Kubernetes: Introduction and security aspects

Paladion
By Paladion

August 6, 2020

Cloud-native technologies are widely used by organizations to achieve more efficient application development, deployment, and bug fixes. It makes use of containerization, which provides speed, portability, and microservices architecture. However, maintaining and deploying multiple containers can be tedious and reduces the visibility of cloud-native infrastructure.

Many of these organizations are now turning to Kubernetes, a platform that automates these manual processes. Here are the basics you need to know about Kubernetes:

What is Kubernetes?

Kubernetes, popularly known as k8s or “Kube,” is an open-source container management platform that is ideal for hosting rapidly scaling cloud-native applications. The name originates from Greek, meaning “pilot,” and was introduced and developed by a team engineers from Google, who are known for utilizing container technology.

Containers are mini-virtual machines that execute ready-to-run applications on top of other virtual machines (VMs). However, it does not have the components and other device drivers of a virtual machine.

Kubernetes provides the platform to schedule and run containers on clusters of physical or virtual machines (VMs), thereby automating operational tasks. This includes tasks such as deploying, managing, load balancing, and scaling containerized applications. These clusters or groups of containers make up an application into one logical unit, thereby allowing for efficient management and deployment. In effect, it amplifies the benefits of microservices architecture.

Kubernetes works for all cloud vendors: Public, private, hybrid and on-premise, and can be used on the top of Amazon EC2 instances, Google Compute instances, or even on-premises. A variety of cloud services allow Kubernetes to be deployed and it works with a range of container runtime tools, including Docker.

Key terms used in Kubernetes

A Kubernetes cluster consists of:

  • Control plane: This is the primary point of contact for users or administrators, and where task assignments originate. It makes global decisions that control the worker nodes and pods within the cluster, as well as detecting and responding to cluster events. It executes across multiple nodes in production environments to offer fault-tolerance and high availability.
  • Nodes: These are responsible for accepting and running containerized applications as assigned by the control plane. Every cluster has one or more worker nodes that maintain running pods.
  • Pods: The most basic unit of deployment and addressability. A pod can represent one or more containers, which is controlled as a single application, with its own IP address. These are the components of the application workload hosted by a single node.

GL_MDR_ToFu _Blog_Pg_Consultation_MDR_ClousSec

Why choose Kubernetes?

Applications encompassing multiple containers across several hosts cannot be efficiently managed by container APIs. Moreover, these containers are incapable of auto-scaling as the load increases.

This is where Kubernetes comes in handy. It takes charge of scaling, failover, and has an in-built logging and monitoring tool.

Kubernetes allows you to:

• Synchronize containers across multiple hosts.
• Optimize the hardware resources needed to run enterprise apps.
• Automate and manage application deployments and updates efficiently
• Increase the storage required to run stateful apps.
• Scale the resources of containerized applications on the go.
• Manage services to make sure that applications deployed are functioning as intended.
• Auto-place, auto-restart, auto-replicate, and auto-scale, ensuring health-check and self-healing       of applications. This allows you to take effective steps towards better IT security.
• Balance load by detecting and consequently deactivating unhealthy pods.
• Control a cluster effectively with user-friendly dashboards.

Owing to its vast tooling ecosystem and ability to address complex use cases, Kubernetes can be confused with a traditional Platform-as-a-Service (PaaS).

Kubernetes, as compared to PaaS:

• Has no limitations in supporting different types of applications. It can support stateful, stateless,     and data-processing workloads, for example.
• Does not require a dependency handling framework.
• Has no specifications regarding the configuration languages or systems and programming                languages to be used for coding applications.
• Does not deploy source code nor build applications, although it can be used to construct CI/CD       pipelines as determined by organizational requirements.

Unlike PaaS, Kubernetes is not monolithic. It preserves user choice and flexibility where it matters the most.

What are the security challenges associated with Kubernetes?

Kubernetes provides many business benefits, as stated above. However, it can also introduce several security challenges. The dynamic nature of containers requires effective handling of sensitive information and can make them vulnerable to attacks or exploitation by third parties. Kubernetes security challenges include:

• Container compromise: If the application is vulnerable or improperly configured, it could enable     the attacker to penetrate the containers and search for weaknesses in the network, process               controls, or file systems.
• Amplification: Once a container is compromised, it can attempt to connect with other pods that       are functioning on the same or different hosts and initiate an attack.
• Data theft: Misconfigured pods can be vulnerable to data theft. For example, by installing a                 reverse shell in a pod and forcing it to connect to a command/control server.
• Increased attack surface: If default configurations are used, the attack surface could be                         increased.  The Role-based access control (RBAC) that determines the actions allowed for the           users need to be set properly. Resource quotas must be efficiently implemented to avoid denial        of service.

To avoid these security threats, it is essential to protect business critical applications with runtime Kubernetes security automation.

The future of Kubernetes

Kubernetes has gained popularity in a short space of time and is being recognized as an essential in the electrical grids and urban plumbing industries. Kube-flow has been employed as a way to associate Kubernetes with edge computing and machine learning. With improved solutions and extensions, Kubernetes might bring about a drastic change to many industries.

Conclusion

Kubernetes marks a breakthrough in the world of modern software development. It is an efficient and highly scalable platform for managing containerized workloads that amplifies the benefits of microservices architecture. Although it comes with its risks, we will likely see an increased effort in security and development in the coming years.

Look out for an upcoming blog on the security loopholes in Kubernetes.

 

A few known vulnerabilities list: CVE-2018-1002105-Kubernetes privilege escalation and access to sensitive information

 

Authors: Umang Shakya K, Raksha Rao B, and Pooja Patil

 

GL_MDR_ToFu _Blog_Pg_Consultation_MDR_ClousSec


About

Paladion