Professional Documents
Culture Documents
Kubernetes:
The Good, The Bad
& The Misconfigured
How to eliminate Kubernetes misconfigurations to
reduce risk and improve reliability and cloud efficiency
DATASHEET // DATADOG & FAIRWINDS
KUBERNETES: INSIGHTS:
THE GOOD, DATASHEET
THE BADA &POWERFUL
THE COMBINATION
MISCONFIGURED // 2
TABLE OF CONTENTS
Introduction.............................................................................. 3
Misconfigurations Minimized.................................................... 8
DATASHEET // DATADOG & FAIRWINDS INSIGHTS:
THE BADA &POWERFUL COMBINATION
KUBERNETES: THE GOOD, THE MISCONFIGURED // 3
INTRODUCTION
Although security is often the most pressing topic in Kubernetes,
it is inextricably linked to issues of efficiency and reliability. To run
Kubernetes effectively and successfully, organizations must work
with intention, as workloads are not secure, reliable or efficient by
default. While Kubernetes provides some level of self-healing when
things go wrong, applications require the proper settings to work
correctly and to take full advantage of the built-in capabilities in
the underlying Kubernetes platform.
35%
organizations have found steady footing with proper configuration of their
Kubernetes environment, nor are they even half way there. For example, only
35% of organizations have correctly configured most (>90%) of their workloads
of organizations have with liveness and readiness probes. These probes provide a way for Kubernetes
correctly configured to understand whether an application is alive and ready to serve traffic—and
most (>90%) of their take remedial actions if not. As a result, not having these probes in place can
lead to serious reliability problems.
workloads with liveness
and readiness probes. It is well known that Kubernetes can automatically scale resources up or down
in response to varying workload demand. Indeed, this is one of the primary
features of the platform. What is less well known is the fact that containers have
built-in configuration settings for determining the amount of CPU and memory
42%
resources they use (via resource requests and limits). These settings in essence
override some of the auto scaling capabilities of the underlying platform and can
therefore lead to under provisioning of the workloads. While under provisioning
of organizations today can cause performance issues, overprovisioning can lead to potentially dramatic
manage to lock down inefficiency and cost overruns.
most of their workloads. Furthermore, minor misconfigurations can produce major security holes if they
are not found and addressed. For example, a common vulnerability is containers
running with more security permissions than required, e.g., root-level access.
Under particular configurations, a container may escalate its own privileges.
54%
are leaving over half
Because configurations are not established by default, security-conscious teams
need to explicitly set them.
Only about 42% of organizations today manage to lock down most of their
workloads, while some 54% are leaving over half their workloads open to
their workloads open to
privilege escalation—and thus, security holes.1 Problems with configuration can
privilege escalation—
become increasingly painful over time, as they consume considerable resources
and thus, security holes. to fix. What, at first, feels like a few little issues to fix, quickly morphs into full-
blown Kubernetes chaos in the form of security vulnerabilities, wasted resources
and reliability concerns.
is basically impossible. The beauty of Kubernetes is its customization—but that customization can
cause risk, downtime or wasted resources. The bottom line is proper Kubernetes
configuration is vital to the success of cloud native adoption. Without it,
improving application security, reliability and efficiency is basically impossible.
Human error is the most cited cause of security breaches. When developer-
friendly (unsecure) default configurations are combined with human oversight,
container security lies in the balance. Moreover, configuration management
poses a unique challenge for Kubernetes users because it requires more
consideration. While many tools are available for vulnerability scanning of
container images, proper configuration and oversight demands careful handling.
Even though practitioners may understand the need to avoid deploying the
Kubernetes dashboard, configuring a pod’s security content, or implementing
RBAC are other examples of the challenging setting these teams are facing.
DATASHEET // DATADOG & FAIRWINDS INSIGHTS:
THE BADA&POWERFUL COMBINATION
KUBERNETES: THE GOOD, THE MISCONFIGURED // 6
Although the world of cloud native technologies and Kubernetes is still relatively
new, the core business challenge remains the same. Organizations must figure
out how to accelerate development speed while also maintaining robust security
practices. These two business objectives are still vying for equal attention in the
container space.
Gaining visibility into application resource usage can help teams better
understand how their application performs with different CPU and memory
settings. These can then be adjusted to improve app performance or to increase
the efficiency of Kubernetes compute resources, ultimately helping organizations
save money in the cloud and capacity in their data centers.
Workload configuration, typically made in YAML files and Helm charts, affect
the security and reliability of services, as well as the efficiency of workloads in
a cluster. There are numerous factors to consider when assembling a stable and
reliable Kubernetes cluster, including the potential need for application changes
and alterations to cluster configuration. These considerations include things like
setting resource requests and limits, autoscaling pods with the right metrics and
using liveness and readiness probes.
MISCONFIGURATIONS MINIMIZED
The answer to how misconfigurations can be minimized is multi-faceted one.
Large organizations will find it is nearly impossible to manually check each
security configuration and assess its risk. Because Kubernetes defaults tend to
be inherently open and unsecure, it is important to avoid using these default
settings until all security implications—and how they impact the overall risk
tolerance—are clearly understood.
WWW.FAIRWINDS.COM