Kubernetes security continues to be one of the biggest concerns for organizations adopting the technology. Security teams are still learning Kubernetes while DevOps and developers are learning the configurations needed to cover the basics. Platform engineers and DevOps play an important role because Kubernetes security depends on solid configuration. According to the 2022 Red Hat State of Kubernetes Security report, 43% of respondents consider "DevOps" the role most responsible for Kubernetes security. No matter what cybersecurity technology is deployed to defend against threats, if engineers do not configure containers properly those threats become dangerous.
At the same time, cost is a huge concern for any organization using the cloud, and the bigger the workloads, the more Kubernetes cost avoidance matters alongside security. The idea behind cost avoidance, according to the FinOps Foundation, is to reduce usage and optimize costs to get a better cloud rate. The Foundation notes that "most of the actions required for cost avoidance are engineer dependent. If engineers aren't receptive to FinOps initiatives aimed at cost avoidance, then nothing happens." Again, engineers play the central role.
Organizations want to increase value (profit), lower cost and reduce risk. Platform engineering teams (or DevOps) using Kubernetes play an important role in all three:
Increase value (profit) by shipping applications faster, because development teams have a faster lifecycle (i.e. new features reach the market sooner).
Lower cost by optimizing cloud usage.
Reduce risk by implementing the security features that Kubernetes makes available.
Core to achieving all of these benefits is that the platform engineering team must configure Kubernetes with security and cost in mind. This is feasible for teams running one to three small clusters, but as the Kubernetes environment grows, managing more people, enabling developers to self-service and maintaining standards becomes hard. As organizations expand their use of Kubernetes, platform engineers must shift from being the "doers" to being the "enablers" who help downstream development teams deploy quickly, but with security and cost in mind.
Writing a policy down and declaring it "must follow" is the easy part. Making it easy to know how to configure for security and how to optimize for cost is harder. Making sure every person knows the standards is harder still. And making sure the standards are actually followed is the hardest part. That is where Kubernetes governance becomes essential: without it there is no cost optimization, no security and no increased value.
The challenge for larger organizations is that one team, usually platform engineering, sets up Kubernetes. The security team is then brought in to secure "the thing," and the finance team asks "how much cloud is being consumed?" Both security and finance turn to the platform engineering team, which often lacks the visibility to see what is happening across the entire platform.
Point-in-time audits help, but they are resource intensive and do not guarantee that problems found are actually fixed.
Kubernetes governance platforms offer an answer to all three stakeholders: engineering, security and finance. A Kubernetes governance platform implements policy-as-code to enforce guardrails around security, cost avoidance and reliability. Examples of real-world policies include:
Ensuring workloads are never deployed to run as a privileged (root) user, which enforces defense in depth.
Alerting developers when their CPU and memory requests are more than 30% above what the workload is actually using, which avoids wasted cost.
Preventing containers with known critical vulnerabilities from being deployed, which reduces risk.
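To make the three example policies concrete, here is an added example (not code from the original post, nor from any governance product it describes) that evaluates them in plain Python against a constructed Pod manifest, constructed usage metrics and constructed image scan results. The input shapes for usage and scan data (SAMPLE_USAGE, SAMPLE_SCAN) and the 30% threshold are assumptions; a real policy engine such as OPA would express the same checks in Rego against admission requests.

```python
"""Toy policy-as-code checker for three Kubernetes guardrails (added example)."""
from typing import Dict, List

OVERPROVISION_THRESHOLD = 0.30  # flag requests more than 30% above observed usage

# Constructed sample Pod manifest (not taken from any real cluster).
SAMPLE_POD = {
    "metadata": {"name": "billing-api", "namespace": "payments"},
    "spec": {
        "securityContext": {},  # no pod-level runAsNonRoot / runAsUser
        "containers": [
            {
                "name": "api",
                "image": "registry.example.com/billing-api:1.4.2",
                "securityContext": {"privileged": True},
                "resources": {"requests": {"cpu": "1000m", "memory": "2Gi"}},
            },
            {
                "name": "sidecar",
                "image": "registry.example.com/log-shipper:0.9.0",
                "securityContext": {"runAsNonRoot": True},
                "resources": {"requests": {"cpu": "100m", "memory": "128Mi"}},
            },
        ],
    },
}

# Constructed per-container observed usage; the shape is an assumption.
SAMPLE_USAGE = {
    "api": {"cpu_m": 400, "memory_bytes": 900 * 1024 ** 2},
    "sidecar": {"cpu_m": 90, "memory_bytes": 120 * 1024 ** 2},
}

# Constructed image scan output (severities per image); the shape is an assumption.
SAMPLE_SCAN = {
    "registry.example.com/billing-api:1.4.2": ["CRITICAL", "HIGH"],
    "registry.example.com/log-shipper:0.9.0": ["MEDIUM"],
}


def parse_cpu_millicores(value: str) -> int:
    """Kubernetes CPU quantity -> millicores ('500m' -> 500, '2' -> 2000)."""
    if value.endswith("m"):
        return int(value[:-1])
    return int(float(value) * 1000)


def parse_memory_bytes(value: str) -> int:
    """Kubernetes memory quantity -> bytes (binary suffixes checked before decimal)."""
    units = {"Ki": 1024, "Mi": 1024 ** 2, "Gi": 1024 ** 3,
             "K": 1000, "M": 1000 ** 2, "G": 1000 ** 3}
    for suffix, mult in units.items():
        if value.endswith(suffix):
            return int(float(value[: -len(suffix)]) * mult)
    return int(value)


def check_privileged(pod: Dict) -> List[str]:
    """Policy 1: no privileged containers and nothing that may run as root."""
    findings = []
    pod_sc = pod["spec"].get("securityContext", {})
    for c in pod["spec"]["containers"]:
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            findings.append(f"{c['name']}: privileged container")
        # container-level settings override pod-level ones
        non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False))
        uid = sc.get("runAsUser", pod_sc.get("runAsUser"))
        if uid == 0 or (not non_root and uid is None):
            findings.append(f"{c['name']}: may run as root (set runAsNonRoot or a non-zero runAsUser)")
    return findings


def check_overprovisioned(pod: Dict, usage: Dict) -> List[str]:
    """Policy 2: requests more than 30% above observed usage waste money."""
    findings = []
    for c in pod["spec"]["containers"]:
        req = c.get("resources", {}).get("requests", {})
        used = usage.get(c["name"])
        if not used:
            continue  # no metrics yet; cannot judge
        if "cpu" in req and parse_cpu_millicores(req["cpu"]) > used["cpu_m"] * (1 + OVERPROVISION_THRESHOLD):
            findings.append(f"{c['name']}: cpu request {req['cpu']} vs usage {used['cpu_m']}m")
        if "memory" in req and parse_memory_bytes(req["memory"]) > used["memory_bytes"] * (1 + OVERPROVISION_THRESHOLD):
            findings.append(f"{c['name']}: memory request {req['memory']} vs usage {used['memory_bytes']} bytes")
    return findings


def check_vulnerabilities(pod: Dict, scan: Dict) -> List[str]:
    """Policy 3: block images with known CRITICAL findings."""
    return [f"{c['name']}: image {c['image']} has CRITICAL vulnerabilities"
            for c in pod["spec"]["containers"] if "CRITICAL" in scan.get(c["image"], [])]


def evaluate(pod: Dict, usage: Dict, scan: Dict) -> Dict[str, List[str]]:
    """Run all guardrails; an admission controller would deny on any 'security' or 'vulnerability' finding."""
    return {
        "security": check_privileged(pod),
        "cost": check_overprovisioned(pod, usage),
        "vulnerability": check_vulnerabilities(pod, scan),
    }


if __name__ == "__main__":
    for category, items in evaluate(SAMPLE_POD, SAMPLE_USAGE, SAMPLE_SCAN).items():
        print(category, items)
```

Run it as-is to see the constructed "api" container trip all three guardrails while the "sidecar" passes. The design point is that the same manifest data feeds a security check, a cost check and a vulnerability check, which is why the post argues the three concerns belong in one policy engine rather than three point products.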
This arms developers with the tools they need to meet requirements across the business, from deploying workloads securely to optimizing cloud spend and achieving compliance.
When evaluating solutions for Kubernetes security, cost or policy enforcement, it is important for the security, finance and engineering teams not to look only at a standalone point product. Security, cost and policy go hand in hand. With the right solution, users can give developers the tools they need in the way they want to work, without significant time spent on integration and management.
Here is a short checklist to consider when choosing a cloud governance and policy solution for Kubernetes:
Kubernetes cost optimization
Workload/node/cluster cost allocation
Advice on CPU and memory settings
Resource recommendations
Track spend over time
AWS billing integration
Kubernetes guardrails
Policy library
K8s policy-as-code automation (write once, deploy everywhere)
Custom policies via Open Policy Agent (OPA)
Multi-cluster visibility into compliance
CIS benchmark
Compliance self-assessment for SOC 2
Compliance recommendations
Shift-left Kubernetes security
Infrastructure-as-code scanning
Container vulnerability scanning
Runtime monitoring
Auto-scan infrastructure-as-code to support GitOps
Role-based access control
Third-party image upgrade recommendations
Falco support
Vulnerability explorer
Service ownership
Enable developers with detailed remediation advice
Automate alerts, ticketing and workflows
Built-in configuration best practices