Fairwinds | Blog

Kubernetes security, cost avoidance an' policy go 'and in 'and

Written by Admiral Bash | Sep 19, 2022 6:28:06 PM

Kubernetes security continues to be one o' the biggest concerns fer organizations adoptin' the technology. Security teams be learnin' Kubernetes while DevOps an' developers be learnin' the configurations needed to ensure the basics be covered. Platform engineers/DevOps play an important role because Kubernetes security needs solid configuration. Accordin' to the 2022 Red Hat State of Kubernetes Security report, 43% consider “DevOps” as the role most responsible fer Kubernetes security. 'Owever, no matter the cybersecurity technology implemented to defend against threats, without engineers configurin' containers properly, them threats could become dangerous.

At the same time, cost be a 'uge concern with any organization usin' the cloud. Kubernetes cost avoidance becomes just as important as security the bigger the workloads. The idea around cost avoidance, accordin' to the FinOps Foundation, be to reduce usage an' optimize costs to get a better cloud rate. The foundation says that “most o' the actions required fer cost avoidance be engineer dependent. If engineers ain't receptive to FinOps initiatives aimed at cost avoidance, then nothin' 'appens.” Again, engineers play an important role.

Platform engineers make value, cost optimization an' risk reduction possible

Organizations want to increase value (profit), lower cost an' reduce risk. Platform engineerin' teams (or DevOps) usin' Kubernetes play an important role in all three:

  1. Increase value (profit) by shippin' applications faster, because yer development teams 'ave a faster lifecycle (i.e. get new features to market faster).

  2. Lower cost by optimizin' cloud usage.

  3. Reduce risk by implementin' all the security features made possible in Kubernetes.

Core to achievin' all these benefits be that the platform engineerin' team must configure with security an' cost in mind. This here be often possible with teams runnin' one to three small clusters, but as the size o' the Kubernetes environment increases, managin' more people, enablin' developers to self-service an' maintainin' standards becomes 'ard. As organizations grow their usage o' Kubernetes, platform engineers must change from bein' the “doers” to the “enablers” to 'elp downstream development teams deploy quickly – but with security an' cost in mind.

But writin' policy down an' sayin' ‘must follow’ be the easy part. Makin' it easy to know 'ow to configure fer security an' 'ow to optimize fer cost be 'arder. Makin' sure every person knows the standards be even 'arder. An' makin' sure it’s done be the 'ardest part. That’s where Kubernetes governance becomes essential, because without it there be no cost optimization, no security an' no increased value.

Runnin' Kubernetes cost optimization an' security as one

The challenge be that fer larger organizations there be one team, usually the platform engineerin' team, settin' up Kubernetes. The security team be brought in to secure “the thing,” an' the finance team be askin' “how much cloud be bein' consumed?” Both the security an' finance teams be turnin' to the platform engineerin' team, who often lack the visibility to see what’s 'appenin' across the entire platform.

Point-in-time audits 'elp, but they can be resource intensive an' they don’t guarantee that problems found be actually fixed.

Kubernetes governance platforms offer the answer to all three stakeholders: engineerin', security an' finance. A Kubernetes governance platform implements policy-as-code to enforce guardrails around security, cost avoidance an' reliability. Examples o' real-world policies include:

  • Ensurin' workloads be ne'er deployed to run as a privileged user - 'elps enforce defense in depth

  • Alertin' developers when their CPU an' memory requests be 30% more than they be currently usin' - 'elps avoid wasted costs

  • Preventin' containers from bein' deployed with critical known vulnerabilities - 'elps reduce risk

This here arms developers with the tools they need to meet requirements across the business – from ensurin' workloads be deployed securely to optimizin' cloud spend, an' achievin' compliance.
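As an added example (not Fairwinds' code nor any product's), 'ere be the first two guardrails above written as policy-as-code checks in Python, run against a constructed Pod manifest an' constructed usage numbers. The manifest, the usage figures an' the 30% threshold be all assumptions made fer the demo.

```python
# Added example (not Fairwinds' code): two of the post's guardrails as
# policy-as-code checks over a constructed Pod manifest and constructed usage.
# Constructed sample Pod (a plain dict rather than YAML so it runs offline).
SAMPLE_POD = {
    "metadata": {"name": "billing-api", "namespace": "payments"},
    "spec": {
        "securityContext": {"runAsNonRoot": False},
        "containers": [
            {"name": "api",
             "securityContext": {"privileged": True, "runAsUser": 0},
             "resources": {"requests": {"cpu": "1000m", "memory": "2Gi"}}},
            {"name": "sidecar",
             "securityContext": {"runAsNonRoot": True, "allowPrivilegeEscalation": False},
             "resources": {"requests": {"cpu": "100m", "memory": "128Mi"}}},
        ],
    },
}
# Constructed average usage per container: CPU in millicores, memory in bytes.
SAMPLE_USAGE = {"api": {"cpu": 250, "memory": 512 * 1024 ** 2},
                "sidecar": {"cpu": 90, "memory": 120 * 1024 ** 2}}

def parse_cpu(q: str) -> int:
    """Kubernetes CPU quantity ("500m" or "2") -> millicores."""
    return int(q[:-1]) if q.endswith("m") else int(float(q) * 1000)

def parse_memory(q: str) -> int:
    """Kubernetes memory quantity (Ki/Mi/Gi or plain bytes) -> bytes."""
    for suffix, mult in (("Ki", 1024), ("Mi", 1024 ** 2), ("Gi", 1024 ** 3)):
        if q.endswith(suffix):
            return int(q[:-2]) * mult
    return int(q)

def privileged_violations(pod: dict) -> list:
    """Guardrail 1: containers must not run privileged or as root."""
    pod_ctx = pod["spec"].get("securityContext", {})
    findings = []
    for c in pod["spec"]["containers"]:
        ctx = {**pod_ctx, **c.get("securityContext", {})}  # container level wins
        if ctx.get("privileged"):
            findings.append(f"{c['name']}: privileged=true")
        if ctx.get("runAsUser") == 0 or not ctx.get("runAsNonRoot"):
            findings.append(f"{c['name']}: may run as root (set runAsNonRoot: true)")
    return findings

def overprovisioned(pod: dict, usage: dict, threshold: float = 0.30) -> list:
    """Guardrail 2: flag requests more than `threshold` above observed usage."""
    findings = []
    for c in pod["spec"]["containers"]:
        req = c["resources"]["requests"]
        for res, value in (("cpu", parse_cpu(req["cpu"])), ("memory", parse_memory(req["memory"]))):
            if value > usage[c["name"]][res] * (1 + threshold):
                findings.append(f"{c['name']}: {res} request {value} exceeds usage by >{threshold:.0%}")
    return findings
```

Run in admission (reject) or as a periodic report (alert) dependin' on which guardrail the policy owner wants; the sidecar passes both checks, the api container fails both.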

Checklist fer Kubernetes governance platform

When evaluatin' solutions fer Kubernetes security, cost or policy enforcement, it’s important fer all security, finance an' engineerin' teams to not just look at a standalone point product. Security, cost an' policy go 'and in 'and. Further, with the right solution, users can arm developers with the tools they need in the way they want to work, without significant time spent on integration an' management.

'Ere be a short checklist when considerin' a cloud governance an' policy solution fer Kubernetes:

  • Kubernetes cost optimization

    • Workload/node/cluster cost allocation

    • Advice on CPU an' memory settings

    • Resource recommendations

    • Track spend o'er time

    • AWS billin' integration

  • Kubernetes guardrails

    • Policy library

    • K8s policy-as-code automation (write once, deploy everywhere)

    • Custom policies via Open Policy Agent (OPA)

    • Multi-cluster visibility into compliance

    • CIS benchmark

    • Compliance self-assessment fer SOC 2

    • Compliance recommendations

  • Shift-left Kubernetes security

    • Infrastructure-as-code scannin'

    • Container vulnerability scannin'

    • Runtime monitorin'

    • Auto-scan infrastructure-as-code to support GitOps

    • Role-based access control

    • Third-party image upgrade recommendations

    • Falco support

    • Vulnerability explorer

  • Service ownership

    • Enable developers with detailed remediation advice

    • Automate alerts, ticketin' an' workflows

    • Built-in configuration best practices

Read the non-pirate speak post here.