Viswa Venugopal, staff software engineer at StackRox, says that given the prevalence of misconfigured Kubernetes clusters, it's apparent there is a need for a security tool that IT teams can employ before a Kubernetes cluster is deployed. Written in the Go programming language, KubeLinter accomplishes that goal in a single binary file that IT teams can run from a command line, he says.
Longer term, StackRox plans to add auto-remediation capabilities to KubeLinter that IT teams can employ as they best see fit depending on the impact those changes might have on their applications. Many existing clusters are running older versions of Kubernetes that were not designed to support security capabilities that have been included in the more recent versions, notes Venugopal.
Configuration issues among early adopters of Kubernetes clusters have become a problem because of the complexity of the platform. Most developers who have spun up Kubernetes clusters are primarily focused on simply getting the platform to run. As such, they often overlook the fact that the default settings for Kubernetes are fundamentally insecure. Security settings are not turned on by default because doing so adds complexity to a platform many IT teams are already struggling to master, he says.
KubeLinter provides an automated means to carry out configuration checks as part of a continuous integration (CI) workflow that makes it easier to track how changes are proposed and made to YAML files and Helm charts, he adds.
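
An added illustration of the kind of pre-deployment check described above, not taken from the article and not KubeLinter's own code: a minimal Python linter that flags containers relying on settings Kubernetes leaves unset. The choice of fields, the JSON-form manifest (used to stay within the standard library) and the names `lint`, `SAMPLE` and `WANTED` are assumptions made for this example.

```python
import json
import sys

# Constructed sample: a Deployment in JSON form (not taken from the article).
# The "app" container relies on defaults; "sidecar" sets the hardening fields.
SAMPLE = """{
 "apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "web"},
 "spec": {"template": {"spec": {"containers": [
  {"name": "app", "image": "registry.example/app:1.0"},
  {"name": "sidecar", "image": "registry.example/sidecar:1.0",
   "securityContext": {"runAsNonRoot": true, "readOnlyRootFilesystem": true,
                       "allowPrivilegeEscalation": false},
   "resources": {"limits": {"cpu": "100m", "memory": "64Mi"}}}
 ]}}}}"""

# Container securityContext fields that stay unset unless the manifest sets them.
WANTED = {"runAsNonRoot": True, "readOnlyRootFilesystem": True,
          "allowPrivilegeEscalation": False}

def lint(manifest_text):
    """Return a list of findings for one Pod or pod-template workload."""
    obj = json.loads(manifest_text)
    ident = f'{obj.get("kind")}/{obj.get("metadata", {}).get("name", "?")}'
    spec = obj.get("spec") or {}
    if obj.get("kind") != "Pod":
        spec = (spec.get("template") or {}).get("spec") or {}
    containers = (spec.get("initContainers") or []) + (spec.get("containers") or [])
    if not containers:
        # Fail closed: an unrecognised layout must not pass silently.
        return [f"{ident}: no containers found, kind not handled"]
    pod_sc = spec.get("securityContext") or {}
    findings = []
    for c in containers:
        sc = c.get("securityContext") or {}
        where = f'{ident} container {c.get("name")}'
        if sc.get("privileged") is True:
            findings.append(f"{where}: privileged is true")
        for field, want in WANTED.items():
            value = sc.get(field)
            if value is None and field == "runAsNonRoot":
                value = pod_sc.get(field)  # this field may be set pod-wide
            if value is not want:
                findings.append(f"{where}: securityContext.{field} is not {want}")
        limits = (c.get("resources") or {}).get("limits") or {}
        findings += [f"{where}: no {r} limit" for r in ("cpu", "memory")
                     if r not in limits]
    return findings

if __name__ == "__main__":
    results = lint(SAMPLE)
    print("\n".join(results))
    sys.exit(1 if results else 0)  # non-zero exit fails the CI step
```
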
A recent survey of 400 IT and security professionals conducted by StackRox finds human error to be the main cause of most Kubernetes security incidents, with misconfigurations contributing to roughly 67% of the incidents reported by survey respondents. A total of 90% of respondents report they experienced a security incident in their container and Kubernetes environments over the last 12 months, with 44% noting they delayed moving an application into production because of security concerns.
Despite misconfiguration issues, the rate at which Kubernetes clusters are being deployed continues to accelerate as organizations look to deploy microservices-based applications that are both more flexible and resilient. Many of those applications are driving digital business transformation initiatives that require applications that can also be more easily updated as business conditions change.
The challenge organizations face is that cybercriminals are also tracking this transition. Tools for scanning for misconfigured Kubernetes clusters are readily available. The paradox is that some of the most strategic applications any organization has deployed in years are running on Kubernetes clusters that are often misconfigured.
It may be a while before best DevSecOps practices evolve to the point where misconfigurations of Kubernetes clusters become less of an issue. However, as more tools to address the issue become available, it may now only be a matter of time before most IT teams are configuring Kubernetes clusters right every time they are deployed.