10 steps to automating security in Kubernetes pipelines - Gary Duan

DevOps teams don’t need to sacrifice the speed of containerized development if they know what can be automated, why it’s important, and how to do it


By Gary Duan, InfoWorld | MAY 27, 2020

Kubernetes pipelines face an ever-increasing range of threats that demand more integrated and automated security across the application lifecycle. Making things more complex, critical vulnerabilities can make their way into any stage of the pipeline: from build to registry to test-and-staging to (especially damaging) production environments.

One of the biggest roadblocks to effective Kubernetes pipeline security has been investing the time to get it right. The purpose of using containers is increasing the velocity of release cycles, enabling more up-to-date code and better features with better resource stabilization. Any manual efforts to inject security into this pipeline risk slowing that speed and preventing the benefits of a container strategy from being fully realized.


DevOps teams simply can’t afford to slow down the pipeline. This is why automation is not just crucial, but also the most realistic way to ensure container security.

Kubernetes pipeline overview

Taking a step back, this is a simplified view of the Kubernetes pipeline, and some of the top threats at each stage:

[Figure: kubernetes security 01 (image credit: NeuVector)]

New vulnerabilities can be introduced as early as the build phase. (Open source tools, in many cases, have been the culprit for adding previously unknown attack surfaces.) In a registry, even when you’ve successfully removed vulnerabilities in the build phase and stored a clean image, a critical vulnerability that affects that image might be discovered later. The same thing can (and regularly does) happen with containers running in production.

In the production environment, containers, critical tools, or Kubernetes itself could be attacked, such as we all saw in last year’s critical API server vulnerability. All of this infrastructure presents an attack perimeter that needs to be monitored and protected automatically. And, even when you do the best possible job of removing vulnerabilities, there’s still the danger of zero-day attacks, unknown vulnerabilities, or even insider attacks.
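To make the registry and production point concrete, here is an added example (not from the article or from NeuVector) that re-evaluates images already stored as clean, and the workloads running them, against a vulnerability feed updated after the original scan; the digests, package names, versions and advisories are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    """A newly published advisory: pkg is vulnerable at versions below fixed_in."""
    pkg: str
    fixed_in: str
    severity: str


def parse_version(v: str) -> tuple:
    """'1.2.10' -> (1, 2, 10). Numeric tuples compare correctly; raw strings
    would rank '1.2.8' above '1.2.10' and silently miss a vulnerable image."""
    return tuple(int(part) for part in v.split("."))


def affected(installed: dict, advisories: list) -> list:
    """Advisories that apply to this image's installed package versions."""
    return [a for a in advisories
            if a.pkg in installed
            and parse_version(installed[a.pkg]) < parse_version(a.fixed_in)]


def rescan(registry: dict, workloads: dict, advisories: list,
           block_at=("critical", "high")):
    """registry:  {image_digest: {package: version}}  (images stored as 'clean')
    workloads: {workload_name: image_digest}          (what production runs)
    Returns images that need a rebuild and the workloads that must be redeployed."""
    rebuild = {}
    for digest, installed in registry.items():
        hits = [a for a in affected(installed, advisories) if a.severity in block_at]
        if hits:
            rebuild[digest] = sorted(a.pkg for a in hits)
    redeploy = sorted(name for name, digest in workloads.items() if digest in rebuild)
    return rebuild, redeploy


# Constructed sample data: hypothetical digests, packages and versions.
REGISTRY = {
    "sha256:img-api": {"libfoo": "1.2.3", "zlib": "1.2.11"},
    "sha256:img-web": {"libfoo": "1.3.0", "zlib": "1.2.8"},
    "sha256:img-job": {"zlib": "1.2.12"},
}
WORKLOADS = {"api-deploy": "sha256:img-api", "web-deploy": "sha256:img-web",
             "nightly-job": "sha256:img-job"}
# Feed update published after the images were scanned and stored as clean.
NEW_ADVISORIES = [
    Advisory("libfoo", fixed_in="1.2.9", severity="critical"),
    Advisory("zlib", fixed_in="1.2.10", severity="medium"),
]

if __name__ == "__main__":
    rebuild, redeploy = rescan(REGISTRY, WORKLOADS, NEW_ADVISORIES)
    print("rebuild:", rebuild)    # {'sha256:img-api': ['libfoo']}
    print("redeploy:", redeploy)  # ['api-deploy']
```

Run on a schedule or triggered by a feed update, the same check turns a one-time build scan into continuous coverage of both the registry and the running workloads.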

On the positive side, security strategy can be integrated and automated throughout the Kubernetes pipeline.


10 steps to securing the container lifecycle

Here are 10 specific ways DevOps teams can integrate and automate security across the full lifecycle of their Kubernetes pipeline:

[Figure: kubernetes security 02 (image credit: NeuVector)]

For more details:

Gary Duan is co-founder and CTO of NeuVector. He has over 15 years of experience in networking, security, cloud, and data center software. He was the architect of Fortinet’s award-winning DPI product and has managed development teams at vArmour, Fortinet, Cisco, and Altigen. His technology expertise includes IDS/IPS, OpenStack, NSX, and orchestration systems. He holds several patents in security and data center technology.