Skip to main content
banner image
venafi logo

Kubernetes Certificate Security: What You Need to Know

Kubernetes Certificate Security: What You Need to Know

kubernetes certificate security
April 20, 2020 | Anastasios Arampatzis

 

What are Containers?

A container is a standard unit of software that packages up code and all its dependencies, so the application runs quickly and reliably from one computing environment to another.
 

Containers are a solution to the problem of how to get software to run reliably when moved from one computing environment to another. This could be from a developer's laptop to a test environment, from a staging environment into production, and perhaps from a physical machine in a data center to a virtual machine in a private or public cloud.
 

Figure 1:Container Evolution. Source: Kubernetes


Put simply, a container consists of an entire runtime environment: an application, plus all its dependencies, libraries and other binaries, and configuration files needed to run it—bundled into one package. By containerizing the application platform and its dependencies, differences in OS distributions and underlying infrastructure are abstracted away.
 

Containers are similar to Virtual Machines (VM), but they have relaxed isolation properties to share the Operating System (OS) among the applications. Therefore, containers are considered lightweight. Similar to a VM, a container has its own filesystem, CPU, memory, process space, and more. As they are decoupled from the underlying infrastructure, they are portable across clouds and OS distributions.



 

Benefits of Containers and Kubernetes

Containers, especially when orchestrated using Kubernetes, have become popular because they provide a handful of benefits, including:
 

  • Agile application creation and deployment: increased ease and efficiency of container image creation compared to VM image use.
  • Declarative configuration that enables security as code.
  • Continuous development, integration, and deployment: reliable and frequent container image build and deployment with quick and easy rollbacks (due to image immutability).
  • Dev and Ops separation of concerns: create application container images at build/release time rather than deployment time, thereby decoupling applications from infrastructure.
  • Environmental consistency across development, testing, and production: Runs the same on a laptop as it does in the cloud.
  • Cloud and OS distribution portability: Runs on Ubuntu, RHEL, CoreOS, on-premises, on major public clouds, and anywhere else.
  • Robust open source developer community with support from large and small companies
     

Security Risks of Containers

 

Despite their obvious benefit, containers and Kubernetes introduce several new security considerations that make that security mission more challenging.
 

Containers are numerous and everywhere creating security blind spots and increasing the attack surface. As more containers are deployed, maintaining adequate visibility into your critical cloud-native infrastructure components becomes more difficult.
 

Further, containers need to talk to each other within the deployment as well as to other endpoints to properly function. As a result, we must monitor both north-south and east-west traffic. If a container is breached, the attack surface is directly related to how broadly it can communicate with other containers and pods.
 

In addition, Kubernetes offers rich configuration options, but default settings are usually the least secure. In keeping with DevOps principles, Kubernetes is designed to speed application development, not to isolate its components. Another configuration risk relates to how secrets such as cryptographic keys are stored and accessed, a discipline called secrets management. IT security teams must ensure that secrets are not being loaded as environment variables but are instead mounted into read-only volumes in the containers.
 

Finally, while the continuous improvement and continuous delivery (CI/CD) model enabled by containers and Kubernetes is a core benefit of the cloud-native stack, this model also introduces challenges in complying with internal policies, best practices, and external policy frameworks.
 

Adding certificates to the mix creates additional challenges. Certificate renewal happens on a different cadence than application updates. New software versions may be released on a monthly or quarterly basis, but certificates need renewal annually. When application development ceases, certificate renewal still must occur for as long as the application is being used.
 

In addition, certificates are managed by different parties. Certificates may be purchased from public certificate authorities or may be issued from an internal private Public Key Infrastructure (PKI); in either case, the people responsible for acquisition or issuance are typically not the developers and may not be the IT operations folks.
 

Certificates and Kubernetes

 

As DevOps and virtualization continue to grow, we need to consider the security and integrity of these fast-moving environments. Specifically, when it comes to containers such as Kubernetes, businesses are increasingly challenged to secure use cases that leverage this technology. This includes ensuring strong identity for management of containers and general cryptography i.e., TLS sessions or encryption.
 

Although several methods employ container identity (and security), leveraging digital certificates as machine identities is the best possible method to secure these virtual environments. However, the fast, elastic nature of containers makes them unfeasible for manual certificate management methods. Therefore, certificate services teams charged with securing virtual, containerized systems should use machine identity solutions with built-in integrations to secure these environments.
 

As DevOps dramatically increases the number of machines (including virtual machines, service mesh and containers), the need for a standardized approach to certificates becomes essential. When DevOps teams use inconsistent solutions for certificates, it increases complexity and creates lock-in to DevOps tooling and cloud providers. This often results in the use of rogue certificates, unauthorized certificate authorities (CAs) and application downtime caused by poorly configured or expired certificates.
 

Until now, the process of incorporating trusted certificates into DevOps environments has been relatively slow and complicated. As a result, organizations adopting cloud services and containers have increasingly had to choose between agility and security. Developers spend valuable time either creating security infrastructure or waiting for certificates, both of which delay innovation.
 

Accelerate Kubernetes Certificates

The solution to overcome many of these challenges is to employ a common service for certificates via an API that is integrated with DevOps tooling. A solution such as Venafi’s Cloud DevOps ACCELERATE, would improve security and availability, ensure compliance, and accelerate software development by reducing complexity. In addition, it would define and enforce enterprise security policy for issuance and use of certificates-as-code with prebuilt DevOps tooling and cloud provider integrations.
 

Such a solution is easy for the development teams to adopt and use since it uses prebuilt open source integrations for the modern application stack, scales certificate issuance as part of CI/CD pipelines and secures Kubernetes containers to harden applications in zero-trust environments with prebuilt integrations. In addition, it allows the request of policy-compliant certificates from third-party CAs and built-in CA with native integration with Kubernetes through the Jetstack cert-manager.
 

Container Certificate Protection is a “Must-Have”

 

As dependence on machine identities increases, so does the impact of an operations or security incident. Security leaders can increase operational efficiency and security by using full life cycle management for complex environments such as Kubernetes containers.
 

Investment in machine identity management that covers the full certificate life cycle, such as that provided by Venafi, is no longer a “nice-to-have” rather a “must-have.” This is especially true in especially in multiple-certificate-based enterprise use cases such as containers.
 

How well are you managing machine identities for your organization’s containers?



 

 

 

Related posts

Like this blog? We think you will love this.
devsecops-security
Featured Blog

Applying Identity to DevSecOps Processes

Identity Means Secrets

Read More
Subscribe to our Weekly Blog Updates!

Join thousands of other security professionals

Get top blogs delivered to your inbox every week

See Popular Tags

You might also like

TLS Machine Identity Management for Dummies
eBook

TLS Machine Identity Management for Dummies

Certificate-Related Outages Continue to Plague Organizations
White Paper

CIO Study: Certificate-Related Outages Continue to Plague Organizations

About the author

Anastasios Arampatzis
Anastasios Arampatzis

Anastasios Arampatzis is a retired Hellenic Air Force officer with over 20 years of experience in evaluating cybersecurity and managing IT projects. He works as an informatics instructor at AKMI Educational Institute, while his interests include exploring the human side of cybersecurity.

Read Posts by Author
get-started-overlay close-overlay cross icon
get-started-overlay close-overlay cross icon
Venafi Risk assessment Form Image

Sign up for Venafi Cloud


Venafi Cloud manages and protects certificates



* Please fill in this field Please enter valid email address
* Please fill in this field Password must be
At least 8 characters long
At least one digit
At last one lowercase letter
At least one uppercase letter
At least one special character
(@%+^!#$?:,(){}[]~`-_)
* Please fill in this field
* Please fill in this field
* Please fill in this field
*

End User License Agreement needs to be viewed and accepted



Already have an account? Login Here

×
get-started-overlay close-overlay cross icon

How can we help you?

Thank you!

Venafi will reach out to you within 24 hours. If you need an immediate answer please use our chat to get a live person.

In the meantime, please explore more of our solutions

Explore Solutions

learn more

Email Us a Question

learn more

Chat With Us

learn more