Kubernetes Security Predictions for 2020: Misconfigurations, Regulations, and the Service Mesh

By Haim Helman

2019 was a big year for Kubernetes, with growing adoption, large events (like KubeCon NA 2019) and multiple important releases.

One thing that was a key concern in 2019 and will remain one in 2020 is security. This is not simply a matter of making sure that Kubernetes as a platform is secure, or that organizations do more than basic image scanning. It is a higher-level concern about how cloud native deployments on Kubernetes fit into an organization's overall IT strategy, especially as it relates to compliance and regulatory requirements.

As Kubernetes is increasingly used for production workloads in mission critical environments, there is going to be a growing focus in 2020 on making sure those deployments properly conform to the required compliance regimes.

For example, currently the Payment Card Industry Data Security Standard (PCI-DSS) does not have any specific language about how security should be configured inside of a cluster. PCI-DSS is a critical security standard for making sure that the environments that handle payments employ best practices and security controls to help reduce the risk of fraud and data breaches. Similarly in the healthcare industry, the Health Insurance Portability and Accountability Act (HIPAA) has yet to define specific requirements for cloud native deployments.

In both those cases, the current standards look only at the perimeter. While that’s important, so too is what goes on inside the perimeter, within each cluster. 

In 2020, expect to see more scrutiny from regulators and auditors alike for cloud native deployments that should be covered by PCI-DSS and HIPAA.

Istio and Service Mesh Will Be Big 

If you thought 2019 was a big year for service mesh, just wait to see what happens in 2020. At Octarine, we expect that for Istio and service mesh in general, 2020 is going to be a critical year.

We really believe in service mesh and think it’s going to be very big. The efforts made by Google and the broader Istio community into making Istio more accessible and easier to deploy will pay dividends in 2020. 

The growth of Istio in 2020 will also have a broad impact on runtime security in Kubernetes as organizations embrace service mesh concepts: the mesh gives every workload a cryptographic identity, enforces mutual TLS between services, and applies authorization policy and telemetry at the sidecar rather than in each application.

Misconfigurations Litter the Cloud Native Threat Landscape

Looking forward to 2020, the threat landscape for cloud native has no shortage of risks and attack vectors – though one vector stands above all others.

Misconfiguration is by far the most common vector, the easiest to exploit, and it is everywhere. Administrators also routinely grant users and service accounts far more privilege than they need (binding them to cluster-admin, for example), a misconfiguration that can have disastrous consequences.

While some misconfigurations make the news (like Tesla's Kubernetes dashboard being exposed without a password), others do not. Often the reason a Kubernetes misconfiguration has not made headlines is that the affected deployment was not running mission critical or sensitive workloads. As organizations increasingly move their top tier workloads to Kubernetes, the impact of misconfigurations will become more pronounced in 2020.

2020 will be another big year for Kubernetes, of that there is little doubt. 

The popularity of Kubernetes will also undoubtedly attract new interest from attackers looking to exploit it to penetrate and attack its users. As organizations move beyond basic adoption in test and dev use cases, there is a real need to apply the right controls and best practices to reduce risk.

A first step toward understanding the security profile of your Kubernetes clusters is to try kube-scan. It analyzes over 30 security settings (privilege levels, capabilities, Kubernetes policies, and so on), establishes a risk baseline, and evaluates how these settings work in tandem, so that you can see which combinations increase or decrease the level of risk.

For example, local access risks (a privileged container, a container running as root) combined with remote access risks (a listening port, no Kubernetes ingress policy, and so on) become far more serious when the service is exposed to the Internet through a load balancer, a host port, or a shared host network. kube-scan also takes into account the ease of exploitation and the impact and scope of an exploit, similar to the Common Vulnerability Scoring System (CVSS).
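The "combinations matter" idea above, as an added example that is not kube-scan's code: the four local checks, four remote checks, their weights and the multiplicative 0 to 10 formula below are assumptions for illustration and do not reproduce kube-scan's real scoring model. The sample Pod, Service and NetworkPolicy manifests are constructed Python dicts in Kubernetes JSON shape, so the script runs offline without a YAML library or a cluster.

```python
"""Toy scorer showing how local-privilege and remote-exposure settings combine.

Added example for this article: it is NOT kube-scan's code, and the checks and
weights are illustrative assumptions, not kube-scan's real model. Manifests are
plain dicts in Kubernetes JSON shape so the script runs offline without PyYAML.
"""

# Capabilities that give a container an easy path to the node (assumed list).
DANGEROUS_CAPS = {"ALL", "SYS_ADMIN", "NET_ADMIN", "SYS_PTRACE", "SYS_MODULE"}
LOCAL_MAX, REMOTE_MAX = 9, 8  # caps so a multi-container pod cannot exceed 10


def _selects(match_labels, labels):
    """matchLabels semantics: every selector pair must be present on the object;
    an empty selector matches every pod in the namespace."""
    return all(labels.get(k) == v for k, v in match_labels.items())


def _ns(obj):
    return obj["metadata"].get("namespace", "default")


def local_factors(pod):
    """Settings that make escalation easy once an attacker runs code in the pod."""
    spec = pod["spec"]
    pod_sc = spec.get("securityContext") or {}
    found = [("code execution inside the container (baseline)", 1)]
    for c in spec["containers"]:
        sc, name = c.get("securityContext") or {}, c["name"]
        if sc.get("privileged"):
            found.append((f"{name}: privileged container", 3))
        # Root unless the container or pod securityContext opts out explicitly.
        uid = sc.get("runAsUser", pod_sc.get("runAsUser"))
        non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
        if uid == 0 or (uid is None and non_root is not True):
            found.append((f"{name}: runs as root", 2))
        added = set((sc.get("capabilities") or {}).get("add") or []) & DANGEROUS_CAPS
        if added:
            found.append((f"{name}: adds {sorted(added)}", 2))
        if sc.get("allowPrivilegeEscalation") is not False:
            found.append((f"{name}: allowPrivilegeEscalation not disabled", 1))
    return found


def remote_factors(pod, services=(), policies=()):
    """Settings that make the pod reachable, from inside or outside the cluster."""
    spec, labels = pod["spec"], pod["metadata"].get("labels") or {}
    ports = [p for c in spec["containers"] for p in (c.get("ports") or [])]
    found = []
    if ports:
        found.append(("listens on a port", 1))
    if spec.get("hostNetwork") or any("hostPort" in p for p in ports):
        found.append(("reachable on the node IP (hostNetwork/hostPort)", 3))
    exposed = [s["metadata"]["name"] for s in services
               if _ns(s) == _ns(pod) and s["spec"].get("type") in ("LoadBalancer", "NodePort")
               and s["spec"].get("selector") and _selects(s["spec"]["selector"], labels)]
    if exposed:
        found.append((f"exposed outside the cluster by {exposed}", 3))
    covered = any(_ns(p) == _ns(pod) and
                  _selects((p["spec"].get("podSelector") or {}).get("matchLabels") or {}, labels)
                  for p in policies)
    if not covered:
        found.append(("no NetworkPolicy selects this pod", 1))
    return found


def risk_score(pod, services=(), policies=()):
    """0-10 score. Multiplicative on purpose: a privileged root container nobody
    can reach, or a hardened container on the Internet, each scores low; the
    combination of both scores high."""
    local = min(LOCAL_MAX, sum(w for _, w in local_factors(pod)))
    remote = min(REMOTE_MAX, sum(w for _, w in remote_factors(pod, services, policies)))
    return round(10 * local * remote / (LOCAL_MAX * REMOTE_MAX))


# --- constructed sample manifests (not taken from any real cluster) ------------
def _pod(name, container_sc, ports=({"containerPort": 8080},), **pod_spec):
    spec = {"containers": [{"name": "app", "image": "example/app:1.0",
                            "ports": list(ports), "securityContext": container_sc}], **pod_spec}
    return {"kind": "Pod", "metadata": {"name": name, "namespace": "payments",
                                        "labels": {"app": name}}, "spec": spec}

WEAK_POD = _pod("checkout", {"privileged": True, "capabilities": {"add": ["SYS_ADMIN"]}},
                hostNetwork=True)
HARDENED_POD = _pod("checkout", {"runAsNonRoot": True, "allowPrivilegeEscalation": False,
                                 "capabilities": {"drop": ["ALL"]}})
PRIVILEGED_BATCH = _pod("reindex", {"privileged": True}, ports=())  # no listener at all

LB_SERVICE = {"kind": "Service", "metadata": {"name": "checkout-lb", "namespace": "payments"},
              "spec": {"type": "LoadBalancer", "selector": {"app": "checkout"}}}
CLUSTERIP_SERVICE = {"kind": "Service", "metadata": {"name": "checkout", "namespace": "payments"},
                     "spec": {"type": "ClusterIP", "selector": {"app": "checkout"}}}
INGRESS_POLICY = {"kind": "NetworkPolicy",
                  "metadata": {"name": "checkout-ingress", "namespace": "payments"},
                  "spec": {"podSelector": {"matchLabels": {"app": "checkout"}},
                           "policyTypes": ["Ingress"],
                           "ingress": [{"from": [{"podSelector": {"matchLabels": {"app": "gateway"}}}]}]}}

SCENARIOS = {
    "privileged + root + hostNetwork + LoadBalancer, no policy": (WEAK_POD, [LB_SERVICE], []),
    "same pod, but a NetworkPolicy restricts ingress": (WEAK_POD, [LB_SERVICE], [INGRESS_POLICY]),
    "hardened container behind a LoadBalancer": (HARDENED_POD, [LB_SERVICE], []),
    "hardened container, ClusterIP only, policy in place": (HARDENED_POD, [CLUSTERIP_SERVICE], [INGRESS_POLICY]),
    "privileged batch job with no listener": (PRIVILEGED_BATCH, [], []),
}

if __name__ == "__main__":
    for title, (pod, svcs, pols) in SCENARIOS.items():
        print(f"{risk_score(pod, svcs, pols):>2}/10  {title}")
        for reason, w in local_factors(pod) + remote_factors(pod, svcs, pols):
            print(f"        +{w} {reason}")
```

Running the script scores the privileged, root, host-networked, load-balanced pod 10/10, the same pod with an ingress NetworkPolicy 9/10, and the hardened container behind the same load balancer only 1/10, the same as the privileged batch job that listens on nothing: neither factor alone is what makes a workload dangerous, and a real scanner should report the combination, not just count findings.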
