Containers and Kubernetes are pushing teams to rethink their security strategies and bring in security as early in development as possible – what’s known as a “shift left” mindset. This allows you to rely on automation to nip problems in the bud, rather than waiting for a crisis.
Orchestration and containerisation make that easier. Because a Kubernetes environment is described declaratively, security policy enforcement can be shifted left alongside the code, and compliance checks can ride on the same automation.
Read on for three ways you can use Kubernetes to automate your security and compliance.
1. Perfect your configurations
Kubernetes has plenty of security features, but don't rely on the default settings. It’s a complicated system with a lot of options, and several of the defaults are permissive: without a NetworkPolicy every pod can talk to every other pod, every pod gets a service account token mounted unless it opts out, and a container may run as root and escalate privileges unless its security context says otherwise.
Start your automation by getting these settings right and capturing them in the manifests and policies you apply automatically. It can help to use something like Red Hat OpenShift or another commercial platform built on top of the open-source project, since those ship with stricter defaults and enforce more of them for you.
You can apply security best practices automatically at many levels of Kubernetes: cluster, namespace, pod, deployment and service.
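As an added example of what "don't rely on the defaults" means at the pod level (this is illustration written for this article, not code from the original page or from any vendor), the script below audits a Pod manifest for the settings a practitioner typically enforces in CI or at admission. Both manifests are constructed for the example; the checks mirror Kubernetes' own defaults, which are noted in the comments.

```python
"""Audit a Pod manifest for hardening settings Kubernetes does not apply by default.

Added example, not code from the original article. The two manifests below are
constructed for illustration; the checks are the ones commonly enforced in CI
or by an admission controller (roughly the Pod Security Standards 'restricted'
profile).
"""
from typing import Any, Dict, List

# Constructed manifest that relies on defaults: the API server accepts it as-is.
WEAK_POD: Dict[str, Any] = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "web", "namespace": "default"},
    "spec": {
        "hostNetwork": True,
        "containers": [
            {
                "name": "web",
                "image": "registry.example.com/web:latest",
                "securityContext": {"privileged": True},
            }
        ],
    },
}

# Same workload with every permissive default overridden explicitly.
HARDENED_POD: Dict[str, Any] = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "web", "namespace": "prod"},
    "spec": {
        "automountServiceAccountToken": False,
        "securityContext": {
            "runAsNonRoot": True,
            "runAsUser": 10001,
            "seccompProfile": {"type": "RuntimeDefault"},
        },
        "containers": [
            {
                "name": "web",
                "image": "registry.example.com/web:1.4.2",
                "securityContext": {
                    "allowPrivilegeEscalation": False,
                    "readOnlyRootFilesystem": True,
                    "capabilities": {"drop": ["ALL"]},
                },
                "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}},
            }
        ],
    },
}


def image_is_pinned(image: str) -> bool:
    """True when the image reference carries a digest or a non-'latest' tag."""
    if "@sha256:" in image:
        return True
    last = image.rsplit("/", 1)[-1]  # strip the registry/repository path
    return ":" in last and not last.endswith(":latest")


def audit_pod(pod: Dict[str, Any]) -> List[str]:
    """Return one finding per weak setting; an empty list means the pod passes."""
    findings: List[str] = []
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})

    for key in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(key):
            findings.append(f"pod sets {key}=true")
    # Default is true: every pod gets an API token mounted unless it opts out.
    if spec.get("automountServiceAccountToken", True):
        findings.append("service account token is auto-mounted (default)")
    # Default is Unconfined unless the kubelet enables seccompDefault.
    if pod_sc.get("seccompProfile", {}).get("type") not in ("RuntimeDefault", "Localhost"):
        findings.append("no seccomp profile at pod level (default is Unconfined)")

    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            findings.append(f"{name}: privileged container")
        # Default is true, so the field must be set to false explicitly.
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(f"{name}: allowPrivilegeEscalation not disabled (default true)")
        if not sc.get("readOnlyRootFilesystem", False):
            findings.append(f"{name}: root filesystem is writable (default)")
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            findings.append(f"{name}: Linux capabilities not dropped")
        if not (sc.get("runAsNonRoot") or pod_sc.get("runAsNonRoot")):
            findings.append(f"{name}: may run as root (runAsNonRoot unset)")
        if "limits" not in c.get("resources", {}):
            findings.append(f"{name}: no resource limits")
        if not image_is_pinned(c.get("image", "")):
            findings.append(f"{name}: image not pinned to a version or digest")
    return findings


if __name__ == "__main__":
    for label, pod in (("weak", WEAK_POD), ("hardened", HARDENED_POD)):
        result = audit_pod(pod)
        print(f"{label}: {len(result)} finding(s)")
        for finding in result:
            print("  -", finding)
```

Run against the two constructed manifests, the weak one produces ten findings and the hardened one none. The same checks, expressed as a policy for an admission controller or as a pipeline step that fails the build, are what turns "perfect your configurations" into automation rather than a review checklist.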
2. Automate detection and policy enforcement as far as possible
Once you’ve automated your operating infrastructure, do the same with security; this is as crucial to container security as it is to Kubernetes security.
Kubernetes environments are meant to work with declarative APIs that let you configure infrastructure securely as you provision it, and configure applications securely as you build and deploy them. That means security policy too can be managed as code.
Combine this with behavioural analytics or machine learning based detection as much as possible to support your shift-left approach to security. That makes it easier to bring workload security policies in at the beginning of the development process, so your environments are protected from the word go.
One thing it’s vital to automate is vulnerability scanning at runtime. Don’t just scan the containers, scan the host and Kubernetes itself too. It’s also vital to automate your networking segmentation, and this might actually be a regulatory requirement in some industries. And rightly too: in a containerised environment, you really don’t want to be scrambling to adjust firewall rules manually to every new threat.
You can even use Kubernetes operators to automate your security needs. An operator continuously reconciles the cluster towards the declared state, so it can manage drift by resetting unsupported configuration changes: anything edited by hand that no longer matches the manifest is put back.
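Network segmentation is the item above that most often turns out to be only partly automated: a namespace has some NetworkPolicy objects, so it looks segmented, but nothing denies traffic by default. The check below, added here as an example and not taken from the article or any vendor tool, finds those gaps and generates the manifest that closes them, the kind of reconcile loop an operator would run. The policy objects are constructed to look like `kubectl get networkpolicy -A -o json` items; the only assumption is the NetworkPolicy schema itself.

```python
"""Find namespaces without a default-deny NetworkPolicy and build one for them.

Added example, not from the original article or any vendor tool. The objects
below are constructed; the defaulting rule for policyTypes is the one the
Kubernetes API applies.
"""
from typing import Any, Dict, List

# Constructed: a real default deny, both directions, for every pod in 'prod'.
DEFAULT_DENY_PROD: Dict[str, Any] = {
    "apiVersion": "networking.k8s.io/v1",
    "kind": "NetworkPolicy",
    "metadata": {"name": "default-deny-all", "namespace": "prod"},
    "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]},
}

# Constructed: looks like segmentation, but only covers pods labelled app=web,
# only for ingress, and leaves every other pod in 'staging' wide open.
WEB_ONLY_STAGING: Dict[str, Any] = {
    "apiVersion": "networking.k8s.io/v1",
    "kind": "NetworkPolicy",
    "metadata": {"name": "web-ingress", "namespace": "staging"},
    "spec": {
        "podSelector": {"matchLabels": {"app": "web"}},
        "ingress": [{"from": [{"podSelector": {"matchLabels": {"app": "lb"}}}]}],
    },
}

NAMESPACES = ["prod", "staging", "default"]


def policy_types(spec: Dict[str, Any]) -> List[str]:
    """Apply the API's defaulting rule: an omitted policyTypes means Ingress,
    plus Egress only if egress rules are present."""
    if "policyTypes" in spec:
        return list(spec["policyTypes"])
    return ["Ingress"] + (["Egress"] if "egress" in spec else [])


def is_default_deny(policy: Dict[str, Any], direction: str) -> bool:
    """A policy denies all traffic in `direction` ('Ingress' or 'Egress') when
    it selects every pod (empty podSelector), lists that direction in
    policyTypes, and carries no rules for it."""
    spec = policy.get("spec", {})
    if spec.get("podSelector", {}) != {}:
        return False
    if direction not in policy_types(spec):
        return False
    return not spec.get(direction.lower(), [])


def namespaces_without_default_deny(
    namespaces: List[str], policies: List[Dict[str, Any]]
) -> Dict[str, List[str]]:
    """Map each namespace to the directions that are still open by default."""
    gaps: Dict[str, List[str]] = {}
    for ns in namespaces:
        in_ns = [p for p in policies if p["metadata"].get("namespace") == ns]
        open_dirs = [
            d for d in ("Ingress", "Egress")
            if not any(is_default_deny(p, d) for p in in_ns)
        ]
        if open_dirs:
            gaps[ns] = open_dirs
    return gaps


def default_deny_manifest(namespace: str) -> Dict[str, Any]:
    """Manifest to apply (by kubectl, CI or a controller) to close the gap.
    Allow rules for DNS, the app's own dependencies and so on are then added
    as separate, narrower policies."""
    return {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "NetworkPolicy",
        "metadata": {"name": "default-deny-all", "namespace": namespace},
        "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]},
    }


if __name__ == "__main__":
    found = namespaces_without_default_deny(NAMESPACES, [DEFAULT_DENY_PROD, WEB_ONLY_STAGING])
    for ns, dirs in found.items():
        print(f"{ns}: no default deny for {', '.join(dirs)}; would apply:",
              default_deny_manifest(ns)["metadata"])
```

One caveat a practitioner will want: a NetworkPolicy object is only enforced if the cluster's network plugin implements the API. On a CNI that ignores NetworkPolicy the check above passes while the traffic still flows, so the first control to automate is confirming that enforcement is actually on.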
3. Automate your compliance checks
Kubernetes is a dynamic environment, so your security needs to keep evolving. That means you need to keep continuously testing how well it adheres to industry standards and benchmarks. Luckily, you can automate that, too.
The CIS Kubernetes Benchmark is a useful standard to test against. It’s a free checklist of a couple of hundred secure configuration settings and best practices. This would be a bit much to check against manually, but there are free open-source tools, like Aqua’s kube-bench and Neuvector’s script set, that will do it for you. Red Hat OpenShift Container Platform 4 will meet most of the standards by default but leaves some of them to your discretion.
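To show what one of those benchmark checks actually does, here is an added example (written for this article; it is not kube-bench, NeuVector's scripts, or code from the original page) that parses a kube-apiserver command line and evaluates it against a handful of controls. The command lines are constructed to resemble what a kubeadm install writes into the API server's static pod manifest; the five controls are paraphrased from the benchmark's API server section, and since wording and numbering change between benchmark versions, none is quoted by number.

```python
"""Evaluate kube-apiserver flags against a few CIS Kubernetes Benchmark style controls.

Added example; not kube-bench and not from the original article. The command
lines are constructed; the controls are paraphrased from the benchmark's API
server section (wording and numbering vary by version, so none is cited).
"""
from typing import Callable, Dict, List, Tuple

# Constructed: an API server left on the upstream (permissive) defaults.
WEAK_COMMAND = [
    "kube-apiserver",
    "--anonymous-auth=true",
    "--authorization-mode=AlwaysAllow",
    "--profiling=true",
    "--etcd-servers=https://127.0.0.1:2379",
]

# Constructed: the same server after remediation.
HARDENED_COMMAND = [
    "kube-apiserver",
    "--anonymous-auth=false",
    "--authorization-mode=Node,RBAC",
    "--profiling=false",
    "--audit-log-path=/var/log/kubernetes/audit.log",
    "--audit-log-maxage=30",
    "--etcd-servers=https://127.0.0.1:2379",
]


def parse_flags(command: List[str]) -> Dict[str, str]:
    """Turn ['--k=v', '--flag', 'value', ...] into {'k': 'v', ...}.
    A bare '--flag' with no value is recorded as 'true', which is how Go's
    flag package treats boolean flags."""
    flags: Dict[str, str] = {}
    args = command[1:]  # drop the binary name
    i = 0
    while i < len(args):
        arg = args[i]
        if not arg.startswith("--"):
            i += 1
            continue
        key, sep, value = arg[2:].partition("=")
        if not sep:
            # Value may be the next token ('--audit-log-path /var/log/x').
            if i + 1 < len(args) and not args[i + 1].startswith("--"):
                value = args[i + 1]
                i += 1
            else:
                value = "true"
        flags[key] = value
        i += 1
    return flags


# Each control: (description, predicate over the parsed flags). The fallback
# values in .get() are the upstream defaults, so an absent flag is judged the
# way the running server would behave.
CONTROLS: List[Tuple[str, Callable[[Dict[str, str]], bool]]] = [
    ("--anonymous-auth is set to false",
     lambda f: f.get("anonymous-auth", "true") == "false"),
    ("--authorization-mode does not include AlwaysAllow",
     lambda f: "AlwaysAllow" not in f.get("authorization-mode", "AlwaysAllow").split(",")),
    ("--authorization-mode includes Node and RBAC",
     lambda f: {"Node", "RBAC"} <= set(f.get("authorization-mode", "").split(","))),
    ("--profiling is set to false",
     lambda f: f.get("profiling", "true") == "false"),
    ("--audit-log-path is set",
     lambda f: bool(f.get("audit-log-path"))),
]


def run_controls(command: List[str]) -> Dict[str, str]:
    """Return {control description: 'PASS' | 'FAIL'} for a command line."""
    flags = parse_flags(command)
    return {desc: ("PASS" if check(flags) else "FAIL") for desc, check in CONTROLS}


def failures(command: List[str]) -> List[str]:
    """Descriptions of the controls the command line fails."""
    return [desc for desc, status in run_controls(command).items() if status == "FAIL"]


if __name__ == "__main__":
    for label, cmd in (("weak", WEAK_COMMAND), ("hardened", HARDENED_COMMAND)):
        print(f"{label}:")
        for desc, status in run_controls(cmd).items():
            print(f"  [{status}] {desc}")
```

In a real cluster the command line comes from `spec.containers[0].command` in the API server's static pod manifest on each control-plane node, which is why kube-bench runs as a privileged Job on those nodes; scheduling it as a CronJob and alerting on any FAIL is the continuous testing the section above describes.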
It’s worth checking out Aqua’s other open-source offerings too. They include kube-hunter, which probes your cluster the way an attacker would, from outside or from inside a pod, and reports the weaknesses it finds along with advice on closing them, and Starboard, a toolkit that runs security tools such as vulnerability scanners and configuration audits inside the cluster and exposes their results as Kubernetes resources.