The continuing rise of Kubernetes analysed: Security struggles and lifecycle learnings

The rapid adoption of container technology, DevOps practices, and microservices application architectures are three of the key drivers of modern digital transformation. Whether built in the cloud, on-premises, or in hybrid environments, containerisation has proved to be significantly more advantageous in terms of scalability, portability, and continuous development and improvement.

More recently, organisations have begun to standardise on Kubernetes as their container orchestrator. Tinder recently announced the company is moving their infrastructure to Kubernetes. Soon after, Twitter announced its own migration from Mesos to Kubernetes.

While the reasons behind such a rapid adoption of Kubernetes have been well documented, security issues remain one of the biggest concerns for organisations. When you ignore your container and Kubernetes security, you might find yourself in the headlines for all the wrong reasons—just ask Tesla.

To better understand the trends in container and Kubernetes security and adoption, we conducted a survey of over 200 IT security and operations decision makers in November of 2018. We recently repeated the survey across nearly 400 individuals in security, DevOps, and product teams to gain additional insights into how organisations are adopting container technologies and how their security concerns have evolved.

The results are aligned with the prediction from Gartner that by 2022 more than 75% of global organisations will be running containerised applications in production – a significant increase from fewer than 30% today.

Kubernetes adoption grows by 50% in first half of 2019

Originally built by Google—based on the lessons learned from the Borg and Omega projects—Kubernetes was open-sourced in 2014 as a platform for automating deployment, scaling, and management of containerised applications. Google partnered with the Linux Foundation to form the Cloud Native Computing Foundation (CNCF) to manage the Kubernetes open-source project.

In an early sign of Kubernetes going mainstream, in 2016 Niantic released the massively popular mobile game Pokémon Go, which was built on Kubernetes and deployed in Google Container Engine. At launch, the game experienced usability issues caused by massive user interest in the U.S.—the number of users logging in ended up being 50x the original estimation, and 10x the prediction for the worst-case scenario. By using the inherent scalability advantages of Kubernetes, Pokémon Go went on to successfully launch in Japan two weeks later despite traffic tripling what was experienced during the U.S. launch.

Since then, Kubernetes usage has taken off. In our original survey conducted in November of 2018, 57% of respondents said they were orchestrating their containers with Kubernetes, which was at the time already more than any other orchestrator in the market. When we conducted the survey again in July 2019, the percentage of survey respondents who said they use Kubernetes as their orchestrator grew from 57% to 86% – a 50% increase.

And despite the fact that all major cloud providers offer their versions of managed Kubernetes service—with a primary value prop of being easier to use—a sizeable portion of Kubernetes users opt for self-managing their clusters. This is because self-managed Kubernetes provides greater flexibility in porting an existing Kubernetes application to another environment that’s using Kubernetes.

Kubernetes and container security concerns increase in lockstep with adoption

Security concerns continue to be one of the primary constraints for using containers and Kubernetes. 2019 saw the discovery of several high-severity container and Kubernetes vulnerabilities, including the runC vuln, a k8s privilege escalation flaw, a DoS vuln, and several other vulns that were announced earlier this month as part of a CNCF audit.

Most respondents identify inadequate investment in security as their biggest concern about their company’s container strategy. Moving to a containerised/microservices architecture introduces several new container and Kubernetes security considerations, and existing security tooling isn’t suitable to address them.

Organisations need dedicated security controls purpose-built for containers, Kubernetes, and microservices, to meet their security and compliance obligations. For example, unlike the traditional waterfall method of application development, modern app dev methodologies rely on continuous integration and continuous delivery (CI/CD), where security controls must be deeply embedded in the CI/CD pipeline for them to be effective.

Once again, respondents identified runtime as the life cycle phase that organisations are most worried about; however, most organisations understand that runtime failures are a function of missed security best practices during the build and deploy phases. Not surprisingly, more than half (57%) of respondents are more worried about what happens during the build and deploy phases. In other words, users realise they must "shift left" in their application of security best practices to build it right the first time.

Containers and Kubernetes are running everywhere

One of the interesting findings of the survey report was how diverse container and Kubernetes environments tend to be. While 70% of respondents run at least some of their containers on-premises, 75% of those running on-premises are also running some in the cloud, which means that any workable security solution has to span both environments.

Today, more than half of respondents (53%) are running in hybrid mode compared to 40% at the end of 2018. As a result, the percentage of organisations running containers only on-premises has dropped nearly in half (from 31% to just 17%), while cloud-only deployments have remained steady.

As expected, AWS continues its market dominance in container deployments, followed by Azure. Google comes in third but has gained considerable market share, growing from 18% to 28% over six months.

DevSecOps – not just a catchy term

Traditional security processes can become a barrier when building software using DevOps principles. The increasing complexity of security threats facing enterprises is leading to DevSecOps playing a crucial role.

Across all operations roles, the allocation of management responsibility by role remained consistent, but the jump in those citing DevSecOps as the responsible operator for container security is significant.

When isolating only those survey respondents who are in a security or compliance role, there is an even larger jump in allocation of responsibility to DevSecOps – 42% of respondents in a security or compliance role view DevSecOps as the right organisation to run container security programs.

Final thoughts

Despite the fact that container security is a significant hurdle, containerisation is not slowing down. The advantages of leveraging containers and Kubernetes—allowing engineers and DevOps teams to move fast, deploy software efficiently, and operate at unprecedented scale—are clearly overcoming the anxiety of security concerns.

Organisations are charging ahead with moving their containers to production. The percentage of organisations with more than 50% of their containers running in production environments has increased from 13% to 22% – a growth rate of 70%. In the same six months, the percentage of organisations running less than 10% of their containers in production has fallen from 52% to 39%.

Organisations shouldn’t treat security as an afterthought. Unlocking the benefits of cloud-native technologies while maintaining strong security for mission critical application development infrastructure requires protecting the full container life cycle – across build, deploy and runtime phases.
