Professional Documents
Culture Documents
Going Beyond
Image Scanning
In theory at least, containerized applications
are more secure than previous generations of
applications. It’s a lot easier to rip and replace
containers that have encapsulated vulnerable
code, behave in a suspicious or malicious way
indicative of an active breach, or contain high-
risk misconfigurations, than it is to patch an entire
monolithic application. Containers are designed to
make it possible to build and deploy applications
and incremental updates more easily using
microservices that isolate specific functionality in
a modular fashion. In short, microservices make it
easier to rapidly discard a container and replace it
with a more secure version.
2
A recent survey of over 400 IT professionals who have Most common
experience working with containers and Kubernetes clusters Kubernetes container
67+33+S
finds a full 90% have dealt with some type of cybersecurity cyberscurity issues
incident involving containers. The most common issues
involved misconfigurations (67%), followed by an actual
major vulnerability (22%), runtime threats (17%) and failed
audit (16%).
22+78+S
organization adopts an emerging technology. A third of the
Misconfigurations
survey respondents (34%) said they have security concerns
related to their organization’s container strategy. Those
concerns are already having a major impact—nearly half of
22
respondents (44%) said they have had to delay deploying an
application due to security concerns. 22%
%
Organizations of all sizes are trying to address those
17+83+S
concerns proactively by shifting responsibility for Major vulnerabilities
application security toward developers, otherwise known as
DevSecOps, and implementing security controls spanning
the entire container life cycle, from build, to deploy, to
17%
17%
runtime.
16+84+S
vulnerabilities. We will then expand our discussion beyond Runtime incidents
image scanning and identify opportunities for you to
protect your containerized applications and infrastructure
throughout the software life cycle. 16%
16%
Note: this e-book assumes Kubernetes to be the container
orchestrator but many of the recommendations provided are
applicable to most container environments regardless of the
management tool being used. Failed audits
3
SECURING CONTAINER IMAGES
Beyond providing developers with tools to scan images for vulnerabilities, IT organizations also
need to secure the infrastructure entrusted to run those container images. As cybercriminals
become more familiar with container technologies, they are discovering that the most efficient
way to compromise containers is to attack the infrastructure on which they are deployed.
Cybercriminals are known to employ misconfigured Docker application programming interfaces
(APIs) to compromise entire hosts. Cybercriminals can then spin up whatever Docker container
images they like.
BEST PRACTICES FOR The first thing attack surface there is to defend.
SECURING CONTAINER IMAGES developers should be Smaller images are also less
Fortunately, a set of best made aware of is the likely to be impacted by zero-day
practices for securing container need to use secure vulnerabilities if and when they arise.
environments is now emerging. base images whenever possible. A Restricting the image to required
The best place to secure container secure base image provides some binaries, libraries and configuration
images will always be at the peace of mind because they are files is always a good idea.
point where they are created, automatically patched by the entity
which is why static and dynamic that created them. Most developers Development teams
image scanners are now being will employ a secure base image as should also take care
integrated with continuous the foundation for an application by to never bake in any
integration/continuous delivery layering additional images on top of secrets to images.
(CI/CD) platforms. The goal is to the base image. If the base image is Secrets include TLS certificate
make security checks a natural secure, it can make securing the rest keys, cloud provider credentials,
extension of the application of the application that much easier. SSH private keys and database
development process. Instead of passwords. Anyone who can pull the
throwing code “over the wall” for IT teams should also image can extract the secret. Making
cybersecurity teams to review, endeavor to keep sensitive data available only at
application developers are now the base images runtime enables developers to reuse
scanning for vulnerabilities as they they employ to a minimal size the same image in different runtime
write code and as that code is by removing non-essential environments, while still being able
committed to a CI/CD platform. components. Package managers, to update expired or revoked secrets
Once that code is deployed in a networking tools, shells, debuggers without having to reconstruct the
runtime environment, it should be and other application development image. Most organizations manage
subjected to additional periodic tools should never be included secrets via a pod in their Kubernetes
scans to ensure the environment in a production environment. The cluster or a dedicated secret
remains secure. smaller the base image, the less management system.
4
Establishing a comprehensive That approach makes it possible to
DevSecOps workflow for container ensure whatever container images
application is essential. The that are reused have been scanned
challenge is not only making for vulnerabilities and are compliant
sure those workflows are applied with all application regulatory
consistently, but also educating requirements.
developers on why a build failed
because of an unaddressed Each time a container
security issue. image is updated
it should also be
CONTAINER REPOSITORIES automatically
MATTER scanned for known
Developers pull vulnerabilities. At a minimum, each
container images container image should be scanned
from both public and at least every 90 days. Organizations
private repositories, will have to decide for themselves
also known as registries, all the how much risk is associated with
time. The most widely employed each vulnerability discovered.
public repository is Docker Hub. DevSecOps teams should have
However, only a small percentage access to information describing the
of the container images available severity of the vulnerability as well
on any public repository have been as contextual information describing
validated; therefore, organizations how the vulnerabilities may impact
need to be aggressive in inspecting their production environment,
container images pulled from including the different versions and
any public repository. It’s not distributions of Kubernetes clusters.
uncommon for container images The latest version of Kubernetes
on a public repository to have at is 1.19, and some organizations
least one or more known major have clusters running versions of
vulnerabilities, often because they Kubernetes as old or older than
were constructed with outdated 1.11. There are also more than 100
software modules. certified distributions of Kubernetes,
each of which have their own
IT teams would be well- unique configurations.
advised to standardize
on a single container Vulnerability assessment tools
registry through need to be able to pinpoint where a
which they can apply security and vulnerability lies along with specific
compliance controls consistently. recommendations for remediation.
5
HARDENING THE DEPLOYMENT
Once you’ve built your images, the next step is to deploy them. To achieve security in the
deployment phase, you need to understand and manage risk factors including those posed by
the contents of the images being deployed and the configuration of individual containerized
workloads.
While default orchestrator and container engine settings provide a reasonable level of
security in some areas, other settings require specific configurations to lock them down. The
right container security solution should not only display violations of standard policies, but
also provide the DevOps team with recommended changes to quickly correct unnecessary
risks or misconfigurations.
• How it’s deployed (including user identity, privilege Within a cluster, sensitive
level, and other configurations). workloads should also be
separated logically and
physically. Different groups of
• What it can access (including secrets, volumes, and applications, and services with
other infrastructure components such as the host or different security needs, should be
orchestrator API). deployed in separate namespaces
as a first level of isolation. The most
• Whether it complies with your policies and security sensitive workloads should run
requirements. on dedicated nodes so that less
trusted workloads are not able to
affect their operation.
6
BEST PRACTICES FOR HARDENING
THE DEPLOYMENT
7
BEST PRACTICES FOR HARDENING
THE DEPLOYMENT
ASSESS IMAGE PROVENANCE,
ASSESS PRIVILEGES USED INCLUDING REGISTRIES AND
BY CONTAINERS OTHER ATTRIBUTES
The capabilities, user identity, and privileges It’s highly recommended for your teams to know
granted to container processes can allow or block where the code in your environment was deployed
many security attack vectors, and you should from and implement controls that prevent
examine these settings to minimize risk. deployment from untrusted sources or registries.
8
BEST PRACTICES FOR HARDENING
THE DEPLOYMENT
IMPLEMENT CHECKS TO DETECT AUTOMATICALLY NOTIFY APPROPRIATE
COMMON CONFIGURATION TEAMS BASE ON DEPLOYMENT
PROBLEMS METADATA
CHECK-SQUARE High-severity vulnerabilities. Many organizations annotate deployments with
CHECK-SQUARE Image scan age and other best practices. the name, email alias, or Slack channel of the team
responsible for an application. You should be able
CHECK-SQUARE Abnormal privilege levels. to use this metadata effectively to prevent security
CHECK-SQUARE Security-relevant image components, teams from having to manually triage and forward
including package managers and download alerts and findings.
tools.
CHECK-SQUARE Key vectors for adversary persistence attempts,
such as sensitive host directory mounts.
CHECK-SQUARE Common bad practices, such as distributing BLOCK DEPLOYMENTS THAT FAIL
secrets in environment variables. CRITICAL CHECKS
Configuration options evolve over time and The best way to ensure ongoing compliance with
may require significant research to develop policies is to prevent noncompliant workloads from
appropriately specific and understandable being deployed.
policies. Look for out-of-the-box policies in your
security platform to help your team initiate its
security efforts. A solid base of pre-built policies
allows your team to instead focus on building
custom policies in areas they know best: your
applications and practices.
9
SECURING RUNNING CONTAINERS
The goal of the security controls instituted earlier in the life cycles, and described above, is to
minimize risk and prevent attacks, but a successful container security program must also detect
and respond to issues as containers run.
Container image and application deployment formats allow developers to better specify
their intent and enable easier introspection into what’s deployed. Effective container security
solutions must take into account the context accumulated during the Build and Deploy
phases of the container life cycle to deliver more effective and accurate runtime detection.
10
BEST PRACTICES FOR PROTECTING
RUNTIME CONTAINERS
MONITOR RUNNING GET VISIBILITY INTO ACTIVE
DEPLOYMENTS FOR NEWLY NETWORK TRAFFIC BETWEEN
DISCOVERED VULNERABILITIES ORCHESTRATED MICROSERVICES
Vulnerability data on running — PREFERABLY ORGANIZED BY
containers must be continually CLUSTER, NAMESPACE, AND
updated rather than relying on a single image DEPLOYMENT
vulnerability scan at a particular time. New Microservices and containerized applications
vulnerabilities may be disclosed publicly after typically make extensive use of cluster networking
deployment, so images need to be periodically to cooperate with other services. Active network
rescanned, and any new results need to be included traffic is a key way to understand how applications
in the risk assessment for the deployment. are interacting and spot unexpected contact.
11
BEST PRACTICES FOR PROTECTING
RUNTIME CONTAINERS
IMPLEMENT RUNTIME DETECTION AUTOMATICALLY ALERT EXTERNAL
POLICIES FOR ATTEMPTED OR SYSTEMS (E.G., EMAIL, PAGERDUTY,
SUCCESSFUL: SLACK, GOOGLE CLOUD SCC AND
SIEM SYSTEMS) WHEN A POLICY IS
CHECK-SQUARE Privilege escalation.
VIOLATED
CHECK-SQUARE Network reconnaissance.
CHECK-SQUARE Package installation. You should immediately alert the right responders
once an attack is detected and the recommended
CHECK-SQUARE Cryptocurrency mininig. response should be based on the severity of the
CHECK-SQUARE Modification of host configuration. policy violation.
CHECK-SQUARE Execution of reverse shells or other remote
access tools.
CHECK-SQUARE Data exfiltration.
12
THE KUBERNETES INFRASTRUCTURE
To understand how to effectively secure your Kubernetes infrastructure, it is informative to
understand the architecture of Kubernetes itself as well as where and how to focus efforts on
valuable mitigations, especially those which require administrator or user configuration when
provisioning clusters. Kubernetes is a robust yet complex infrastructure system for container
orchestration, with multiple components that must be adequately protected.
Each Kubernetes cluster consists of two sets of components: (1) the control plane which
is used to manage operations throughout the cluster, and (2) the cluster’s worker nodes
which run containerized applications in pods. Also, to achieve high availability and resiliency,
especially for production cluster environments, both sets of components can be deployed
across multiple machines that form a cluster.
CLOUD
KUBE- CLOUD-
CONTROLLER CONTROLLER
MANAGER MANAGER
13
SECURING KUBERNETES
CONTROL PLANE COMPONENTS
Considering that the Kubernetes control plane is designed to make global decisions regarding
a cluster’s operations, compromise of control plane components could easily result in complete
compromise of a cluster. Therefore, a critical starting point for any effort to secure Kubernetes is
to initially focus on protecting its control plane services.
The Kubernetes control plane includes the following components listed below, along with
recommended steps you can take to increase security for each component.
14
KUBE-SCHEDULER
This is the control plane component that handles scheduling of pods on worker nodes based
on resource availability; requirements, and allocation; affinity/anti-affinity, taints/tolerations
requests, and other policy constraints.
File permissions on the kube-scheduler pod specification and kubeconfig files should be restricted, and the
service should be configured to only serve HTTPS. Additionally, the service should be bound to a localhost
interface since it exposes health and metrics information which, by default, do not require authentication or
encryption. Communication with the API server should be done using the secured port, in addition to requiring
controls for authentication and authorization.
KUBE-CONTROLLER-MANAGER CLOUD-CONTROLLER-MANAGER
This control plane component runs This control plane component runs
processes that regulate, maintain processes that manage cluster
and adjust the state of things such dependencies in cloud provider
as nodes, pod replicas, services, environments for functions such as
and services accounts and access node termination, route setup and
tokens. load balancing.
15
SECURING KUBERNETES
NODE COMPONENTS
Each Kubernetes node runs the following components:
KUBELET KUBE-PROXY
This node component is the This node component is the primary
primary node agent that manages node agent that manages individual
individual containers running in containers running in pods and their
pods and their state based on state based on PodSpecs passed
PodSpecs passed via the Kubernetes API server, or via the Kubernetes API server, or as
as a file with the kubectl command line tool. a file with the kubectl command line tool.
Vulnerabilities related to the kubelet have been Vulnerabilities related to the kubelet have been
and continue to be disclosed — these should and continue to be disclosed — these should
be addressed by upgrading kubelet versions, be addressed by upgrading kubelet versions,
applying available patches, and/or taking steps to applying available patches, and/or taking steps to
mitigate the particular threat vector. mitigate the particular threat vector.
Limiting access to the kubelet with strong Limiting access to the kubelet with strong
authentication and authorization is necessary authentication and authorization is necessary
because its HTTPS endpoints expose APIs because its HTTPS endpoints expose APIs
that grant certain privileges on the node and that grant certain privileges on the node and
containers. By default, access is unauthenticated. containers. By default, access is unauthenticated.
CONTAINER RUNTME
This component enables the functionality required to start, run and manage containers on a
given node, such as communicating with the kernel, setting up cgroups, etc. Some examples of
runtimes supported by Kubernetes include: Docker, CRI-O and containerd.
The container runtime is what executes containers and, therefore, appropriate steps and security best practices
should be taken to harden it. See here for recommendations on securing Docker containers
16
SUMMARY
A foundational aspect of securing
your containers is to focus on the
earliest security gaps that can
arise at the build stage. And while
vulnerability scanning is one of
the most critical early steps you
should take to secure containers,
the security mission doesn’t stop
there. Securing containerized
applications from the time they’re
built until they’re deployed and
running as Kubernetes applications
requires a comprehensive security
program covering the entire software
life cycle and the underlying
infrastructure, too. Your security
tooling and workflows must be
adapted to fit how DevOps operate
so that security doesn’t become a
business inhibitor.
17
Ready to see StackRox in action?
Get a personalized demo tailored for your business,
environment, and needs.
http://www.devops.com
https://twitter.com/devopsdotcom
https://www.facebook.com/devopscom