Presenters
Source
Shifting Left to Secure Your Kubernetes Kingdom: A Kano Story 🏰🛡️
Hey tech enthusiasts! Ever felt like security in Kubernetes is a constant game of whack-a-mole? You patch one vulnerability, and two more pop up. It’s a feeling many of us have experienced, and it’s precisely why the concept of “shifting left” has become so crucial in our development workflows. This presentation dives deep into how we can proactively secure our Kubernetes clusters, before any sneaky vulnerabilities can make their way into production.
Let’s break down the key takeaways and explore how we can build a more secure Kubernetes future.
The Common Pitfalls in Our Kubernetes Journey 🚧
Our journey with Kubernetes, while incredibly powerful, isn’t always smooth sailing. The speaker highlighted some common stumbling blocks that can lead to unexpected issues:
- The “Latest” Tag Trap 🏷️: Ever deployed something and realized it wasn’t
quite what you intended? This often happens when pipelines use the ambiguous
latesttag for container images. It’s a recipe for deploying the wrong version, leading to confusion and potential instability. - Resource Starvation Syndrome 📉: Pods suddenly crashing without a clear reason can be a sign of resource starvation. This frequently occurs when resource limits (CPU and memory) aren’t explicitly defined in pod specifications, leaving them vulnerable to being starved of essential compute power.
- Security Blind Spots 👁️: Security teams often flag critical issues that might fly under the radar during development. Think about running containers as root users or pulling images from untrusted public repositories – these are serious security misconfigurations that need addressing early.
The CIS Benchmarks: Our Security North Star ⭐
To combat these issues, the Center for Internet Security (CIS) has provided a set of invaluable best practices designed to harden our Kubernetes clusters. These CIS Benchmarks are our guiding light towards a more secure environment.
However, the sheer scale of these benchmarks can be daunting. With an estimated 64 policies to consider, manually verifying compliance across potentially thousands of clusters is, frankly, an insurmountable task. This is where automation comes in.
Introducing Kano: Your “Shift-Left” Security Superhero 🦸
To tackle the manual verification nightmare, the session introduced Kano, an incredible open-source framework that automates CIS checks with a powerful “shift-left” architecture. Kano implements a three-stage validation process, ensuring security is baked in from the very beginning:
1. Plan-Time Validation: Building on Solid Ground 🏗️
This is where Kano truly shines by intercepting your infrastructure-as-code (IaC) tools before any resources are even provisioned.
- How it works: Kano integrates with tools like OpenTofu (or Terraform).
It converts your
terraform planoutput into JSON, allowing it to scan your infrastructure blueprint for compliance. - The Impact: This proactive approach prevents insecure configurations, such as exposed EKS cluster endpoints or disabled audit logging, from ever making it into your environment. Imagine catching these critical flaws before they even have a chance to exist!
2. Deployment-Time Validation: The Gatekeeper 🚪
As your applications are being deployed, Kano acts as a vigilant gatekeeper within Kubernetes itself.
- Admission Control: Kano leverages mutating admission controllers to enforce security defaults. This means it can automatically apply secure configurations, like preventing non-root user usage, without you having to manually intervene.
- Blocking Violations: It also uses validating admission controllers to actively block any pods that violate your defined security policies. No more accidental deployments of insecure workloads!
3. Runtime Validation: The Final Watchdog 🐕
While Kano’s primary focus is on plan and deployment time, a node scanner is also available.
- DaemonSet Power: Deployed as a DaemonSet, this scanner performs checks at runtime, looking at things like file permissions and audit configurations on your nodes. This provides an extra layer of assurance.
Kano in Action: A Practical Demonstration 🎬
The speaker provided a compelling live demonstration that brought Kano’s capabilities to life:
- The Non-Compliant Pod: A test was conducted by attempting to deploy a pod with root privileges to a fresh Kind cluster.
- Kano to the Rescue! Upon installing Kano (version 1.15.2 was highlighted) and applying specific policies (including 49 CIS checks), the deployment of the non-compliant pod was immediately blocked. Clear and informative validation error messages were provided, guiding the user towards compliance.
- Success with Compliance: Subsequently, a compliant pod was successfully deployed, showcasing Kano’s ability to allow secure workloads.
- Validating IaC Plans: The
kano jsoncommand was used to validate OpenTofu plans, demonstrating how Kano flags non-compliant resource configurations before they are even provisioned. - CI/CD Integration: The power of automation was further amplified by integrating these checks into a GitHub Actions pipeline, creating a seamless security validation process from the IaC planning stage all the way through to deployment.
Clarifying the Policy Landscape 🗺️
A key point of discussion during the Q&A clarified an important aspect: while
OpenTofu is used to generate the cluster plan, the security policies
themselves are written in Kano’s dedicated policy language (using
kind: ValidationPolicy). OpenTofu’s role is strictly for provisioning the
infrastructure, and Kano then meticulously scans the resulting plan against your
defined policies.
Embracing a Secure Kubernetes Future ✨
The message is clear: by adopting Kano and its automated security checks, organizations can move towards achieving compliant and secure Kubernetes clusters with unprecedented efficiency. This “shift-left” approach isn’t just about ticking boxes; it’s about fundamentally embedding security into the core of our development lifecycle.
Let’s embrace Kano and build a more secure and robust Kubernetes ecosystem, one proactive check at a time! 🚀💡👨💻🤖🦾🌐🛠️👾🎯✨💾📡