The New Stack Context: Operators Can Be a Security Hazard

Spread the love

A few years back, Kubernetes was in full development and many of its basic concepts were still evolving, so security was not a huge priority. But as K8s deployments have moved into production, more attention is being focused in securing Kubernetes and its workloads. Gadi Naor has been following Kubernetes security from the start. Alcide, the company Naor founded and now serves as CTO, offers an end-to-end Kubernetes security platform.
For this week’s episode of The New Stack Context podcast, we speak with Naor about a variety of Kubernetes security-related topics. Last week, Naor hosted a Kubernetes security webinar for the Cloud Native Computing Foundation, which in addition to offering many helpful hints, discussed in detail the spate of recent vulnerabilities found in Kubernetes. And for The New Stack, he wrote about the problem of configuration drift in Kubernetes, and why it can’t be solved simply through continuous integration tools.
TNS editorial and marketing director Libby Clark hosted this episode, alongside TNS senior editor Richard MacManus, and TNS managing editor Joab Jackson.

The New Stack: Context · Episode 128: Operators Can Be a Security Hazard
Subscribe: SoundCloud RSS | Soundcloud | | Pocket Casts | Stitcher | Apple Podcasts | Overcast | Spotify | TuneIn | Castro
One of the most surprising parts of the conversation was when Naor had explained his worries about operators, a framework increasingly used to manage complex applications on Kubernetes:
If someone is basically building an operator to deploy a single instance of an application, that’s a wrong use for an operator. You would be way better using Helm charts or customized resources and push stuff to a cluster. Operators run normally as extremely privileged components, from an audit perspective, which means they become a weak link inside your cluster. I try to scan it in [continuous integration] but it means nothing to all the tools because it’s very vendor-specific, irresponsibly-vendor specific. You end up running with something that actually weakens your Kubernetes security posture. So at the end of the day, it makes a lot of sense to create an operator [for Prometheus] because it automates a lot of the wiring of your monitoring systems. And it does that very elegantly. But you have security vendors, which I will not name, that use the operator to deploy a single instance, and is abusing this notion [of an operator].
Other topics discussed include:

The growing time it takes to disclose new vulnerabilities.
Vulnerabilities in the control plane versus those on the node.
Vulnerability management in self-managed Kubernetes vs. managed Kubernetes.
Why Kubernetes Operators are a security risk.
 Configuration drift in Kubernetes.
The importance of continuous delivery for Kubernetes security.
Why a managed platform may catch a security error that most roll-your-own distributions would miss.
The motivation for starting Alcide.

Then, later in the show, we take a look at some of The New Stack‘s top posts from the week:

New Kubernetes EBook! Learn the Latest in Kubernetes Deployments and Trends
How AI Observability Cuts Down Kubernetes Complexity
Google’s Management of Istio Raises Questions in the Cloud Native Community
Alex Williams’ Op-Ed: Kubernetes May Be Google’s Last Great Open Project
This Week in Programming: Clearing up any Confusion around Kubernetes Operators.

At this time, The New Stack does not allow comments directly on this website. We invite all readers who wish to discuss a story to visit us on Twitter or Facebook. We also welcome your news tips and feedback via email: [email protected]
The post The New Stack Context: Operators Can Be a Security Hazard appeared first on The New Stack.

X ITM Cloud News


Leave a Reply

Next Post

Clusterapi love for proxmox

Fri Jul 31 , 2020
Spread the love          Anyone got any recommendations for a good kops alternative for the proxmox fanclub? Everything seems just for cloud providers and would love to get a full gitops based homelab. My current hack job is the proxmox tf provider however this can’t handle os patches or dynamic scaling. Thoughts? […]

Cloud Computing – Consultancy – Development – Hosting – APIs – Legacy Systems

X-ITM Technology helps our customers across the entire enterprise technology stack with differentiated industry solutions. We modernize IT, optimize data architectures, and make everything secure, scalable and orchestrated across public, private and hybrid clouds.

This image has an empty alt attribute; its file name is x-itmdc.jpg

The enterprise technology stack includes ITO; Cloud and Security Services; Applications and Industry IP; Data, Analytics and Engineering Services; and Advisory.

Watch an animation of  X-ITM‘s Enterprise Technology Stack

We combine years of experience running mission-critical systems with the latest digital innovations to deliver better business outcomes and new levels of performance, competitiveness and experiences for our customers and their stakeholders.

X-ITM invests in three key drivers of growth: People, Customers and Operational Execution.

The company’s global scale, talent and innovation platforms serve 6,000 private and public-sector clients in 70 countries.

X-ITM’s extensive partner network helps drive collaboration and leverage technology independence. The company has established more than 200 industry-leading global Partner Network relationships, including 15 strategic partners: Amazon Web Services, AT&T, Dell Technologies, Google Cloud, HCL, HP, HPE, IBM, Micro Focus, Microsoft, Oracle, PwC, SAP, ServiceNow and VMware