KubeCon + CloudNativeCon North America Virtual | November 17-20, 2020 | Don’t Miss Out | Learn more

Identifying Kubernetes Config Security Threats: Pods Running as Root

Member Post

Guest post by Joe Pelletier, VP of Strategy at Fairwinds

With different teams – development, security and operations – and prioritization of speedy delivery over perfect configuration, mistakes are inevitable. As teams work on building and shipping new applications, mistakes are bound to happen if the only safeguard is an application developer remembering to adjust Kubernetes’ default configurations. Security, efficiency and reliability end up suffering

Having individual contributors design their own Kubernetes security configuration all but ensures inconsistency and mistakes. It doesn’t often happen intentionally, often it’s because engineers are focused on getting containers to run in Kubernetes. Unfortunately, many neglect to revisit configurations along the way causing gaps in security and efficiency.

A prime example is overpermissioning a deployment with root access to just get something working. Malicious attackers are constantly looking for holes to exploit and root access is ideal for them.

Platform teams responsible for security can attempt to manually go through each pod to check for misconfigured deployments. But many DevOps teams are under-staffed and don’t have the bandwidth to manually inspect every change introduced by a variety of engineering teams. They need a way to proactively audit workloads and validate configurations to identify weaknesses, container vulnerabilities, and misconfigured deployments. Configuration validation provides a tool to proactively identify holes in security instead of waiting for a breach to happen.

Kubernetes configuration validation ensures consistent security: 

  • Built-in centralized control | Often security teams require DevOps to implement a variety of infrastructure controls to meet internal standards. When it comes to Kubernetes, most security teams lack visibility beyond basic metrics, straining the relationship with DevOps. Consolidating this data in a single location bridges the gap between these two stakeholders.
  • Reduce the risk of mistakes | A configuration validation platform dramatically reduces the risk of errors from either Kubernetes inexperience or oversight by adding an expert configuration review into the development process.
  • Ensure security | Configuration validation is key to security for Kubernetes — getting it right dramatically reduces the risk of security incidents in production. Configuration validation ensures that security best practices are being followed organization-wide.

Platform teams can opt to build their own tool for absolute control, but few companies gain a competitive edge from having their own tool. There are open source options available, but teams must evaluate, manage and maintain and building the holistic platform can be time consuming. 

As the fastest way to identify Kubernetes misconfiguration, a purpose-built solution offers baked-in guidance curated by Kubernetes experts with dedicated support when needed. It allows teams to focus time on developing and deploying applications while simplifying operations.

Check out an example of a configuration validation solution. 

Learn more about configuration validation by visiting https://www.fairwinds.com/.