Beyond the Cloud: Kubernetes Security Insights from Google and Snap

Beyond the Cloud: Kubernetes Security Insights from Google and Snap
May 17, 2023

Kubernetes, the titan of cloud infrastructure, is rapidly transforming the way we think about and navigate the vast realm of the cloud. Despite its skyrocketing popularity, Kubernetes also presents a labyrinth of complexities when it comes to security. This has necessitated a paradigm shift away from traditional cloud security measures, pushing us into uncharted territories.

In a recent Deepfence webinar, "Demystifying Kubernetes Detection and Response," leading security luminaries from tech giants Google and Snap unraveled the intricacies of Kubernetes security. They not only spotlighted the limitations of conventional cloud security tools but also championed the need for Kubernetes-tailored security strategies.

In this blog, we will take you on a journey into the heart of these insights, illuminating why Kubernetes is a world that demands a unique approach to detection and response. We'll unravel how to navigate this challenging landscape effectively, transforming Kubernetes security from a daunting challenge into a navigable roadmap. Fasten your seatbelt for an exploration into the brave new world of Kubernetes security!

Kubernetes Security has Specific Challenges that Traditional Cloud Security Tools are Ill-Equipped to Handle

First, it's crucial to consider configuration management, which often poses a unique challenge in Kubernetes environments. Human error is frequently the cause of data breaches, and a misconfigured Kubernetes setup can lead to significant security issues. Therefore, ensuring that configurations are accurate and secure is paramount. Kubernetes has powerful functionality that can require significant configuration to ensure secure and scalable applications. Therefore, it's necessary to understand the implications of different configuration options and avoid using default configurations until their security implications are fully comprehended. Additionally, applying the CIS Benchmarks for Kubernetes can provide useful guidance for hardening the environment and ensuring continuous adherence to best practices​.

Second, container images in production Kubernetes clusters face new security challenges, including potential breaches via stolen credentials, compromised images in the registry, application vulnerabilities, and more. It's crucial to adopt a multi-pronged approach to protect Kubernetes clusters and workloads at runtime, using automated process discovery and behavioral baselining, among other strategies. This can help to quickly identify and respond to threats in real time, ensuring that security incidents are promptly addressed​​.

In the webinar, Demystifying Kubernetes Detection and Response, Iman Ghanizada, Global Head of Autonomic Security at Google Cloud, Nick Reva, Head of Corporate Security Engineering at Snap, and Sandeep Lahane, CEO/Founder of Deepfence, answered the question: "When running a large Kubernetes fleet, what are some challenges where traditional cloud security tools like CSPM miss the mark?"

The security leaders gave insights into why traditional configuration management tools that look at the cloud context of an environment (traditional CSPM) is not enough. Traditional CSPM tools, designed to regulate compliance and configuration controls at the cloud level, are no longer adequate. They fail to grasp Kubernetes-specific concepts like service meshes, labels, and namespaces, making them unfit for hardening Kubernetes-specific configurations or performing appropriate compliance checks. One critical policy that CSPM tools overlook is Role-Based Access Control (RBAC), a Kubernetes-specific policy that operates at the intra-house or room-level, as opposed to the house-level policies that CSPM tools focus on.

This makes it imperative to have Kubernetes-specific posture management capabilities (KSPM) within your arsenal. To effectively secure Kubernetes clusters, the spotlight must be on Kubernetes-specific security tools like Kubernetes Security Posture Management (KSPM). These tools dig deep, querying Kubernetes EPS servers for low-level data collection on Kubernetes components. They also understand that Kubernetes clusters are immutable, meaning the container infrastructure is unchangeable once created. This nuance makes the detection and response to security incidents more challenging than with traditional cloud infrastructure, a challenge that KSPM tools are designed to meet head-on.

Upon deploying containerized images into production Kubernetes clusters, new security issues emerge. Potential threats at runtime include stolen credentials, compromised images in the registry, application vulnerabilities, exposed dashboards, and kubeconfig files. These can be used by malicious actors to breach your environment, establish persistence, gain additional access, execute malicious code, or hijack or destroy resources. To protect against these risks, a multipronged defense-in-depth approach is recommended. This includes combining automated process discovery and behavioral baselining with processes allowlists to identify anomalous behavior, as well as using predefined threat profiles to quickly identify and respond to common threats like cryptocurrency mining and privilege escalations.

Third, preventing the deployment of images or containers with known vulnerabilities is a critical step in securing Kubernetes. A comprehensive vulnerability detection solution should identify vulnerabilities by specific language packages and each container image layer. By integrating such a solution early into a CI/CD pipeline, it's possible to lower the security risk significantly. Running on-demand vulnerability scans can also help to detect newly discovered vulnerabilities promptly and understand the impact of insecure containers, allowing for prioritization of remediation efforts​​.

Lastly, adhering to industry compliance standards is essential. Most standards, such as HIPAA or PCI-DSS, provide a broad framework but leave it to the organization to determine the right controls. By following the CIS Benchmarks for Kubernetes, an organization can have an advantage in achieving compliance with other industry regulations, as they cover core security standards such as networking and workload isolation, vulnerability detection, access control, and data protection using cryptography. This can make the process of passing a security audit smoother and less costly​​. Despite these benefits, compliance professionals often find it challenging to create effective compliance requirements for Kubernetes environments. KSPM tools can ease this struggle by providing baseline security measures and even mapping to certain industries like Financial Services and Healthcare.

Enhancing Security through Signal Design Curation and Refinement in Kubernetes

In the quest for robust Kubernetes security, one of the more distinct approaches revolves around signal design curation and refinement. This process, which may seem intricate at first glance, essentially focuses on the creation and ongoing improvement of mechanisms that can effectively detect and respond to various threats.

The threat model for Kubernetes security should inherently be container-centric. This means that the security threats and defenses are built around the unique characteristics and vulnerabilities of containers. To aid in this process, one powerful tool at our disposal is the MITRE ATT&CK framework. This globally-accessible knowledge base of adversary tactics and techniques is based on real-world observations. It includes over 30 controls, each outlining a specific adversary behavior, which can be used to understand and create defenses against potential threats.

For example, the MITRE ATT&CK framework identifies 'Resource Hijacking' as a potential adversary behavior, where an attacker might use the resources of a system (such as computational power) for their own purposes, like cryptocurrency mining. In a Kubernetes context, understanding this threat can lead to the creation of specific signal designs to detect unusual resource usage in containers, which could indicate a potential breach.

Prioritizing Kubernetes Security Posture Management (KSPM) and runtime security is also a critical aspect of securing Kubernetes. CSPM tools can help organizations identify and remediate risks in their cloud environments, ensuring configurations align with best practices.

Furthermore, technologies like eBPF (Extended Berkeley Packet Filter) can be employed to enhance security. eBPF acts as a bridge between applications and the kernel, intercepting system calls and providing invaluable insights into system behavior. For instance, it can capture the context of a system call, such as a process attempting to open a file, and feed this data into an analytics engine. This can help in identifying anomalous behavior, such as a container trying to access a file it shouldn't, providing a powerful means to detect and respond to potential threats. It also helps organizations move beyond detection of IOCs or IOAs and into protection mechanisms. You can read more about how Deepfence uses eBPF for in-line protection here

The Imperative of Pod-Level Observability Signals in Kubernetes

As we delve deeper into the nuances of Kubernetes security, it becomes apparent that achieving a high level of observability at the pod level and adding context to logs are key to enhancing the security posture. This means we must begin to think about signal curation not only in terms of TTPs but the appropriate context into that TTP whether it be cloud, network, and/or application context. Traditional logging systems, while effective for certain use cases, often fall short when dealing with the unique challenges presented by Kubernetes environments. These systems typically lack the ability to provide specific context about the state of workloads running on each pod in a Kubernetes cluster. This can make it difficult to understand the cause and effect of certain events or anomalies detected in the system.

Pod-level observability, on the other hand, offers a granular view into the state of runtime workloads. For instance, it can provide insights into the performance and health of individual containers within a pod, network communications between pods, and even finer details like CPU usage or memory consumption of individual containers. This high level of detail is invaluable when it comes to detecting and responding to potential security threats.

For example, if a container within a pod starts consuming an unusually high amount of CPU resources, pod-level observability can help identify this anomaly. Coupled with contextualized logs, which provide additional information about the state of the system at the time of the event, security teams can better understand and investigate the cause of the anomaly. This could potentially reveal a security breach, such as a malicious actor using the container resources for cryptocurrency mining.

Moreover, contextualized signals can help identify patterns and correlations that might be indicative of a sophisticated attack. For instance, a series of seemingly innocuous events such as minor configuration changes across different pods, when viewed in isolation, might not raise any red flags. But, when seen in context and in conjunction, they might reveal a coordinated attack aimed at your infrastructure, applications and most sensitive data. Organizations must be able to not only utilize the cloud context signals that come from traditional CNAPPs but also build application and network context into their observability signals at the pod-level in Kubernetes environments. 

Concluding Thoughts

As we look towards the future of Kubernetes and containerized applications, it's clear that security remains a paramount concern. Despite the many benefits of this technology, including streamlined deployment, scalability, and flexibility, the reality is that we cannot ignore the vulnerabilities that arise from its use. From misconfigured settings to human error, the surface area for potential breaches is significant.

However, it's not all doom and gloom. As our understanding of Kubernetes security evolves, so too do the strategies and tools we have to mitigate these risks. Key to this is a multifaceted approach that includes vulnerability scanning, hardening of environments through best practices such as adhering to the CIS Benchmarks, and the integration of security policies into CI/CD pipelines. These practices can significantly reduce the risk of breaches, enabling us to harness the power of Kubernetes without undue concern for security.

Furthermore, the shift from a traditional server-based architecture to serverless computing, while introducing its own challenges, holds potential for a new level of security and efficiency. The serverless approach eliminates the need for server management, allowing developers to focus more on application development and less on managing the infrastructure. However, it's crucial to remember that this doesn't absolve us of our security obligations - serverless architectures come with their own security concerns, such as potential for greater attack surface and challenges with debugging and testing.

In conclusion, navigating the landscape of Kubernetes security can be challenging, but with a robust and proactive approach to security, we can overcome these challenges. By combining knowledge of potential risks with a commitment to continuous security improvements, we can create secure, efficient, and resilient Kubernetes environments that drive our technology forward without compromising on security. Remember, security isn't a one-time event but an ongoing process, and in the ever-evolving world of Kubernetes, staying vigilant and up-to-date is the key to success.