Automation Security
• Image scanning — All the deployments should be controlled through an
automated CI/CD environment. At a high level, everything in Kubernetes
is deployed as a container image. When someone creates an application,
it ends up as a container image and gets added to the container registry.
The container image scanner needs to be part of the CI/CD pipeline.
When someone creates a container image, it needs to be continuously
scanned for vulnerabilities. You can do image whitelisting through an
admission controller in Kubernetes. If your application is using certain
images, those images need to be approved.
• Secret management — Your clusters also need to be integrated with a
secret management system, such as HashiCorp Vault. This ensures that
application pods automatically receive the passwords and secrets they
need at runtime, based on the AppRoles attached to the pods. This is
preferable to using unsecured methods, such as environment variables or
files baked into the image, to load secrets inside the containers.
• Code analysis — Code scanning and static code analysis are also integral
parts of automation security. When you are working on any application
code in Kubernetes, you should scan the source code to make sure it
does not have any vulnerabilities or any hard-coded anomalies.
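The image whitelisting step described under Image scanning can be implemented as a validating admission webhook. The decision logic below is an added example, not code from the article: it takes the AdmissionReview object the API server would POST to the webhook, checks every container image against a constructed allowlist of approved registries, requires digest pinning, and builds the AdmissionReview response. The registry names and the sample request are constructed for illustration.

```python
import json
from typing import Optional
import re

# Constructed allowlist for this example: images must come from one of these
# registries and be pinned by digest, so a mutable tag cannot be swapped later.
APPROVED_REGISTRIES = ("registry.example.internal/", "gcr.io/example-project/")
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")


def image_violation(image: str) -> Optional[str]:
    """Return a reason if the image reference is not approved, else None."""
    if not image.startswith(APPROVED_REGISTRIES):
        return f"image {image!r} is not from an approved registry"
    if not DIGEST_RE.search(image):
        return f"image {image!r} is not pinned by digest"
    return None


def review_pod(admission_review: dict) -> dict:
    """Validating-webhook decision: build the AdmissionReview response for a Pod."""
    request = admission_review["request"]
    spec = request["object"]["spec"]
    # Init and ephemeral containers run images too, so they are checked as well.
    containers = (spec.get("containers", []) + spec.get("initContainers", [])
                  + spec.get("ephemeralContainers", []))
    reasons = []
    for container in containers:
        reason = image_violation(container["image"])
        if reason:
            reasons.append(reason)
    response = {"uid": request["uid"], "allowed": not reasons}
    if reasons:
        # The message is surfaced to the user by kubectl when the Pod is rejected.
        response["status"] = {"code": 403, "message": "; ".join(reasons)}
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
            "response": response}


# Constructed sample request: one approved, digest-pinned image and one
# public tag-only image, which should cause the Pod to be rejected.
SAMPLE_REQUEST = {
    "apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
    "request": {
        "uid": "11111111-2222-3333-4444-555555555555",
        "object": {"kind": "Pod", "spec": {"containers": [
            {"name": "app", "image": "registry.example.internal/app@sha256:" + "a" * 64},
            {"name": "sidecar", "image": "docker.io/library/nginx:latest"},
        ]}},
    },
}

if __name__ == "__main__":
    print(json.dumps(review_pod(SAMPLE_REQUEST), indent=2))
```

In a real deployment this function sits behind a TLS endpoint registered through a ValidatingWebhookConfiguration; the allowlist would typically be loaded from configuration rather than hard-coded.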
Get Started
Kubernetes security is an evolving space. If you are building an enterprise
solution, you need to pursue an end-to-end, holistic security posture. There is
no one-size-fits-all solution, but these best practices can lighten the load on
organizations trying to build up their Kubernetes resources. Understanding how
these best practices enhance your application’s security will help move your
container orchestration processes several steps along the track.
FALL 2018 | THE DOPPLER | 41