Securing Kubernetes with CIS Benchmarks

The Center for Internet Security (CIS) has developed a massive range of security standards. These Benchmarks cover a variety of technologies, ranging from physical hardware to operating systems like Windows and Linux, cloud providers like GCP, AWS or Azure, and even objects like printers and mobile devices. The chances are, if you’re looking for vendor-agnostic security standards, CIS has something for you.

They do this by working with a worldwide community of cybersecurity professionals who develop benchmarks collaboratively in their areas of expertise. This means the security best practices contained in the benchmarks are not at the whim of one individual or group, but based on the expertise and experience of many professionals – those who’ve got skin in the game.

The Wild West

We recently heard someone describe Kubernetes as being ‘like The Wild West’. It’s an interesting analogy, because once upon a time the Western areas of the United States were areas for great progress, freedom and innovation. Areas for fresh starts and not having to be confined by the existing order of things.

However there was also the small matter of law and order, where ‘The Wild West’ is so often shown as a lawless free-for-all, with no defined boundaries of behaviour or practice. 

While Kubernetes is pushing a new innovative way of working, not confined or restricted by previous ways of viewing workloads and computing, it is not a lawless frontier and should not be treated as such. New ways of working do not always mean moving away from established concepts, especially concepts like security best practices. 

The problem comes when new ways of working outsrip the security understanding or invalidate security practices. Obviously certain ideas which apply to things like multifunction printers or mobile devices can’t be expected to apply to non-persistent infrastructure like Kubernetes or containerised workloads. There is a requirement for specific and appropriate guidelines.

The good news is that the growth and development of Kubernetes is no longer outpacing the ability to effectively secure and run it. There are no excuses for slapdash security, especially now that there are solutions which can provide vulnerability assessment and issue remediation at the click of a button.

Security begins at dev

Building with Kubernetes needn’t be a wild and loose affair when it comes to security. There’s no need to hope that your developments are secure. With Runecast as your CNAPP platform, your security can shift left and encompass your development workloads. The same security that’s present in your production environments can now be present in your development environments too.

Runecast provides checks on cluster roles, cluster bindings, nodes, names and spaces, and pods and now in our latest release we’ve included container image scanning. 

Beyond that, Runecast is able to act as an admissions controller with your CI/CD pipeline, meaning that every image called is checked by Runecast first. In a matter of seconds your workloads are assessed against your admissions policy, for example against known critical vulnerabilities. If they’re clear, they’re admitted. If they’re not, then the image is refused – and you’re able to see why.

The next step would be remediation. Knowing which issues are present in your container or node enables you to fix them. Runecast generates remediation scripts applicable directly to your environment and infrastructure, in both Ansible and PowerCLI format. And of course, as Runecast shows you the vulnerability or security risk, it shows you all the information available, including steps you need to take, direct from CIS.

‍Runecast automates audits against CIS Benchmarks for Kubernetes, so that you can scan your configuration in just a few minutes. Even better, Runecast also includes checks against CIS Benchmarks – within the same platform – for Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform (GCP), VMware, Windows and Linux.

Runecast shows you both Level 1 and Level 2 recommendations from CIS, for all of our supported technologies. This means you can have the same confidence in your Kubernetes environment as you do, for example, in your VMware environment, your AWS and your Operating Systems. All of the analysis takes place on-prem within the platform, without any sensitive data leaving your environment. 

If you’re ready for 21st Century security, that covers all of your workloads with the knowledge of a worldwide community of experts, you want Runecast.