yoshitaka272 - Fotolia
New Kubernetes security tools abound as container deployments grow
As Kubernetes use expands in production, enterprises have a number of IT security tools to choose from for centralized, policy-based control over container clusters.
Emerging Kubernetes security tools focus security operations at higher layers of the IT stack, as the container orchestration platform grows into a production staple for mainstream enterprises.
Approaches to Kubernetes security vary among these tools -- one newcomer, Octarine, piggybacks on the Envoy proxy and Istio service mesh to monitor container infrastructure for threats and enforce security policy, while an existing container security startup, NeuVector, plugs policy-as-code tools into the CI/CD pipeline. Another tool from managed Kubernetes player Fairwinds combines security and IT performance and reliability monitoring with a multi-cluster dashboard view.
What they all have in common is their emergence as enterprises look for centralized points of Kubernetes security control over an entire environment, in addition to tools that operate at the individual container or application workload level.
"Looking at the container workload is great, but if you don't have a sense of everything that's running within your Kubernetes ecosystem and how it's communicating, it's very easy for rogue deployments to slip in when you have hundreds of namespaces and thousands of pods," said Trevor Bossert, manager of DevOps at Primer AI, a data analytics firm in San Francisco which began using Octarine's Kubernetes security software six months ago. "This will let you know when [cluster configurations] are violating policies, like if they're public by default when they're not supposed to be."
Octarine rides along in service mesh sidecar
Octarine, based in Sunnyvale, Calif., came out of stealth last month with a service mesh-based approach to Kubernetes security. The company claims that installing its software on the Envoy service mesh proxy gives users a clearer picture of the Kubernetes orchestration layer than tools that monitor the infrastructure from privileged containers on hosts. Placing security monitoring and enforcement inside Envoy lets Octarine see whether container workloads are exposed to the internet, how secrets are exposed to container workloads and monitor east-west traffic more effectively, according to Octarine CTO and co-founder Haim Helman.
Envoy is often associated with the Istio service mesh, which has its own security features, but Octarine doesn't replace those features, which include the enforcement of role-based access control and mutual TLS encryption. Instead, Octarine collects security telemetry and identifies anomalies and threats with its Octarine Runtime module, and manages Kubernetes security policy-as-code with a tool it calls Guardrails. It can feed security monitoring information into Istio's control plane if a user already has it, or run its own service mesh control plane if the user doesn't have Istio in place.
There are other ways to create and enforce Kubernetes policy-as-code, among them the open source Open Policy Agent (OPA) that rose in popularity among large organizations in 2019, but midsize companies with smaller teams may find Octarine's policy-as-code features easier to use.
"Not having to craft all policies from scratch, being able to [let] Octarine observe the traffic and providing the best policy, is less time-consuming and involves less duplication of work, especially for a smaller team like ours," said Primer AI's Bossert.
Running Octarine on Envoy offloads some of the resource requirements from the container host, and managing mTLS encryption and policy-as-code together through Istio is also convenient, he said.
Larger organizations such as the U.S. Air Force will also keep an eye on Octarine as it matures, as OPA has been unwieldy to use so far, but would most like to use a Kubernetes policy as code tool that isn't tied to a particular service mesh.
"You can end up with massive lock-in if you abstract teams from the infrastructure, but then couple [security policy] tightly with a mesh again," said Nicolas Chaillan, chief software officer for the military branch, which has deployed Istio in production but plans to evaluate other service meshes, including Linkerd.
NeuVector loops in CRDs for Kubernetes security
NeuVector released a Kubernetes security policy-as-code tool that moved it up the stack last month, which deploys Kubernetes Custom Resource Definitions (CRDs) that are version-controlled and tested within a CI/CD pipeline instead of a service mesh. The company, which began as a container runtime scanning tool, also added network-based data loss prevention (DLP) features and multi-cluster management in version 3.0 in March.
Sean McCormickVice president of engineering, Element Analytics
Like Octarine, NeuVector can observe normal container behavior on a Kubernetes cluster network and define appropriate application behavior instead of requiring that users create policy from scratch. But for users interested in OPA, NeuVector's tool can import OPA-based policy-as-code data into CRDs as well.
"With an engineering team of 20 people it's hard to pull in new things like service mesh," said NeuVector user Sean McCormick, vice president of engineering at Element Analytics, an industrial data analytics firm in San Francisco. "Being able to export security rules is also nice, so you don't have to spend a week learning rules in a new place."
McCormick also plans to evaluate NeuVector's DLP features, and would like to see the vendor expand further to offer a web application firewall and application code security analysis.
"There are way too many security tools," he said. "A lot of tools cover just one aspect of security management, and just figuring out how all the pieces fit together is a hassle. In about three to five years, I think we'll see consolidation in the market and more complete [products]."
Fairwinds tackles Kubernetes security fundamentals
Another container management vendor that looks to expand its influence in the Kubernetes security realm is Fairwinds, a managed Kubernetes service provider in Boston. Fairwinds, formerly ReactiveOps, originally specialized in fully managed Kubernetes clusters, but launched Kubernetes management tools customers can use on their own beginning with the Polaris Kubernetes distro and Goldilocks resource request optimization tool in July. Last month, it added Fairwinds Insights, which displays Kubernetes security monitoring data alongside performance and reliability feedback. Fairwinds Insights also presents ranked remediation recommendations that include YAML code users can copy and paste to shore up vulnerabilities. The tool will also pull in and orchestrate third-party Kubernetes security utilities such as Aqua's kube-hunter.
Fairwinds Insights is not as in-depth a tool as OPA or full-blown policy-as-code, but it could help smaller shops move from Kubernetes clusters fully managed by the vendor to self-managed environments, while maintaining security best practices.
For companies such as Philadelphia-based Sidecar, a marketing and advertising software firm, Fairwinds Insights will cover the most crucial Kubernetes security management requirements at a cluster-wide level while the IT team hones its container management skills.
"A tool at the network infrastructure level gets past the most immediate security concerns, such as locking down public access to clusters and configuring AWS load-balancers," said Dominic O'Kane, manager of cloud engineering at Sidecar, which also uses Fairwinds' managed services. "Then we can take on more fine-grained tools that look at individual applications and containers."