Securing Your Kubernetes Pipeline
Kubernetes has to be safe from end to end, from application security itself to continuous monitoring after deployment.
Several elements are crucial to an effective and efficient CI/CD workflow. A cloud-native app designed to take advantage of containers and other cloud-native features is certainly one of those elements. A capable cloud infrastructure with containers configured for maximum performance is another. To complete the set, you need cloud-native tools to manage the CI/CD workflow from start to deployment.
Setting up these basic elements is easy. You can turn to AWS, for example, and its cloud services to create a robust cloud environment that integrates well with your CI/CD pipeline. You can also optimize Kubernetes and pods within a containerized framework to streamline deployment and updates.
The real challenge is tracking changes made to the app from start to finish. An unsecured line of code or a bad deployment method can jeopardize the entire CI/CD pipeline. This concern isn’t to be taken lightly either because Kubernetes doesn’t offer full security management by nature. This is something you have to do yourself.
So, what is the best way to secure your Kubernetes pipeline? Let’s find out.
Secure Application Delivery
Automation is the answer to this challenge. It is nearly impossible to track changes manually, so you have to automate some parts of the process for maximum efficiency. This is done by integrating security compliance into the development and deployment processes. To be able to take this step, however, you have to define clear security and compliance policies first.
Integrating security and compliance as early in the pipeline as possible is also highly recommended. This means securing not just the app or code, but also the CI/CD pipeline itself. Fortunately, there are several ways to achieve this.
You can, for instance, use the IaC approach to create a standardized deployment stack. Since infrastructure is baked into the deployment package, it is much easier to make sure that a consistent cloud infrastructure is maintained.
Another approach is adding (and enforcing) security policies, which we will get to shortly. Using tools like Kritis, Ops can enforce security policies at a much earlier stage in the development process. The policies govern how new updates and microservices are deployed.
Whichever method you choose to use, you want to integrate it in the early stages of the CI/CD pipeline. This way, security issues can be caught early, and proper fixes can be introduced into the pipeline at a much faster rate. That’s how you create a more secure pipeline while preventing security from becoming a bottleneck.
Active Scanning of Code and Containers
As mentioned before, there are several tools you can use to create a secure Kubernetes pipeline. It’s important to perform image scanning with open source image scanning tools, both in private repositories and as part of a CI/CD pipeline validation step. When integrating code scanning, you can start by managing artifact metadata using Grafeas. Metadata attached to each CI/CD task allows for more comprehensive tracking of the process. Grafeas is also a universal tool, so the metadata it generates can be consumed by other tools.
Grafeas maintains the integrity of metadata in a secure way. Once access control is defined, you don’t have to worry about metadata being incorrectly changed by unauthorized parties. That level of integrity makes the metadata generated by Grafeas useful for other purposes too, including for debugging errors.
It is also important to point out that the metadata generated by Grafeas is a step in the right direction for complying with security standards like HIPAA. Since every part of the development and deployment process is logged, there is always a chain of evidence maintained by a highly reliable tool along the Kubernetes pipeline.
Scanning for code dependencies and security risks becomes easy with the metadata created and maintained. You can deploy Clair for monitoring purposes. At the same time, cloud service providers like Amazon also have their own scanning tools. AWS CodePipeline, for instance, automatically scans containers for known vulnerabilities.
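To make the policy enforcement described under Kritis and the Grafeas vulnerability metadata above concrete, here is an added example (not Kritis' or Grafeas' own code) of a pre-deployment admission check: it reads Grafeas-style vulnerability occurrences for an image and admits it only if the image is pinned by digest and every non-allowlisted CVE is at or below the policy's maximum severity. The occurrence dicts, policy fields and CVE identifiers are constructed placeholders in the shape of the Grafeas v1 Occurrence resource.

```python
# Added example: a Kritis-style admission check over Grafeas vulnerability
# occurrences. Not Kritis' or Grafeas' own code; the occurrences and policy
# below are constructed samples in the shape of the Grafeas v1 Occurrence.
from __future__ import annotations

SEVERITY_RANK = {"MINIMAL": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed policy: same idea as a Kritis ImageSecurityPolicy, expressed as
# a plain dict so the example does not depend on exact CRD field names.
POLICY = {
    "maximum_severity": "MEDIUM",           # anything above this blocks admission
    "allowlisted_cves": {"CVE-0000-0001"},  # accepted risk (placeholder ID)
    "require_digest": True,                 # refuse mutable tags like :latest
}

IMAGE_A = "registry.example/app@sha256:" + "a" * 64  # constructed digests
IMAGE_B = "registry.example/app@sha256:" + "b" * 64

# Constructed occurrences, as a scanner such as Clair would record via Grafeas.
OCCURRENCES = [
    {"resourceUri": "https://" + IMAGE_A, "kind": "VULNERABILITY",
     "noteName": "projects/vulnz/notes/CVE-0000-0001",
     "vulnerability": {"severity": "HIGH"}},
    {"resourceUri": "https://" + IMAGE_A, "kind": "VULNERABILITY",
     "noteName": "projects/vulnz/notes/CVE-0000-0002",
     "vulnerability": {"severity": "LOW"}},
    {"resourceUri": "https://" + IMAGE_B, "kind": "VULNERABILITY",
     "noteName": "projects/vulnz/notes/CVE-0000-0003",
     "vulnerability": {"severity": "CRITICAL"}},
]


def evaluate_image(image_ref: str, occurrences: list[dict], policy: dict) -> tuple[bool, list[str]]:
    """Return (admit, reasons); empty reasons means the image may be deployed."""
    reasons: list[str] = []
    # A tag can be re-pointed after scanning; only a digest ties results to content.
    if policy["require_digest"] and "@sha256:" not in image_ref:
        reasons.append(f"{image_ref}: not pinned by digest, scan results cannot be tied to it")
    max_rank = SEVERITY_RANK[policy["maximum_severity"]]
    for occ in occurrences:
        # Skip metadata about other images or of other kinds (build, attestation, ...).
        if occ.get("kind") != "VULNERABILITY" or occ["resourceUri"] != "https://" + image_ref:
            continue
        cve = occ["noteName"].rsplit("/", 1)[-1]
        severity = occ["vulnerability"].get("severity", "CRITICAL")  # unknown: worst case
        if cve in policy["allowlisted_cves"]:
            continue
        if SEVERITY_RANK.get(severity, 4) > max_rank:
            reasons.append(f"{cve} is {severity}, above allowed {policy['maximum_severity']}")
    return (not reasons, reasons)
```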
You can then combine AWS CodePipeline with ECS and ECR to create a robust pipeline altogether. You can even go a step further and integrate Amazon CloudWatch and IAM permissions to further lock the Kubernetes pipeline down.
Monitoring and Testing
With the metadata attached to each task that travels along the CI/CD pipeline, the next part of the process is using that metadata for monitoring purposes. CircleCI, another popular tool for creating a safe cloud environment and securing CI/CD workflows, has a number of testing tools that further automate the process.
CircleCI integrates well with GitHub and Bitbucket. It can automatically pull new code whenever it is committed to your repo. Once the code is scanned for potential vulnerabilities, automatic tests are run against it in a predetermined environment. Yes, it is fully automated: CircleCI creates and maintains the container that is used for testing.
There is an interactive dashboard and push notifications, allowing for test results to be integrated back into the CI/CD workflow. When vulnerabilities are detected, the entire DevOps team can immediately focus on addressing the issues and restarting the testing process.
CircleCI excels in another department: automatic deployment. Once iterations pass the rigorous testing cycles, they get deployed to the production server immediately. Many DevOps experts believe that this automation—from testing to deployment—is what makes this tool so useful. Rather than being a bottleneck, security tests—and security as a whole—are an integrated part of the process.
When you have a secure Kubernetes (or CI/CD) pipeline, you are actively mitigating more risks earlier in the process. Rather than waiting until something fails or a catastrophic error appears, the integration of security allows for a smoother, more effective CI/CD workflow.
Published at DZone with permission of Agustin Romano. See the original article here.