DEV Community

Jan Schulte for Outshift By Cisco


Exploring Managed Kubernetes and the Integration of CNAPP

As a cloud-native app developer, you likely use Kubernetes to help you orchestrate and operate many moving pieces. To deploy, you might also use a managed Kubernetes environment from a cloud provider. The conveniences of managed Kubernetes are numerous. But so are the accompanying security challenges.

The complexity of many Kubernetes resources—such as networks, VMs, and pods—is abstracted away, obscuring many security vulnerabilities across a vast attack surface. What does this mean for you? You’ll need a solution to help address the multiple security concerns that you might not be equipped to handle on your own.

That’s why we’re looking at the Cloud-Native Application Protection Platform (CNAPP). It’s an all-in-one tool that can holistically address the security challenges of a managed Kubernetes infrastructure. With it, you can protect your cloud infrastructure, dedicated VMs, serverless, and Kubernetes applications.

Let’s start with the basics.

What Is Managed Kubernetes?

Kubernetes orchestrates your application containers. You can use Kubernetes to deploy bespoke infrastructure to an environment, and it will help your application scale vertically and horizontally.

Most major cloud providers offer a managed Kubernetes solution. In this approach, you offload a sizable portion of the operational complexity to the cloud provider, which runs the control plane for you. For many software devs, this also makes sense from a security perspective—you can offload security concerns and get best practices by default (such as keeping the control plane up to date and allowing it to scale appropriately).

Some examples of managed Kubernetes offerings include:

However, just because you can offload some of your security concerns to your managed Kubernetes provider, this doesn’t mean all your security problems are solved. Let’s remember that, in a managed Kubernetes cluster, security is critical:

  • Clusters can be accessible from the internet via a public-facing ingress.

  • Clusters can run sensitive workloads, handling financial transactions or processing customer information.

  • Even in a managed offering, Kubernetes has multiple attack vectors (such as networking, compute, and the Kubernetes API layer).

A CNAPP can mitigate the additional security concerns. Just as control plane management may be better left to the experts (the cloud provider), the CNAPP takes on the role of expert security engineers.

What a CNAPP Offers Software Developers

There are many things that a CNAPP brings to the table, so let’s highlight its important functions, especially as they relate to developers using managed Kubernetes.

Single source of truth

Tool sprawl is a thorn in the side of most DevOps teams. When you build up an overflowing box of tools—one to handle this job, one to handle that job, and many that partially overlap in function—frustration abounds.

Using multiple security tools forces engineers to reconcile information across systems. This adds to their mental load and slows down productivity. On top of this, tool sprawl can lead to security gaps. With so many tools in its toolbox, a team might mistakenly assume that surely one of those tools has security challenge X covered. But what if their assumption is wrong?

A CNAPP offers teams a reliable, single platform to handle the security of their entire Kubernetes cluster. The CNAPP can help them identify threats, elevating the most relevant or pressing risks to the top so that teams don’t drown in noise. One platform, which bundles many security tools together in a unified offering with a single UI, can bring clarity to your managed Kubernetes security.

Automated compliance controls

For many organizations, maintaining compliance is crucial. There are lots of reasons why:

  • To avoid financial penalties or damaged business reputation for mishandling data

  • To win or retain contracts with government agencies or similarly regulated industries

  • To demonstrate responsibility through accountability to customers or regulatory bodies

To validate their compliance, most organizations depend on reports and automated software checks, and a CNAPP can help them meet those benchmarks. Kubernetes Security Posture Management (KSPM) is a key offering from many CNAPPs, guiding which security controls will help reduce security risks. KSPM can also enforce policies or highlight vulnerabilities, giving your company the tools to comply.

How CNAPPs Help with Managed Kubernetes Challenges

The managed part of a managed Kubernetes cluster covers only the control plane and any additional plugins a cloud provider might offer. Cloud engineers must take responsibility for the remaining parts of the infrastructure. That’s how the shared responsibility model works. Identifying and visualizing security issues are not part of the managed offering—those responsibilities fall on the user.

As an example, let’s think about identity and access management (IAM). Even if you use a managed offering such as AWS EKS, you’re still responsible for properly configuring IAM roles and policies to secure access. IAM misconfigurations can be a huge headache for developers—especially those who aren’t accustomed to wearing the security professional hat.

What are some examples of IAM misconfigurations or poor practices?

  • Over-permissioning: A user or service is given more permission to access a resource than is necessary to perform their task. This violates the principle of least privilege. For example, consider a service that needs S3 bucket read access to verify the presence of certain files. Giving that service DeleteObject permissions would be over-permissioning.

  • Not using role-based access control (RBAC): Out of either expediency or ignorance, some developers may simply attach policies directly to an IAM user. Best practices would dictate the use of IAM roles instead, offering a more organized approach to access management while reducing the risk of unauthorized actions.

  • The dreaded Allow *: This is a specific case of over-permissioning that’s likely the result of expediency (or laziness). When crafting an IAM policy, the Allow effect is coupled with the * action, essentially saying, “Allow this person to do anything they want.” You would be surprised how many developers are guilty of having done this.

Among the many ways that a CNAPP will protect your cloud-native applications and environments, it bundles in Cloud Security Posture Management (CSPM) to monitor for and identify cloud misconfiguration vulnerabilities in your multi-cloud (and hybrid-cloud) environments. Your cloud-native application will be chock-full of security policies—as they should be. But are your policies properly written and configured?
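To make the IAM misconfigurations above concrete (and the kind of policy check a CSPM automates), here is an added example that is not part of the original post: a small linter for IAM policy JSON that flags the `Allow *` pattern, service-wide wildcards, and actions beyond what a workload needs, run over a constructed over-permissioned policy and its least-privilege counterpart. The bucket name, the `NEEDED` action set and the `lint_policy` function are assumptions made for this example.

```python
import json
from typing import Iterable

def _as_list(value) -> list:
    # In IAM JSON, Statement, Action and Resource may be a string/dict or a list.
    return value if isinstance(value, list) else [value]

def lint_policy(policy: dict, needed_actions: Iterable[str]) -> list[str]:
    """Return human-readable findings for one IAM policy document."""
    needed = set(needed_actions)
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements cannot grant excess permissions
        for action in _as_list(stmt.get("Action", [])):
            if action == "*":
                findings.append(f"stmt {i}: 'Allow *' grants every API action")
            elif action.endswith("*"):
                findings.append(f"stmt {i}: wildcard action {action}")
            elif action not in needed:
                findings.append(f"stmt {i}: {action} exceeds needed permissions")
        if "*" in _as_list(stmt.get("Resource", [])):
            findings.append(f"stmt {i}: applies to every resource ('*')")
    return findings

# Constructed sample: a service that only needs to check whether files exist.
NEEDED = {"s3:GetObject", "s3:ListBucket"}

OVER_PERMISSIONED = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow",
                 "Action": ["s3:GetObject", "s3:ListBucket", "s3:DeleteObject"],
                 "Resource": "arn:aws:s3:::example-bucket/*"}]
}""")

LEAST_PRIVILEGE = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow",
                 "Action": ["s3:GetObject", "s3:ListBucket"],
                 "Resource": ["arn:aws:s3:::example-bucket",
                              "arn:aws:s3:::example-bucket/*"]}]
}""")

if __name__ == "__main__":
    for name, doc in [("over-permissioned", OVER_PERMISSIONED),
                      ("least-privilege", LEAST_PRIVILEGE)]:
        print(name, lint_policy(doc, NEEDED) or ["no findings"])
```

The same check applied to a policy containing `"Action": "*"` reports the `Allow *` case directly, which is the finding a posture-management tool would raise first.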

In addition to IAM policy misconfigurations, a CNAPP with CSPM will detect:

  • Use of default cloud security settings, which are often insecure

  • Publicly exposed data storage buckets, containers, or assets

  • Data storage configurations without encryption in place

  • Authentication setups without MFA

  • … and more.

Bundle in Kubernetes Security Posture Management (KSPM), and your CNAPP will also detect Kubernetes cluster misconfigurations that could lead to additional security vulnerabilities and threats.

Securing Your Managed Kubernetes Setup with Panoptica

Panoptica’s CNAPP solution makes securing a managed Kubernetes cluster easy, offering:

  • Automatic security configuration for multi-cloud managed Kubernetes

  • Enforcement of the principle of least privilege

  • A single, centralized platform with a user-friendly interface

  • Rich visualizations with actionable guidance, reducing noise and eliminating alert fatigue

  • Attack path analysis and use of MITRE’s ATT&CK Framework for threat prioritization

Whether you run workloads within Azure, AWS, or GCP (or any other major cloud provider), Panoptica brings you easy, out-of-the-box support for all clusters. If supporting your customers entails running within multiple clouds, you can still enjoy centralized security with Panoptica.

When it comes to the security posture for a managed Kubernetes cluster, ensuring alignment across your teams can be challenging. Panoptica’s CNAPP allows you to enforce security best practices from one location. Installation is simple, using a single pod deployment (view the Helm chart).

Conclusion

Although managed Kubernetes reduces the amount of overhead needed to run a Kubernetes cluster within the cloud, it certainly doesn’t eliminate it. Part of what’s left for you to deal with is managing and securing the applications running within the cluster. Instead of cobbling together multiple, disparate tools to wrangle multiple security concerns, Panoptica provides automation and container security for developers and engineers alike.

If you’re interested in leveling up your managed Kubernetes security, sign up to use Panoptica for free, and explore how Panoptica’s CNAPP will make your cluster safer.
