Kubernetes security continues to be one of the biggest concerns for organizations adopting the technology. Security teams are learning Kubernetes while DevOps and developers are learning the configurations needed to ensure the basics are covered. Platform engineers/DevOps play an important role because Kubernetes security needs solid configuration. According to the 2022 Red Hat State of Kubernetes Security Report, 43% consider “DevOps” as the role most responsible for Kubernetes security. However, no matter the cybersecurity technology implemented to defend against threats, without engineers configuring containers properly, those threats could become dangerous.
At the same time, cost is a huge concern with any organization using the cloud. Kubernetes cost avoidance becomes just as important as security the bigger the workloads. The idea around cost avoidance, according to the FinOps Foundation, is to reduce usage and optimize costs to get a better cloud rate. The Foundation says that “Most of the actions required for cost avoidance are engineer dependent. If engineers are not receptive to FinOps initiatives aimed at cost avoidance, then nothing happens.” Again, engineers play an important role.
Organizations want to increase value (profit), lower cost and reduce risk. Platform engineering teams (or DevOps) using Kubernetes play an important role in all three:
Increase value (profit) by shipping applications faster because your development teams have a faster lifecycle (i.e. get new features in the market faster).
Lower cost by optimizing cloud usage.
Reduce risk by implementing all the security features made possible in Kubernetes.
Core to achieving all these benefits is that the platform engineering team must configure with security and cost in mind. This is often possible with teams running one to three small clusters, but as the size of the Kubernetes environment increases, managing more people, enabling developers to self-service and maintaining standards becomes hard. As organizations grow their usage of Kubernetes, platform engineers must change from being the “doers” to the “enablers” to help downstream development teams deploy quickly – but with security and cost in mind.
But writing policy down and saying ‘must follow’ is the easy part. Making it easy to know how to configure for security and how to optimize for cost is harder. Making sure every person knows the standards is even harder. And making sure it’s done is the hardest part. That’s where Kubernetes governance becomes essential because without it there is no cost optimization, there is no security and there is no increased value.
The challenge is that for larger organizations there is one team, usually the platform engineering team, setting up Kubernetes. The security team is brought in to secure “the thing,” and the finance team is asking “how much cloud is being consumed.” Both the security and finance teams are turning to the platform engineering team who often lack the visibility to see what’s happening across the entire platform.
Point in time audits help, but it can be resource intensive and it doesn’t guarantee that if problems are found that they are fixed.
Kubernetes governance platforms offer the answer to all three stakeholders: engineering, security and finance. A Kubernetes governance platform implements policy-as-code to enforce guardrails around security, cost avoidance and reliability. Examples of real-world policies include:
Ensuring workloads are never deployed to run as a privileged user - helps enforce defense in depth
Alerting developers when their CPU and Memory requests are 30% more than they are currently using - helps avoid wasted costs
Preventing containers from being deployed with critical known vulnerabilities - helps reduce risk
This arms developers with the tools they need to meet requirements across the business – from ensuring workloads are deployed securely to optimizing cloud spend, and achieving compliance.
When evaluating solutions for Kubernetes security, cost or policy enforcement, it’s important for all security, finance and engineering teams to not just look at a standalone point product. Security, cost and policy go hand in hand. Further, if using the right solution, users can arm developers with the tools they need in the way they want to work without significant time spent on integration and management.
Here is a short checklist when considering a cloud governance and policy solution for Kubernetes:
Kubernetes Cost Optimization
Workload/node/cluster cost allocation
Advice on CPU and memory settings
Resource recommendations
Track spend over time
AWS billing integration
Kubernetes Guardrails
Policy library
K8s Policy-as-Code automation (write once, deploy everywhere)
Custom policies via Open Policy Agent (OPA)
Multi-cluster visibility into compliance
CIS Benchmark
Compliance Self-Assessment for SOC 2
Compliance recommendations
Shift-Left Kubernetes Security
Infrastructure-as-code scanning
Container vulnerability scanning
Runtime monitoring
Auto-Scan Infrastructure-as-Code to support GitOps
Role Based Access Control
Third party image upgrade recommendations
Falco support
Vulnerability explorer
Service ownership
Enable developers with detailed remediation advice
Automate alerts, ticketing and workflows
Built in configuration best practices
