Earlier this year at KubeCon in Copenhagen, the message from the community was resoundingly clear: “this year, it’s about security”. If Kubernetes was to move into the enterprise, there were real security challenges that needed to be addressed. Six months later, at this week’s KubeCon in Seattle, we’re happy to report that the community has largely answered that call.
In general, Kubernetes has made huge security strides this year, and giant strides on Google Cloud. Let’s take a look at what changed this year for Kubernetes security.

Where developers go, hackers follow
This year, Kubernetes graduated from the CNCF, and it also earned another badge of honor: weathering its first real security attacks. Earlier this year, several unsecured Kubernetes dashboards made the news for leaking cloud credentials. At the time, Lacework estimated that of over 20,000 public dashboards, 300 were open without requiring any access credentials.
(Note that Google Kubernetes Engine no longer deploys this dashboard by default.) Elsewhere, attackers added binaries to images on Docker Hub to mine cryptocurrency, which were then downloaded an estimated five million times and deployed to production clusters. The majority of attacks against containers, however, remain “drive by” attacks—where an attacker is only interested in finding unpatched vulnerabilities to exploit.
This means that the best thing you can do to protect your containers is to patch: your base image, your packages, your application code—everything. We expect attackers to start targeting containers more, but since containers make it easier to patch your environment, hopefully they’ll have less success.