on a threat’s severity level, IT teams will have to decide when to upgrade a cluster based on perceived risk. However, as it becomes easier to apply policy as code, disruptions due to Kubernetes vulnerabilities could be considerably reduced.

In the meantime, organizations that are deploying microservices-based applications, especially those based on containers running on Kubernetes clusters, have to embrace DevSecOps best practices. Containers are among the most complex platforms currently in enterprise IT, and the chances of misconfiguring a Kubernetes cluster are high. Policy as code gives DevOps teams an opportunity to take more control of and responsibility for security, and to collaborate more closely with cybersecurity teams. Otherwise, security professionals, unsure how to secure Kubernetes clusters, will remain wary of the technology.

Mike Vizard

Mike Vizard is a seasoned IT journalist with over 25 years of experience. He also contributed to IT Business Edge, Channel Insider, Baseline and a variety of other IT titles. Previously, Vizard was the editorial director for Ziff-Davis Enterprise as well as Editor-in-Chief for CRN and InfoWorld.
