Kubernetes skills demand continues to soar – but are organisations dropping the ball on security?

If you have Kubernetes skills then you will almost certainly be in demand from employers, as a new survey from CyberArk has found that IT jobs with the container orchestration tool in the title have soared year on year. But beware the security risks when getting involved.

According to the company, which has crunched data from IT Jobs Watch, roles involving Kubernetes have broken into the top 250 most popular IT vacancies, having been around the 1000 mark this time last year. The most likely job title for potential applicants is either DevOps engineer (40%) or developer (23%).

Regular readers of this publication will be more than aware of the initiatives taking place within the industry over the past year. The leading cloud providers are getting on board; Amazon Web Services (AWS) and Microsoft both made their managed Kubernetes services generally available this month, while back in March Kubernetes itself ‘graduated’ from its arbiter, the Cloud Native Computing Foundation (CNCF), recognising the technology’s maturity.

Those with product to shift are eating their own dog food, making their own internal process container-based. IBM, as John Considine, general manager of cloud infrastructure services, told CloudTech earlier this year, and Google, as Diane Greene told Cisco Live attendees last week, are but two examples. Alongside this, customers are putting containers at the forefront of their buying decisions; GoDaddy said as much when it was announced the hosting provider would be going all-in on AWS.

Yet with so many organisations going in at the deep end, there is a danger of getting into trouble when swimming against the tide.

In a report published this week (pdf), security firm Lacework assessed there were more than 21,169 publicly facing container orchestration platform dashboards out there. 300 of these dashboards were completely open. Whether Weight Watchers’ Kubernetes admin console, which researchers from Kromtech Security found earlier this month to be completely accessible without password protection, was included, we will of course not know. Another widely publicised story was around Tesla; back in February, research from RedLock found hackers had been running crypto mining scripts on unsecured Kubernetes instances owned by the electric car firm.

“During our research we learned that there are a lot of different ways to manage your containers, and that they are all incredibly flexible and powerful,” the Lacework report notes. “With each one you essentially have the keys to the castle from deployment, discovery, deletion, and manageability.

“We suggest that if you are a security professional and you don’t know you are running a container orchestration system, you should definitely find out ASAP.”

CyberArk offers a similar message of concern. “There is a very real danger that the rush to achieve IT and business advantages will outpace awareness of the security risks,” said Josh Kirkwood, CyberArk DevOps security lead. “If privileged accounts in Kubernetes are left unmanaged, and attackers get inside the control panel, they could gain control of an organisation’s entire IT infrastructure.

“Many organisations simple task the same DevOps hires – often with no security experience – to protect these new Kubernetes environments, in addition to the numerous other responsibilities they have to deliver,” added Kirkwood. “That’s no longer sufficient, and security teams need to get more closely involved to support the platform.”

According to the Lacework report, if you’re running Kubernetes you need to build a pod security policy, configure your pods to run read-only file systems and restrict privilege escalation. More general container advice doubles up essentially as good security practice; multi-factor authentication at all times, using SSL for all servers, and using valid certificates with proper expiration and enforcement policies.

So is it time to take a step back? If you have Kubernetes skills then you’re in a good place – but get some security smarts alongside it and you’ll be in an even better one.