What Will It Take to Shift Kubernetes Security Left?

Considering Kubernetes security must come earlier in the development journey

Interest in Kubernetes has skyrocketed. A recent CNCF study found 84% of companies run containers in production, and 78% are using Kubernetes in some form.

Kubernetes has flourished into a well-adopted container configuration solution. Yet, security for these environments is not always top-notch. A 2020 StackRox survey found that only 6% of Kubernetes users did NOT have a security incident in the last 12 months. Misconfigurations, runtime incidences and major vulnerabilities are quite common on the platform.

For experts in the Kubernetes arena, securing the platform involves shifting security left. In other words, security forethought must come earlier on in the development journey, with policy-driven automation in place to detect potential issues. I chatted with Michelle McLean, vice president of marketing at Salt Security, to discover what Kubernetes adopters require to truly “shift security left.”

It’s Been a Long Journey To DevSecOps

It’s important to remember that DevOps is still a new concept for many enterprises. It wasn’t until the last 10 years that Dev and Ops begin to merge. Before then, there were “regimented handovers between disciplines,” says McLean. In other words, disciplines were siloed.

DevOps has gathered steam due to the agility benefits inherent in bridging these worlds. Yet, only until recently, security has been left out of the picture. DevSecOps has created a “new opportunity to do what sounded like a pipe dream,” she notes.

Now, with the rallying around Kubernetes, McLean sees the incredible power it can have on security. “The notion of immutability, and being a declarative technology—that is cool for building,” she says. She advocates using those same principles of immutability and declarative properties to start security right at the beginning.

The Kubernetes Security Learning Curve

Kubernetes is proving tricky for end developers to fully understand, requiring specialists or even additional UX layers to operate. Naturally, when technology is misunderstood, it’s easy for security to fall by the wayside.

“We’re on a learning curve,” McLean says. “We’re learning how to run Kubernetes at the same time we’re leaning to secure Kubernetes.”

As IT introduces new technologies, the number of attack surfaces continues to escalate. Keeping security resilient throughout a confluence of API-enabled microservices, container exploits and Kubernetes vulnerabilities can be intimidating.

Though these forces appear daunting, McLean views the current moment as a unique opportunity. “Having a confluence of process and technology can let us weave together dev and security,” she says.

How to Shift K8s Security Left

So, what will it take for an organization to shift Kubernetes security left? Abilities to automate security should be democratized, yet the onus is still on security teams to “define guardrails and apply the right controls,” McLean says. To shift Kubernetes security left, we need a combination of:

  • Policies: Security teams should have controls in place and establish policies across the board.
  • Integrative Security Tooling: Security tools must integrate into CI/CD tools developers are already using. This can enable instant vulnerability detection and remediation before build.
  • Developer Experience: Security resources must fit into the developer’s world and their established workflows.
  • Great Error Messages: Opaque policies are not enough. Developers need human-readable messages alongside their code and actionable instructions to quickly remediate errors.

When it comes down to it, it’s security’s job to set the guardrails. “Nobody wants to build insecure code, but if there is no explanation, developers will go around you,” McLean says, noting in this case, it’s not really the developer’s fault. “It’s really that security needs to understand what controls are relevant.”

For example, Kubernetes doesn’t apply security controls by default; it’s “default allow.” Keep network segmentation in mind when moving from an isolated workstation into production.

Final Thoughts: Leveraging the Innate Power of K8s

As Kubernetes adoption grows, so does the significance of securing the platform. Certainly, more work is required to ensure pods and clusters are safe from intrusion.

McLean adds that Kubernetes can be utilized as a lingua franca. “If it’s how you’re managing your infrastructure, you should use it to manage your security too.” In essence, use what’s already there. “Kubernetes can weave everything together to make microservices work but have segmentation in place.”

By smartly leveraging the innate power of Kubernetes, along with companywide policies, integrated tooling and transparent error messaging, the shift-left philosophy starts to materialize.

In general, McLean places responsibility on security teams to ensure developers can safely leverage the agility of new tools. “We have to face reality: app innovation is the core of any business success.” With that in mind, businesses must do everything to enable developers and reduce friction as much as possible.

Bill Doerrfeld

Bill Doerrfeld is a tech journalist and analyst. His beat is cloud technologies, specifically the web API economy. He began researching APIs as an Associate Editor at ProgrammableWeb, and since 2015 has been the Editor at Nordic APIs, a high-impact blog on API strategy for providers. He loves discovering new trends, interviewing key contributors, and researching new technology. He also gets out into the world to speak occasionally.

Bill Doerrfeld has 86 posts and counting. See all posts by Bill Doerrfeld