Building applications has become significantly simpler thanks to containers. Kubernetes (developed by Google) has become the de facto container orchestration platform today. It efficiently automates the provisioning, configuration, and management of containers at scale. Apart from simplicity, security is imperative when it comes to container management. Kubernetes (by default) assigns an IP address to every pod in the cluster and provides IP-based security. But Kubernetes provides only basic security measures, leaving advanced security monitoring and compliance enforcement to admins to manage. Fortunately, there are a plethora of third-party tools available that help secure your Kubernetes stack. Here’s a look at seven Kubernetes security tools.
1. Project Calico
Project Calico is an open source tool that connects and secures containers and the services they run. From Kubernetes to OpenStack, Calico is integrated with all the major cloud platforms. The key idea behind Calico is to create a microfirewall for every workload: the connectivity policies Calico supports are rendered into firewall rules, and these rules are automatically applied between each and every workload. This avoids the inefficiencies that come with moving between overlay L2 segments, thus providing maximum network security.
It also ensures unparalleled scalability by combining the power of the leading consensus-based data store with internet routing protocols. Calico is more scalable than current overlay solutions with its Layer 3 approach to internet-style architecture and virtual networking. Calico can talk to the existing routers and switches in the network because it communicates using the same type of IP packets. This makes Calico less complicated than overlay configurations. Project Calico recently joined the Cloud Native Computing Foundation, giving it expert oversight and closer proximity to the Kubernetes ecosystem.
2. Kube-Bench
The Center for Internet Security (CIS) provides guidelines and benchmark tests for securing your code. Kube-Bench is one of many open source Kubernetes security tools; it checks whether your Kubernetes deployment meets the security benchmarks provided by CIS. It supports the benchmark tests for multiple versions of Kubernetes. Kube-Bench is a Go application and is distributed as a container.
Besides pointing out the errors, Kube-Bench also helps you with solutions to fix them. The tool checks that user authorization and authentication are configured properly, that data is securely encrypted both in transit and at rest, and that the deployment follows the principle of least privilege.
Each of the benchmark tests is defined in a YAML file to make modification easier. The tool also supports JSON output and integrates with automated tools. You have to run these tests on each of your nodes to check whether your deployments meet the security standards set by CIS. Going forward, Kube-Bench updates will be released to add support for the new releases of the Benchmark for each new Kubernetes release.
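To make concrete how a benchmark check of the kind Kube-Bench runs turns captured node output into PASS/FAIL results with remediation text, here is an added example (not code from the kube-bench project). The check schema, the audit output and the three check ids are constructed, simplified assumptions, not kube-bench's real definitions.

```python
import re

# Constructed, simplified check definitions in the spirit of a kube-bench
# YAML entry: an id, the flag the audit output is searched for, a comparison
# and a remediation. The real kube-bench schema is richer; this is an assumption.
CHECKS = [
    {"id": "1.2.1", "flag": "--anonymous-auth", "op": "eq", "value": "false",
     "remediation": "Start the kube-apiserver with --anonymous-auth=false."},
    {"id": "1.2.5", "flag": "--kubelet-certificate-authority", "op": "set", "value": "",
     "remediation": "Set --kubelet-certificate-authority on the kube-apiserver."},
    {"id": "1.1.1", "flag": "permissions", "op": "bitmask", "value": "644",
     "remediation": "chmod 644 on the kube-apiserver manifest file."},
]

# Constructed audit output standing in for a real node: the command line of a
# running kube-apiserver and a stat of its manifest's permission bits.
AUDIT_OUTPUT = {
    "1.2.1": "kube-apiserver --anonymous-auth=true --authorization-mode=Node,RBAC",
    "1.2.5": "kube-apiserver --anonymous-auth=true --authorization-mode=Node,RBAC",
    "1.1.1": "permissions=600",
}

def flag_value(output, flag):
    """Value of flag in output: '' if present without a value, None if absent."""
    m = re.search(r"(?:^|\s)" + re.escape(flag) + r"(?:=(\S+))?(?=\s|$)", output)
    return None if m is None else (m.group(1) or "")

def evaluate(check, output):
    """Apply one check to captured audit output and return 'PASS' or 'FAIL'."""
    actual = flag_value(output, check["flag"])
    op, expected = check["op"], check["value"]
    if op == "set":            # flag merely has to be present
        ok = actual is not None
    elif op == "eq":           # flag must carry exactly this value
        ok = actual == expected
    elif op == "bitmask":      # no permission bit beyond the expected mask
        ok = actual is not None and (int(actual, 8) & ~int(expected, 8)) == 0
    else:
        raise ValueError(f"unknown op {op}")
    return "PASS" if ok else "FAIL"

def run_benchmark(checks=CHECKS, audit=AUDIT_OUTPUT):
    """Run every check and return a JSON-serialisable report with totals."""
    results = [{"test_number": c["id"], "status": evaluate(c, audit[c["id"]]),
                "remediation": c["remediation"]} for c in checks]
    totals = {s: sum(r["status"] == s for r in results) for s in ("PASS", "FAIL")}
    return {"results": results, "totals": totals}
```

A CI job can serialise the returned report with `json.dumps` and fail the pipeline whenever `totals["FAIL"]` is non-zero, which is the same gating role the tool's JSON output plays in automation.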
3. Kube-hunter
As the name suggests, Kube-hunter hunts for security threats in Kubernetes. It enables administrators to address the issues before attackers exploit them. By adding discovery and penetration testing capabilities, Kube-hunter complements the CIS validation provided by Kube-Bench. It works like an automated penetration testing tool.
Kube-hunter is open source, but there is also a managed containerized version provided by Aqua that makes it easy to run. This version works in conjunction with Aqua’s Kube-hunter website, where it is easy to view and share the results. The container comes with a reporting plugin for uploading results to Kube-hunter.aquasec.com. It is important to consider that uploading reports is subject to certain terms and conditions. Because Kube-hunter can probe remote clusters, it should never be run against other people’s clusters; the terms and conditions explicitly prohibit this.
4. Twistlock
Twistlock is a leading provider of full-lifecycle container and cloud-native cybersecurity solutions. It enables you to implement more than 200 built-in checks for the Kubernetes CIS Benchmarks. With actionable vulnerability management and automatically deployed firewalls, Twistlock protects applications across the development lifecycle. Twistlock also manages image scanning. Users can scan the complete container image along with any packaged Node.js component or Docker application. Twistlock can articulate a policy on a user-by-user basis, allowing developers to customize container security for particular use cases. According to the company’s website, Twistlock is specifically designed for containers and serverless. It delivers the speed and simplicity that developers want, and the control that chief information security officers (CISOs) need.
5. Aqua Security
Aqua Security, the creator of the Kube-hunter tool mentioned above, is an important player in the Kubernetes security ecosystem. Aqua bridges the gap between IT security and DevOps by enabling enterprises to secure their cloud-native and container-based applications. It gives organizations full end-to-end visibility into their container activity and also accelerates container adoption. By providing transparency, automated container security profiles, tight controls on privileged user access, and real-time enforcement of security policies, Aqua has become one of the leading Kubernetes security tools available today. Aqua’s highly targeted threat prevention capabilities keep businesses from having to trade off business continuity for security. The tool has powerful automation and works well across almost all popular cloud-native platforms. Aqua provides full-stack security from development to production across your CI/CD pipeline and runtime environment. The solution extends security across the cloud-native spectrum and enables elastic deployment security for services like AWS Lambda and Fargate. It also gives you centralized control over code deployment.
6. Kops
Kops is an official open-source Kubernetes security project for managing production-grade Kubernetes clusters. It is used to deploy Kubernetes clusters to AWS. The project is described as “kubectl for clusters.” It also supports cluster operational tasks like scaling up nodes and horizontally scaling the cluster. Kops automates a huge part of running Kubernetes on AWS.
It contains commands for creating clusters, updating settings, and applying changes. Because Kops uses declarative configuration, it knows how to apply infrastructure changes to existing clusters. You can use it for deploying clusters to existing virtual private clouds (VPCs) as well as for building a new VPC from scratch. Kops supports both public and private topologies. It provides multi-master (or single-master) clusters and comes with configurable bastion machines for Secure Shell (SSH) access to individual cluster nodes. It creates multiple instance groups to support heterogeneous clusters.
However, Kops lacks the pre/post-install hooks required for node configuration. Install hooks are important for things like pre-pulling images and installing software on nodes. Though the issue was recently addressed in a pull request, there is no timeline for the next release.
7. NeuVector
NeuVector provides security to Kubernetes in production. It is highly integrated and delivers automated security. The tool provides complete end-to-end container security with compliance testing, vulnerability scanning, and runtime protection. It comes with a Layer 7 container firewall. The cloud-native security solution is delivered as a container itself and does not require any external connections to secure containers.
Containerd is a container runtime created to manage the entire container lifecycle of its host system. It is known for emphasizing robustness, simplicity, and portability. NeuVector is a “Built on IBM Cloud” partner. The company has been testing the containerd version on the IBM Cloud Kubernetes Service version that uses the containerd runtime. CRI-O is a lightweight alternative to Docker and functions as an alternative runtime for Kubernetes. It enables runtimes that are compatible with the Open Container Initiative (OCI).
NeuVector unveiled its support for the containerd and CRI-O runtimes at KubeCon + CloudNativeCon North America 2018. The objective is to make its multivector container firewall accessible to businesses that are highly security-conscious. NeuVector describes itself as the only next-generation firewall for containers with packet-level interrogation and enforcement. NeuVector has been witnessing incredible market reception lately: its customer base grew 300 percent in the past year alone.
Kubernetes security tools: You must have them
Legacy security tools are not capable of handling the dynamic nature of containers, especially at a large scale. Using a single perimeter firewall for the entire application is no longer a good idea, because once attackers breach the perimeter firewall, they can access the entire system. Security standards are evolving rapidly and traditional methods are simply unable to keep up. Advanced security tools like the ones mentioned in this article are essential when considering today’s cybersecurity threats. Without a doubt, containerized apps are the future. Adequate security can help you realize the full potential of Kubernetes and containers.
1 thought on “Top 7 Kubernetes security tools to harden your container stack”
Thanks for shining the light on the importance of using security tools for containers and highlighting some of the Kubernetes tools in the market. I feel you forgot to mention a few new tools such as WhiteSource’s new containers security tool. It detects if you are using problematic open source components – both within the containers and the software deployed on it – without the need to manually download and scan containers or images.