<img height="1" width="1" style="display:none" src="https://www.facebook.com/tr?id=521127644762074&amp;ev=PageView&amp;noscript=1">

Kubernetes Config Security Threats

Securing workloads in Kubernetes is an important part of overall cluster security. The overall goal should be to ensure that containers are running with as minimal privileges as possible. This includes avoiding privilege escalation, not running containers as a root user, and using read only file systems wherever possible.

Security vulnerabilities can slip into production because of oversight or inexperience. Speed to delivery vs. critical security safeguards are often at odds as teams attempt to balance the velocity of engineering with the reactionary pace of security. This balancing act can result in messy Kubernetes configurations and unnecessary risk. Problems can arise if workloads are mis-configured by developers through inexperience or neglect.

Unfortunately, individual application developers often neglect security configuration for each workload. For example, it's often easier to over-permission a deployment with root access to just get something working. Forcing individual contributors to design their own security configuration all but ensures inconsistency and mistakes.

Common Kubernetes Security Configurations That Lead to Vulnerable Deployments

So how do you quickly and proactively identify Kubernetes security misconfigurations to prevent breaches? In our experience there are eight common Kubernetes security misconfigurations that lead to vulnerable deployments.

Not identifying and addressing these configurations can have negative business consequences. For example, if a container runs as root but doesn’t necessarily need this level of access, then a malicious container could have the privileges to steal data or cause other damage to the system.






Fails when hostIPC attribute is configured.



Fails when hostPID attribute is configured.



Fails when securityContext.readOnlyRootFilesystem is not true.



Fails when securityContext.allowPrivilegeEscalation is true.



Fails when securityContext.runAsNonRoot is not true.



Fails when securityContext.privileged is true.



Fails when securityContext.capabilities includes one of the capabilities listed here



Fails when securityContext.capabilities includes one of the capabilities listed here

To address these common Kubernetes security threats, our team built Polaris, an open source tool, that checks configurations found in the securityContext attribute for both Kubernetes pods and containers. Where Polaris ends is where Fairwinds Insights picks up.

Fairwinds Insights is a configuration validation tool that provides visibility into an organization’s Kubernetes security posture by auditing workloads and validating configurations for weaknesses, container vulnerabilities, and misconfigured deployments. 

Fairwinds Insights operationalizes Polaris checks by providing not only the findings, but also keeping a historical record of the results across all your clusters and offering remediation guidance. Fairwinds Insights allows you to track and prioritize security, efficiency and reliability issues, collaborate across teams, and apply best practices as applications move from development to production.

Learn more about Fairwinds Insights or get the paper on how to manage Kubernetes configurations to improve security, efficiency and reliability.

Managing Kubernetes Configuration Read the Whitepaper