    How Google Is Improving Kubernetes Container Security

    By Sean Michael Kerner - December 10, 2018

      The open-source Kubernetes container orchestration project has become increasingly important in recent years as organizations rely on it to deploy applications. With the increased reliance has come increased scrutiny on security, especially at Google, which hosts a managed Kubernetes service called Google Kubernetes Engine (GKE).

      In a call with press ahead of the KubeCon conference that runs Dec. 11-13 in Seattle, Maya Kaczorowski, product manager, Security & Privacy, at Google, outlined the steps Google is taking to help secure Kubernetes now and into the future.

      “Customers are asking mostly questions around configuration and setting up Kubernetes securely,” she said.

      Kubernetes is an open-source effort originally created and led by Google; since 2015, Kubernetes has been hosted at the Cloud Native Computing Foundation (CNCF). Both Amazon Web Services and Microsoft Azure operate their own hosted Kubernetes services, and there are commercial offerings from multiple vendors including IBM, Red Hat, SUSE, Pivotal and Cisco, among others. The GKE service is based on the upstream Kubernetes project and provides Google’s view on how Kubernetes should run in the public cloud.

      Kaczorowski said that among the questions that customers ask Google about GKE are ones about infrastructure security, with organizations curious about how Kubernetes security features can be used to protect user identities. Organizations are also curious about the software supply chain and whether or not a given container application image is safe to deploy. She noted that the safety of container application images has become a larger issue for many organizations in 2018, after reports of vulnerable applications in Docker Hub as well as a recent issue in the NPM event stream module.

      “Users are worried about what’s coming up in their environment,” she said. 

      Kaczorowski added that the more sophisticated users are asking questions about runtime security and how to identify a container that’s acting maliciously. Users are also interested in understanding how to conduct forensics on a container that has been impacted by a security issue.

      What Google Is Doing

      Google isn’t just taking the upstream Kubernetes as is and deploying it as GKE. Rather, Kaczorowski said Google is implementing best practices for security by default.

      “We go beyond what’s in open source and put additional restrictions in place to secure users,” she said. 

      One of the most prominent restrictions that GKE has is a restricted Kubernetes dashboard. Multiple organizations including Tesla and Weight Watchers have had their Kubernetes environments attacked in 2018, due to the simple fact that they left their Kubernetes dashboard open and exposed to the internet. A study from Lacework released on June 19 found 21,169 publicly facing Kubernetes dashboards, and of those, 300 deployments were found to have open administrative dashboards without any required access credentials.

      Google also makes use of private clusters and authorized networks to help protect GKE users.

      “This is about providing private IP addresses for nodes and then restricting the IP access to the control plane using a set of IP addresses from a user’s whitelist,” Kaczorowski said.

      Kubernetes runs on top of an operating system; in Google’s case, it’s a minimal operating system that is hardened and has been purpose-built. Kaczorowski said that the minimal OS is based on Google’s Chromium OS, which powers Google Chromebooks. The GKE OS needs to be minimal to reduce the attack surface for potential vulnerabilities, she said. 

      “It doesn’t need to have a lot of stuff because you bring a lot of stuff with you and your containers, and so Google builds its own operating system for this layer called container-optimized OS, or COS, and it’s built on Chromium,” she said. 

      Upgrading for security patches is always a best practice for IT, and it’s one that GKE implements with its node auto-upgrade capability. Kaczorowski said GKE manages the Kubernetes control plane for users, including updating that control plane and patching it when required.
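The three GKE defaults described above (dashboard restricted, private nodes with an authorized-network allow-list for the control plane, and node auto-upgrade) can be checked offline from a cluster description. The audit below is an added example written for this article, not Google's own tooling; it assumes the field names of the GKE v1 Cluster resource as returned by `gcloud container clusters describe CLUSTER --format=json`, and both sample clusters are constructed.

```python
"""Audit a GKE cluster description for the defaults discussed in the article.
Example code for this article, not Google's tooling; field names follow the
GKE v1 Cluster resource and the two sample clusters below are constructed."""
import ipaddress
import json


def audit_cluster(cluster: dict) -> list:
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    dash = cluster.get("addonsConfig", {}).get("kubernetesDashboard", {})
    if not dash.get("disabled", False):
        findings.append("kubernetes dashboard add-on is enabled")
    priv = cluster.get("privateClusterConfig", {})
    if not priv.get("enablePrivateNodes", False):
        findings.append("nodes have public IP addresses (not a private cluster)")
    man = cluster.get("masterAuthorizedNetworksConfig", {})
    if not man.get("enabled", False):
        findings.append("control plane reachable from any IP (authorized networks off)")
    else:
        for block in man.get("cidrBlocks", []):
            net = ipaddress.ip_network(block["cidrBlock"], strict=False)
            if net.prefixlen == 0:  # a /0 allow-list is no allow-list at all
                findings.append(f"authorized network {net} allows the whole internet")
    for pool in cluster.get("nodePools", []):
        if not pool.get("management", {}).get("autoUpgrade", False):
            findings.append(f"node pool {pool.get('name')} has auto-upgrade off")
    return findings


# Constructed samples: one exposed cluster, one configured the way GKE defaults to.
EXPOSED = json.loads("""{
  "name": "demo-exposed",
  "addonsConfig": {"kubernetesDashboard": {"disabled": false}},
  "masterAuthorizedNetworksConfig": {"enabled": true,
      "cidrBlocks": [{"cidrBlock": "0.0.0.0/0"}]},
  "nodePools": [{"name": "default-pool", "management": {"autoUpgrade": false}}]
}""")
HARDENED = json.loads("""{
  "name": "demo-hardened",
  "addonsConfig": {"kubernetesDashboard": {"disabled": true}},
  "privateClusterConfig": {"enablePrivateNodes": true,
      "masterIpv4CidrBlock": "172.16.0.0/28"},
  "masterAuthorizedNetworksConfig": {"enabled": true,
      "cidrBlocks": [{"cidrBlock": "203.0.113.0/24"}]},
  "nodePools": [{"name": "default-pool", "management": {"autoUpgrade": true}}]
}""")

if __name__ == "__main__":
    for c in (EXPOSED, HARDENED):
        print(c["name"], audit_cluster(c) or ["ok"])
```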

      Another core Google container security capability was announced at the Google Next conference on July 24, with the launch of the Container Registry Vulnerability service, which provides automatic scans of container images to help identify known vulnerabilities. At Next, Google also announced its Binary Authorization, which verifies that an image meets certain requirements before it can be deployed into production. At the KubeCon Europe event on May 3, Google announced its container runtime security effort, which involves partnerships with Aqua Security, Capsule8, StackRox, Sysdig and Twistlock. In a video interview with eWEEK, Kaczorowski detailed what the container security partnership is all about.

      2019 Outlook

      Looking into 2019, Kaczorowski sees two core trends playing out in the IT security space. The first one is simplifying everything. 

      “Right now, the burden on a user to get Kubernetes up and running with the right configuration is quite high,” she said. “So in GKE, we’ve done a lot of work to make that simpler, but in the open-source version, it’s just too much of a struggle.”

      Kaczorowski is hopeful that the core open-source Kubernetes community moves toward simplifying Kubernetes and providing better defaults. 

      Kubernetes-specific attacks are another thing that Kaczorowski predicts are coming. To date, a lot of the attacks against containers can be classified as “drive-by” attacks, in which an attacker randomly scans environments looking for known vulnerabilities, she said.

      “The attackers probably don’t even realize they’re attacking a containerized environment, and they probably don’t even care,” she said. “We will probably start to see people scanning more for Kubernetes vulnerabilities, realizing that they’re in a container trying to do something a little bit more interesting in that regard, or purposefully looking for containers to target because they might think that they’re misconfigured.”

      Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.
