
Kubernetes Security, Cost Avoidance and Policy Go Hand in Hand

Kubernetes security continues to be one of the biggest concerns for organizations adopting the technology. Security teams are learning Kubernetes while DevOps and developers are learning the configurations needed to ensure the basics are covered. Platform engineers/DevOps play an important role because Kubernetes security depends on solid configuration. According to the 2022 Red Hat State of Kubernetes Security Report, 43% consider “DevOps” the role most responsible for Kubernetes security. However, no matter which cybersecurity technology is deployed to defend against threats, if engineers do not configure containers properly those threats can still become dangerous.

At the same time, cost is a huge concern for any organization using the cloud. The larger the workloads grow, the more Kubernetes cost avoidance becomes just as important as security. The idea behind cost avoidance, according to the FinOps Foundation, is to reduce usage and optimize costs to get a better cloud rate. The Foundation says that “Most of the actions required for cost avoidance are engineer dependent. If engineers are not receptive to FinOps initiatives aimed at cost avoidance, then nothing happens.” Again, engineers play an important role.

Platform Engineers Make Value, Cost Optimization and Risk Reduction Possible

Organizations want to increase value (profit), lower cost and reduce risk. Platform engineering teams (or DevOps) using Kubernetes play an important role in all three:

  1. Increase value (profit) by shipping applications faster because your development teams have a faster lifecycle (i.e. get new features in the market faster).

  2. Lower cost by optimizing cloud usage.

  3. Reduce risk by implementing all the security features made possible in Kubernetes.

Core to achieving all these benefits is that the platform engineering team must configure with security and cost in mind. This is often possible with teams running one to three small clusters, but as the size of the Kubernetes environment increases, managing more people, enabling developers to self-service and maintaining standards becomes hard. As organizations grow their usage of Kubernetes, platform engineers must change from being the “doers” to the “enablers” to help downstream development teams deploy quickly – but with security and cost in mind.

But writing policy down and saying ‘must follow’ is the easy part. Making it easy to know how to configure for security and how to optimize for cost is harder. Making sure every person knows the standards is even harder. And making sure it’s done is the hardest part. That’s where Kubernetes governance becomes essential because without it there is no cost optimization, there is no security and there is no increased value.

Running Kubernetes Cost Optimization and Security as One

The challenge is that in larger organizations one team, usually the platform engineering team, sets up Kubernetes. The security team is brought in to secure “the thing,” and the finance team is asking “how much cloud is being consumed?” Both the security and finance teams turn to the platform engineering team, which often lacks the visibility to see what is happening across the entire platform.

Point-in-time audits help, but they are resource intensive and do not guarantee that problems, once found, are actually fixed.

Kubernetes governance platforms offer the answer to all three stakeholders: engineering, security and finance. A Kubernetes governance platform implements policy-as-code to enforce guardrails around security, cost avoidance and reliability. Examples of real-world policies include:

  • Ensuring workloads are never deployed to run as a privileged user - helps enforce defense in depth

  • Alerting developers when their CPU and Memory requests are 30% more than they are currently using - helps avoid wasted costs

  • Preventing containers from being deployed with critical known vulnerabilities - helps reduce risk
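Two of those policies (the privileged-user guardrail and the 30% over-request alert), written out as plain Python checks over a Pod manifest. This is an added example, not Fairwinds' or Kubernetes' own code; the sample manifest, the usage figures and the function names are constructed for illustration, and only the field names follow the Kubernetes Pod spec.

```python
# Added example, not Fairwinds' own code: two of the guardrails above as
# plain Python checks over a Pod manifest dict plus a usage sample. Field
# names follow the Kubernetes Pod spec; the sample pod and usage are constructed.

OVER_REQUEST_THRESHOLD = 0.30  # requests more than 30% above observed usage
SAMPLE_POD = {"spec": {"securityContext": {"runAsNonRoot": True}, "containers": [
    {"name": "web", "resources": {"requests": {"cpu": "500m", "memory": "512Mi"}}},
    {"name": "sidecar", "securityContext": {"privileged": True},
     "resources": {"requests": {"cpu": "100m", "memory": "64Mi"}}},
]}}
# Constructed metrics: web uses 0.2 cores / 480 MiB, sidecar 0.09 cores / 60 MiB.
SAMPLE_USAGE = {"web": {"cpu": 0.2, "memory": 480 * 1024**2},
                "sidecar": {"cpu": 0.09, "memory": 60 * 1024**2}}

def privileged_containers(pod: dict) -> list[str]:
    """Names of containers that are privileged or may run as root
    (neither the pod nor the container sets runAsNonRoot: true)."""
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})
    flagged = []
    for c in spec.get("containers", []):
        sc = c.get("securityContext", {})
        non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False))
        if sc.get("privileged", False) or not non_root:
            flagged.append(c["name"])
    return flagged

def parse_cpu(q: str) -> float:
    """Kubernetes CPU quantity ('250m' or '1') to cores."""
    return float(q[:-1]) / 1000 if q.endswith("m") else float(q)

def parse_mem(q: str) -> int:
    """Memory quantity ('256Mi', '1Gi', or plain bytes) to bytes."""
    for suffix, mult in (("Ki", 1024), ("Mi", 1024**2), ("Gi", 1024**3)):
        if q.endswith(suffix):
            return int(q[: -len(suffix)]) * mult
    return int(q)

def over_requested(pod: dict, usage: dict) -> list[str]:
    """'container/resource' pairs whose request exceeds observed usage by
    more than the threshold. usage: {name: {'cpu': cores, 'memory': bytes}}."""
    findings = []
    for c in pod.get("spec", {}).get("containers", []):
        req = c.get("resources", {}).get("requests", {})
        used = usage.get(c["name"], {})
        for res, parse in (("cpu", parse_cpu), ("memory", parse_mem)):
            if res in req and used.get(res):
                if parse(req[res]) > used[res] * (1 + OVER_REQUEST_THRESHOLD):
                    findings.append(f"{c['name']}/{res}")
    return findings
```

Running both checks on SAMPLE_POD flags the privileged sidecar and the web container's CPU request (0.5 cores requested against 0.2 used), while the memory requests sit within the 30% band and pass.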

This arms developers with the tools they need to meet requirements across the business – from ensuring workloads are deployed securely to optimizing cloud spend, and achieving compliance.

Checklist for Kubernetes Governance Platform

When evaluating solutions for Kubernetes security, cost or policy enforcement, it’s important for security, finance and engineering teams alike not to look only at a standalone point product. Security, cost and policy go hand in hand. Further, with the right solution, users can arm developers with the tools they need, in the way they want to work, without significant time spent on integration and management.

Here is a short checklist when considering a cloud governance and policy solution for Kubernetes:

  • Kubernetes Cost Optimization

    • Workload/node/cluster cost allocation

    • Advice on CPU and memory settings

    • Resource recommendations

    • Track spend over time

    • AWS billing integration

  • Kubernetes Guardrails

    • Policy library

    • K8s Policy-as-Code automation (write once, deploy everywhere)

    • Custom policies via Open Policy Agent (OPA)

    • Multi-cluster visibility into compliance

    • CIS Benchmark

    • Compliance Self-Assessment for SOC 2

    • Compliance recommendations

  • Shift-Left Kubernetes Security

    • Infrastructure-as-code scanning

    • Container vulnerability scanning

    • Runtime monitoring

    • Auto-Scan Infrastructure-as-Code to support GitOps

    • Role-Based Access Control

    • Third party image upgrade recommendations

    • Falco support

    • Vulnerability explorer

  • Service ownership

    • Enable developers with detailed remediation advice

    • Automate alerts, ticketing and workflows

    • Built-in configuration best practices
