Securing Your Kubernetes Pipeline

Kubernetes has to be safe from end to end, from application security itself to continuous monitoring after deployment.

by Agustin Romano · Sep. 05, 19 · Opinion

Security, from end to end

Several elements are crucial to an effective and efficient CI/CD workflow. A cloud-native app designed to take advantage of containers and other cloud-native features is certainly one of those elements. A capable cloud infrastructure with containers configured for maximum performance is another. To complete the set, you need cloud-native tools to manage the CI/CD workflow from start to deployment.

Setting up these basic elements is easy. You can turn to AWS, for example, and its cloud services to create a robust cloud environment that integrates well with your CI/CD pipeline. You can also optimize Kubernetes and pods within a containerized framework to streamline deployment and updates.

The real challenge is tracking changes made to the app from start to finish. An unsecured line of code or a bad deployment method can jeopardize the entire CI/CD pipeline. This concern isn’t to be taken lightly either because Kubernetes doesn’t offer full security management by nature. This is something you have to do yourself.

So, what is the best way to secure your Kubernetes pipeline? Let’s find out.

Secure Application Delivery

Automation is the answer to this challenge. It is nearly impossible to track changes manually, so you have to automate some parts of the process for maximum efficiency. This is done by integrating security compliance into the development and deployment processes. To be able to take this step, however, you have to define clear security and compliance policies first.

Integrating security and compliance as early in the pipeline as possible is also highly recommended. This means securing not just the app or its code, but also the CI/CD pipeline itself. Fortunately, there are several ways to achieve this.

You can, for instance, use the IaC approach to create a standardized deployment stack. Since infrastructure is baked into the deployment package, it is much easier to make sure that a consistent cloud infrastructure is maintained.

Another approach is adding (and enforcing) security policies, which we will get to in a second. Using tools like Kritis, Ops can enforce security policies at a much earlier stage in the development process. The policies govern how new updates and microservices are deployed.

Whichever method you choose to use, you want to integrate it in the early stages of the CI/CD pipeline. This way, security issues can be caught early, and proper fixes can be introduced into the pipeline at a much faster rate. That’s how you create a more secure pipeline while preventing security from becoming a bottleneck.

Active Scanning of Codes and Containers

As mentioned before, there are several tools to use if you want to create a secure Kubernetes pipeline. It is important to perform image scanning with open source image scanning tools, both in private repositories and as a validation step in the CI/CD pipeline. When integrating code scanning, you can start by managing artifact metadata using Grafeas. Metadata attached to each CI/CD task allows for more comprehensive tracking of the process. Grafeas is also tool-agnostic, so the metadata it generates can be consumed by other tools.

Grafeas maintains the integrity of metadata in a secure way. Once access control is defined, you don’t have to worry about metadata being incorrectly changed by unauthorized parties. That level of integrity makes the metadata generated by Grafeas useful for other purposes too, including for debugging errors.

It is also important to point out that the metadata generated by Grafeas is a step in the right direction for complying with security standards like HIPAA. Since every part of the development and deployment process is logged, a chain of evidence is maintained by a highly reliable tool along the entire Kubernetes pipeline.

Scanning for code dependencies and security risks becomes easy with the metadata created and maintained. You can deploy Clair for monitoring purposes. At the same time, cloud service providers like Amazon also have their own scanning tools. AWS CodePipeline, for instance, automatically scans containers for known vulnerabilities.
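As an added illustration of the deploy-time gate described above (a Kritis-style policy evaluated against Grafeas-style artifact metadata), the following Python is example code written for this page, not Kritis's or Grafeas's own; the record layout, the image digests and the CVE ids are constructed placeholders. It also shows two checks a practitioner would want at this gate: refusing images that are not pinned by digest, and failing closed when no scan metadata exists for an image.

```python
from dataclasses import dataclass

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

@dataclass(frozen=True)
class VulnOccurrence:
    """One scanner finding attached to an image digest (constructed shape,
    modelled on a Grafeas vulnerability occurrence, not Grafeas's API)."""
    cve: str
    severity: str

@dataclass(frozen=True)
class ImageSecurityPolicy:
    """Kritis-style policy: what a scanned image may carry and still deploy."""
    maximum_severity: str                      # findings above this block deploy
    allowlist_cves: frozenset = frozenset()    # accepted-risk ids that never block
    allowlist_images: frozenset = frozenset()  # images exempt from the check

def evaluate(image: str, metadata: dict, policy: ImageSecurityPolicy):
    """Return (allowed, reasons) for admitting `image`. `metadata` maps image
    digests to their VulnOccurrence lists; an image with no entry was never
    scanned and is denied, so the gate fails closed rather than open."""
    if image in policy.allowlist_images:
        return True, []
    if "@sha256:" not in image:
        # A tag is mutable, so metadata recorded against it says nothing about
        # the bytes that will actually run; only digest-pinned refs are checked.
        return False, ["image must be referenced by digest, not by tag"]
    if image not in metadata:
        return False, ["no scan metadata recorded for this image"]
    limit = SEVERITY_RANK[policy.maximum_severity]
    reasons = [
        f"{occ.cve} ({occ.severity}) exceeds {policy.maximum_severity}"
        for occ in metadata[image]
        if occ.cve not in policy.allowlist_cves
        and SEVERITY_RANK[occ.severity] > limit
    ]
    return not reasons, reasons

# Constructed sample metadata: placeholder digests and CVE ids, not real findings.
IMAGE_A = "registry.example/app@sha256:" + "a" * 64
IMAGE_B = "registry.example/app@sha256:" + "b" * 64
SAMPLE_METADATA = {
    IMAGE_A: [VulnOccurrence("CVE-0000-0001", "MEDIUM"),
              VulnOccurrence("CVE-0000-0002", "CRITICAL")],
    IMAGE_B: [VulnOccurrence("CVE-0000-0001", "MEDIUM")],
}
POLICY = ImageSecurityPolicy(maximum_severity="MEDIUM")
```

In a real pipeline the same decision would run inside an admission step, with the occurrences pulled from the metadata store rather than embedded inline.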

You can then combine AWS CodePipeline with ECS and ECR to create a robust pipeline altogether. You can even go a step further and integrate Amazon CloudWatch and IAM permissions to further lock the Kubernetes pipeline down.

Monitoring and Testing

With the metadata attached to each task that travels along the CI/CD pipeline, the next part of the process is using that metadata for monitoring purposes. CircleCI, another popular tool for creating a safe cloud environment and securing CI/CD workflows, has a number of testing tools that further automate the process.

CircleCI integrates well with GitHub and Bitbucket. It can automatically pull new code whenever it is committed to your repo. Once the code is scanned for potential vulnerabilities, automated tests are run against it in a predetermined environment. Yes, it is fully automated. CircleCI creates and maintains the container that is used for testing.

There is an interactive dashboard and push notifications, allowing for test results to be integrated back into the CI/CD workflow. When vulnerabilities are detected, the entire DevOps team can immediately focus on addressing the issues and restarting the testing process.

CircleCI excels in another department: automatic deployment. Once iterations pass the rigorous testing cycles, they get deployed to the production server immediately. Many DevOps experts believe that this automation—from testing to deployment—is what makes this tool so useful. Rather than being a bottleneck, security tests—and security as a whole—are an integrated part of the process.

When you have a secure Kubernetes (or CI/CD) pipeline, you are actively mitigating more risks earlier in the process. Rather than waiting until something fails or a catastrophic error appears, the integration of security allows for a smoother, more effective CI/CD workflow.

This post was originally published here.

Further Reading

Introduction to Kubernetes Security

Kubernetes Security Best Practices

Published at DZone with permission of Agustin Romano. See the original article here.
