Container Security

Kubernetes Security Features Improve with 1.7 Release

By Gary Duan

Kubernetes 1.7 was recently released. The highlights of the release include much improved security features. Here’s a summary from the Kubernetes blog:

At-a-glance, security enhancements in this release include encrypted secrets, network policy for pod-to-pod communication, node authorizer to limit kubelet access and client / server TLS certificate rotation.

Security is often cited as one of the top concerns of our customers when they deploy containerized applications in a production environment. The emphasis on security features in the Kubernetes release further validates that security is not an optional function or an afterthought – it is much more than a procedure or task in a CI/CD process. Security has to be a key consideration from the infrastructure planning stage to the run-time environment. We call this Continuous Container Security .

Kubernetes improved its security features for access control, secrets and certificates management and end-to-end encryption. From our point of view, these are the core security features which should be supported by the Kubernetes platform. Certain security layers work more smoothly and efficiently when they are integrated into the orchestration layer. The hardened platform provides a secure base for container users.

  • The Network Policy API is promoted to stable. Network policy, implemented through a network plug-in, allows users to set and enforce rules governing which pods can communicate with each other.
  • Node authorizer and admission control plugin are new additions that restrict kubelet’s access to secrets, pods and other objects based on its node.
  • Encryption for Secrets, and other resources in etcd, is now available as alpha.
  • Kubelet TLS bootstrapping now supports client and server certificate rotation.
  • Audit logs stored by the API server are now more customizable and extensible with support for event filtering and webhooks. They also provide richer data for system audit.
    Source: Kubernetes blog

The Network Policy function is now stable in Kubernetes 1.7, providing basic segmentation capabilities. It was created based on the assumption that communication between applications can be clearly defined and pre-arranged. However, in our experience with enterprise customers, the real-world environment is much more dynamic. When applications get more complex, coordinating among different teams to create a golden set of policies between services is a huge effort which is prone to errors.

This is why we implement a behavioral learning based system which automates policies at run-time. Users can review the baseline at run-time and make any adjustments needed. This can be done in a staging environment and the policies can be populated seamlessly to the production environment.

Even more importantly, modern applications have become so sophisticated and dynamic that defining policies using IP and Port has become obsolete.  Consider how many applications are being created using the HTTP protocol, especially with the move to a microservices architecture. The need for recognizing and segmenting applications based on ‘layer 7’ protocol inspection is critical for accurately and efficiently securing container deployments.  

Network Policy today only allows users to write ingress policies. It is lacking support for defining egress policies. Most enterprise applications also require security policies between containers and legacy services running on non-containerized VM and bare-metal servers.

NeuVector’s flexible policy engine bridges the gap. It provides a smooth path for users to migrate their applications to a cloud-native environment. It also provides an interface for reading policies into NeuVector and enforcing NeuVector policies. Together, Kubernetes Network Policy and NeuVector can provide a powerful, automated security platform.

As we have always stated, container security and security in general requires a layered approach. The recent security improvements in Kubernetes 1.7, as well as in Docker EE, all help to reduce the attack surface for container deployments. The NeuVector solution adds a critical security layer on top of these base platforms so enterprise users have the network visibility and application layer security needed for this dynamic environment.


About the Author: Gary Duan

Gary is the Co-Founder and CTO of NeuVector. He has over 15 years of experience in networking, security, cloud, and data center software. He was the architect of Fortinet’s award winning DPI product and has managed development teams at Fortinet, Cisco and Altigen. His technology expertise includes IDS/IPS, OpenStack, NSX and orchestration systems. He holds several patents in security and data center technology.

About the Author

NeuVector delivers an application-aware container network security solution. The NeuVector containers deploy easily in minutes and discover running services and applications. A security policy is automatically created and updated when containers launch, scale up or scale down. NeuVector detects container threats, violations, and vulnerabilities.