Full speed with Kubernetes
- Posted on June 15, 2021
- Estimated reading time 3 minutes
Why can we drive so fast with our cars? It is the brakes that allow us to go this fast. Developing on Kubernetes allows you to put workloads into production at speeds that were not thought possible a decade ago. But how do you ensure workloads are exposed securely and follow proven practices? Providing a secure and agile Kubernetes environment to your DevOps teams is a challenge for many organizations.
We want to provide our development teams with a platform so that they can focus on delivering new business functionality. Kubernetes has become the number one container-hosting and orchestration platform, and many companies have numerous workloads running on Kubernetes clusters. While platforms such as Azure Kubernetes Service (AKS) already take care of many things related to hosting a Kubernetes cluster, they do not address all aspects of securing the workloads and infrastructure.
Areas to address
One of the reasons Kubernetes has become so popular is the options it provides for hosting workloads. There are many ways to host a workload, and many aspects must be considered. Kubernetes is a platform in its own right, and enabling and securing it touches nearly the complete spectrum of cloud infrastructure, such as integrating access with the corporate identity provider, arranging security updates for worker nodes, and deploying and running workloads with the least privileges possible.
We do not want our development teams to do the heavy lifting of addressing all these areas as this would distract from delivering business functionality.
Applying the brakes
So, what are the brakes that allow you to go full speed with Kubernetes? Avanade has developed a security control framework that expands on the 4C's of Cloud Native security (Cloud, Cluster, Container, Code) as outlined by kubernetes.io and includes additional layers and controls to strengthen the security posture of your environment.
Based on industry best practices, common benchmarks, and customer experiences, the framework consists of over 200 operational and security controls. The framework is flexible in how it can be implemented, which allows for easier adoption into existing environments without any potentially disruptive implementations. The following diagram illustrates how the control topics and focus areas are arranged in a more granular layered security model.
To support the continuous effort that implementing and enforcing security requires, the controls can be implemented in the CI/CD tooling of the software development lifecycle.
The framework gives insight into areas that are often overlooked, for example the upgrade status of the Kubernetes control plane and worker nodes, how common Kubernetes add-ons such as ingress controllers and backup tools are configured and maintained, and to what extent the intended security controls are actually implemented on the workloads. Insight into these aspects allows the organization to optimize the deployment and maintenance of its containerization infrastructure.
Putting it together
Our approach is based on the framework and the controls it contains, plus workshops with the CISO and security engineers. The framework is extendable and allows customization and addition of controls, so it can be tailored to specific security requirements. The output is a structured dataset with the compliance status of each evaluated resource, whether a cloud subscription, a Kubernetes cluster or an individual container, that can be consumed by a continuous process or used for periodic reporting on compliance status.
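As an added illustration of three points made above (running workloads with the least privileges possible, enforcing controls from CI/CD tooling, and producing a structured per-resource compliance dataset), the following Python script evaluates a handful of least-privilege controls against Kubernetes workload manifests. This is example code written for this page, not Avanade's framework or any of its 200-plus controls; the control identifiers `CTR-01` to `CTR-05`, the function names and the two sample manifests are all constructed here. It goes slightly beyond bare Pods by unwrapping the Pod template of Deployments and similar workload kinds, and it honours `runAsNonRoot` inherited from the Pod-level `securityContext`.

```python
"""Least-privilege checks for Kubernetes workload manifests, producing a
structured compliance record per resource. Example code for this page;
not Avanade's framework. Control ids and manifests are constructed."""
import json
import sys

# Hypothetical control catalogue (constructed for this example).
CONTROLS = {
    "CTR-01": "container does not run privileged",
    "CTR-02": "container disallows privilege escalation",
    "CTR-03": "container runs as a non-root user",
    "CTR-04": "container drops all Linux capabilities",
    "CTR-05": "container root filesystem is read-only",
}


def pod_spec_of(manifest):
    """Return the Pod spec of a Pod, or of a workload kind wrapping a Pod template."""
    kind = manifest.get("kind")
    if kind == "Pod":
        return manifest["spec"]
    if kind in ("Deployment", "StatefulSet", "DaemonSet", "Job", "ReplicaSet"):
        return manifest["spec"]["template"]["spec"]
    raise ValueError(f"unsupported kind: {kind}")


def evaluate_container(container, pod_sc):
    """Evaluate one container. runAsNonRoot falls back to the Pod securityContext,
    which is how Kubernetes applies it when the container does not set it."""
    sc = container.get("securityContext") or {}
    caps = sc.get("capabilities") or {}
    run_as_non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
    return {
        "CTR-01": sc.get("privileged", False) is False,        # default is False: compliant
        "CTR-02": sc.get("allowPrivilegeEscalation") is False,  # default is True: must be explicit
        "CTR-03": run_as_non_root is True,
        "CTR-04": "ALL" in (caps.get("drop") or []),
        "CTR-05": sc.get("readOnlyRootFilesystem") is True,
    }


def evaluate_manifest(manifest):
    """Return a structured compliance record covering every (init)container."""
    spec = pod_spec_of(manifest)
    pod_sc = spec.get("securityContext") or {}
    meta = manifest.get("metadata", {})
    resource = f"{meta.get('namespace', 'default')}/{manifest['kind']}/{meta['name']}"
    containers = []
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        results = evaluate_container(c, pod_sc)
        containers.append({"name": c["name"], "controls": results,
                           "compliant": all(results.values())})
    return {"resource": resource, "containers": containers,
            "compliant": all(c["compliant"] for c in containers)}


def ci_gate(manifests):
    """Names of non-compliant resources; an empty list means the pipeline step passes."""
    return [r["resource"] for r in map(evaluate_manifest, manifests) if not r["compliant"]]


# Constructed sample manifests: one with Kubernetes defaults, one hardened.
WEAK_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "web-weak", "namespace": "shop"},
    "spec": {"containers": [{"name": "web", "image": "example/web:1.0"}]},
}

HARDENED_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "web-hardened", "namespace": "shop"},
    "spec": {"replicas": 2, "template": {"spec": {
        "securityContext": {"runAsNonRoot": True, "runAsUser": 10001},
        "containers": [{"name": "web", "image": "example/web:1.0",
                        "securityContext": {"allowPrivilegeEscalation": False,
                                            "readOnlyRootFilesystem": True,
                                            "capabilities": {"drop": ["ALL"]}}}]}}},
}

if __name__ == "__main__":
    # Emit the dataset for reporting, then fail the build if anything is non-compliant.
    print(json.dumps([evaluate_manifest(m) for m in (WEAK_POD, HARDENED_DEPLOYMENT)], indent=2))
    sys.exit(1 if ci_gate([WEAK_POD, HARDENED_DEPLOYMENT]) else 0)
```

Run as a pipeline step, the JSON output is the structured dataset that can be stored for periodic reporting, while the non-zero exit code is the "brake" that stops a non-compliant manifest from being deployed. Note that `CTR-02` treats an unset `allowPrivilegeEscalation` as a failure because the Kubernetes default for it is `true`, whereas an unset `privileged` defaults to `false` and passes `CTR-01`.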