Denys Rudyi - Fotolia
Kubernetes security is a challenge even for large companies with in-house expertise, but smaller firms new to DevSecOps often must seek outside sources of knowledge about cloud-native security.
Free, open source Kubernetes security utilities that assess the configuration of container clusters and alert users to common vulnerabilities are available from Google Kubernetes Engine and Aqua, along with the emerging Open Policy Agent for advanced policy-as-code enforcement. But one DevOps pro said he prefers Tel Aviv-based startup Alcide's software -- a combination of UI-driven security advice and proprietary microservices firewall policy enforcement -- to jump-start his company's DevSecOps efforts.
"There was a lot of work, and developers don't really think about security as their first priority," said Einav Friedman, DevOps engineer at Reali Inc., headquartered in San Mateo, Calif. He said there "were a lot of open issues" when he first joined the online real estate firm two months ago. "When you have a product that's already [shipping], looking at an open source project is nice. But if I've got a solution already ready for me that can give me benefits right now, that's the first thing that I'll go for."
While it wasn't free like many open source tools, Alcide's tool also wasn't terribly expensive for a company with fewer than 200 employees, about 30 of whom are developers. Friedman estimated Alcide coverage for a five-node production Kubernetes cluster in Amazon Elastic Kubernetes Service (EKS) costs his firm about $1,000 a month so far.
The Alcide Security Platform consists of a microservices firewall and anomaly detection software, along with cloud and Kubernetes discovery tools. But the standout part of the product for Friedman is its Advisor, which establishes a baseline cluster configuration profile, advises users on Kubernetes security best practices for its design, then detects deviations from that profile in future deployments to ensure security policies are followed.
"The same link that I have to a problem also comes with recommendations on how to solve it" in the Alcide Advisor interface, Friedman said. "In a few minutes, it identified critical issues regarding old AMI [Amazon Machine Images] that we were using, with a link to Kubernetes documentation and suggestions about how to use it."
The Alcide tool also identified places Kubernetes secrets weren't encrypted in production and prompted the firm to adopt AWS Secrets Manager to cover that gap. Alcide also applies blacklist policies by default against known malicious sites so Reali's application services can't access them.
Kubernetes security and DevSecOps still a work in progress
Reali's evaluation process for a Kubernetes security tool wasn't lengthy, Friedman admitted. The firm considered a number of Kubernetes security products, but only did a proof of concept with Alcide because Friedman liked its focus on Kubernetes cluster policies, rather than individual container security. Friedman began a proof of concept in April 2019 and began to put Alcide into production in mid-June.
Einav FriedmanDevOps engineer at Reali Inc.
"It will take a while before we're very mature," Friedman said. "There's also a set of processes that need to be learned, and that will take a while."
For example, Friedman has set up a sandbox environment for Reali developers to learn how to create AWS Identity and Access Management roles within Kubernetes clusters for application services instead of user identities. He said he also plans to put Advisor into the development environment so developers can see security issues before code is pushed to production.
Reali engineers must also learn how to customize policies within Alcide, which the tool can support, but requires the firm to come to a consensus on custom policies and learn how to translate them into YAML to be applied to Kubernetes clusters. Ultimately, Friedman said he'd like to see Kubernetes security enforcement become a native feature of Amazon EKS instead of the domain of third-party tools.
"Managed cloud services are usually the easiest way to use features, and the price is usually lower than a separately licensed platform," he said. "The whole world is going to Kubernetes. Security is a necessity, and it's just a matter of time until cloud providers protect Kubernetes natively."
Alcide has a partnership with Amazon EKS, and it also supports managed Kubernetes services from Microsoft Azure and Google, along with clusters built using Kops, kubeadm and other open source tools, through its API.
The privately funded company was founded in 2015 and faces a volatile sea of Kubernetes and microservices security competition, but its focus on Kubernetes platform security instead of individual containers taps into a growing trend as mainstream companies adopt the container orchestration platform, according to analysts.
"The experience of [Reali] isn't unusual -- people are jumping into these technologies and do need help," said Fernando Montenegro, analyst at 451 Research. "These are people who just want to get stuff done, but make sure they're secure to begin with."