Implement Kubernetes security in Microsoft Sentinel using a mix of old and new methods.
Microsoft Kubernetes Service (MKS) and Container Registries have been some of the fastest-growing cloud services in Microsoft. This is because of how scalable and flexible Kubernetes is for software developers. With Kubernetes entering IT environments at this rate, it is important for security admins and analysts to understand what it is so that they can secure it.
In this blog, we will go over what information security professionals need to know about Kubernetes to begin securing it. By breaking a complex topic like this into understandable parts, information security professionals can apply their experience with similar technologies, alongside the new Kubernetes-specific ones, to address security concerns.
Kubernetes Hierarchy
Before starting work with Kubernetes, an information security professional should take time to get familiar with the components of the Kubernetes hierarchy. The example image below is a logical diagram that shows what the hierarchy looks like with all the components labeled.
An information security professional working with Kubernetes should look up what each of these components does in the hierarchy. Once the roles are clear, they can begin designing security solutions around the identified roles.
Understand Container Images
One of the defining features of Kubernetes is the flexibility offered by using container images to host applications. Software developers can edit their container images to optimize the performance of the apps that the container will be hosting.
If an information security professional takes time to understand what is going on inside a container image, they can improve security in the same way that they would when improving security on device images. Although containers operate differently than virtual machines, the same security fundamentals can be applied to both when designing their images.
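The paragraph above says the same fundamentals used for server or device images (run as an unprivileged account, keep the filesystem immutable, grant no capabilities that the workload does not need, deploy only what was actually scanned) carry over to containers. The Pod spec below is an added example written for this post, not code from the original article or from Microsoft; every name, namespace, image reference and port in it is hypothetical, and the digest is a placeholder to be replaced with the digest of the image that passed scanning.

```yaml
# Added example: a Pod spec that applies server-image hardening fundamentals
# to a container. All names, the namespace and the image are hypothetical.
apiVersion: v1
kind: Pod
metadata:
  name: web-frontend          # hypothetical name
  namespace: shop             # hypothetical namespace
  labels:
    app: web
spec:
  # The app has no reason to call the Kubernetes API, so do not hand it a token.
  automountServiceAccountToken: false
  securityContext:
    runAsNonRoot: true        # same rule as "no services run as root" on a server image
    runAsUser: 10001
    runAsGroup: 10001
    seccompProfile:
      type: RuntimeDefault    # default syscall filter from the container runtime
  containers:
    - name: web
      # Pin by digest (placeholder) so the running container is exactly the
      # image that was scanned, rather than whatever a mutable tag resolves to.
      image: "registry.example.com/shop/web@sha256:<digest-of-scanned-image>"
      ports:
        - containerPort: 8080
      securityContext:
        allowPrivilegeEscalation: false
        readOnlyRootFilesystem: true      # immutable filesystem, like a locked-down image
        capabilities:
          drop: ["ALL"]                   # grant nothing beyond what the process needs
      volumeMounts:
        - name: tmp                       # the only writable location the app gets
          mountPath: /tmp
      resources:
        limits:
          cpu: "500m"
          memory: "256Mi"
  volumes:
    - name: tmp
      emptyDir: {}
```

If the application genuinely needs a writable path, a specific capability, or an API token, add exactly that and nothing more; each line that relaxes this spec is a decision the software development team and the security team should be able to justify together.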
Apply Server Security Fundamentals
Kubernetes provides a more flexible way to manage a group of logically similar infrastructure or software such as web servers. Information security professionals can use this simplification to apply concepts they already know about securing groups of servers.
Some examples of these known concepts include creating groups based on roles and segmenting the Kubernetes components based on which other components they need to communicate with to do their job.
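The two concepts named above map directly onto Kubernetes objects: "groups based on roles" is Kubernetes RBAC (a Role bound to a group from the cluster's identity provider), and "segmenting components based on who they need to talk to" is a NetworkPolicy. The manifests below are an added example written for this post, not code from the original article or from Microsoft; the namespace, group name, labels and ports are hypothetical, and they assume a web tier that is reached only through an ingress controller and talks only to an API tier and DNS.

```yaml
# Added example: role-based access plus network segmentation for one namespace.
# All names, labels, ports and the group name are hypothetical.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: shop
  name: web-deployer
rules:
  # Enough to roll out a new image of the web deployment, nothing cluster-wide.
  - apiGroups: ["apps"]
    resources: ["deployments"]
    verbs: ["get", "list", "watch", "update", "patch"]
  - apiGroups: [""]
    resources: ["pods", "pods/log"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  namespace: shop
  name: web-team-deployers
subjects:
  - kind: Group
    name: web-team            # group name as presented by the cluster's identity provider
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: web-deployer
  apiGroup: rbac.authorization.k8s.io
---
# Default deny: no pod in the namespace may send or receive until a policy allows it.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  namespace: shop
  name: default-deny
spec:
  podSelector: {}
  policyTypes: ["Ingress", "Egress"]
---
# Web tier: accept traffic only from the ingress controller namespace,
# send only to the API tier and to cluster DNS.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  namespace: shop
  name: web-segmentation
spec:
  podSelector:
    matchLabels:
      app: web
  policyTypes: ["Ingress", "Egress"]
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: ingress-nginx   # hypothetical ingress namespace
      ports:
        - port: 8080
  egress:
    - to:
        - podSelector:
            matchLabels:
              app: api
      ports:
        - port: 9090
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
      ports:
        - port: 53
          protocol: UDP
```

NetworkPolicy objects are only enforced when the cluster's network plugin supports them, so the first check a security team should make is whether policy enforcement is actually enabled on the cluster; a policy that is accepted by the API server but ignored by the network plugin gives a false sense of segmentation.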
Select a Scanning Solution
Even though Kubernetes nodes run Linux, a scanner designed for a traditional Linux server will not be sufficient for the security issues that are specific to Kubernetes. Another scanning solution will need to be selected to address Kubernetes-specific security issues.
An example of one of these solutions would be Microsoft Defender for Cloud’s container scanner. It goes through the container images stored in the container registry to find potential vulnerabilities. Once it identifies those vulnerabilities, information security professionals can work with the software development team to address them.
Use the MITRE Kubernetes Threat Matrix
Microsoft has released an updated version of its Kubernetes Threat Matrix, which outlines vulnerabilities using MITRE-style threat modeling. It includes a diagram that outlines existing vulnerabilities and discusses the most recent vulnerabilities Microsoft has discovered since the last edition.
Information security professionals can use the Kubernetes Threat Matrix to help with threat modeling in their own organization and with addressing potential security concerns with software developers working with Kubernetes.
We will continue to share best practices and lessons learned in future posts on Kubernetes security in customer environments. Information security professionals at CyberMSI are constantly striving to stay on top of new and evolving technologies like Kubernetes.
In closing, consider these three questions when securing Kubernetes in your organization:
- Is your SecOps team knowledgeable about Kubernetes security?
- How can we organize security and software development cross training to ensure that software hosted in Kubernetes can be secured?
- Do we need to update our SDLC security policy and training to reflect the evolving software development landscape?