Prajeesh Prathap

Securing AKS clusters - Build to Runtime

Updated: May 23, 2023

Containers have become a major part of cloud-native application development. A container is a standalone package of software that contains everything needed to run an application: the application's code, dependencies, libraries, runtime, and system tools. Because of this, containers have made application development simpler, faster, and much more powerful. Kubernetes, an open-source platform, is used to manage containers and to automate processes such as application development, deployment, and management.


Despite the benefits of containers, security teams now face the new challenge of securing these cloud-native applications. Unlike traditional compute environments, containerized applications are elastic: they spawn, die, and resize rapidly. Container images are immutable and containers are short-lived, which means vulnerabilities must be fixed early in the delivery pipeline rather than patched in place. To fully secure containerized workloads, a team must secure the containers and the code running within them, their software dependencies and libraries, the CI/CD pipelines, the runtime, and everything in between.


Threats in Kubernetes environments can come from six primary areas:
  1. Compromised accounts: in cases where Kubernetes clusters are deployed in public clouds (e.g., AKS in Azure or GKE in GCP), compromised cloud credentials can lead to cluster takeover as attackers who have access to account credentials can get access to the cluster’s management layer.

  2. Vulnerable or misconfigured images: images that are not updated regularly may contain vulnerabilities that can be exploited in malicious attacks.

  3. Environment misconfigurations: an attacker with access to the Kubernetes API, either through an exposed Kubeflow dashboard or lack of appropriate authentication/authorization controls, can completely take down the server, deploy malicious containers, or hijack your entire cluster.

  4. App level attacks: applications can be exploited through several types of “typical methods”, such as SQL injection, cross-site scripting, and remote file inclusion.

  5. Node level attacks: since containers run on host machines, called nodes, those machines must not run vulnerable code or software that would allow for an attacker to gain initial access.

  6. Unauthorized traffic: insecure networking between the different containers within the cluster and between the pods and outside world can be subject to malicious traffic if not secured.


Understanding the attack surface of containerized environments is the first step in building security solutions for them. Microsoft Defender for Containers is a plan within Microsoft Defender for Cloud that offers a cloud-native solution to secure your containers so you can improve, monitor, and maintain the security of your clusters, containers, and their applications, whether they run in Azure Kubernetes Service, Amazon Elastic Kubernetes Service, Google Kubernetes Engine, or any other Cloud Native Computing Foundation (CNCF) certified cluster. This plan helps you achieve the core aspects of security within the build, ship, deployment, and runtime phases of the container lifecycle.


How does Defender for Containers secure your AKS clusters?
  • Control-plane hardening: Defender for Containers continuously assesses your clusters and presents you with recommendations as to how you can remediate misconfigurations in your environment.

  • Vulnerability assessment: Defender for Containers offers vulnerability scanning for images in Azure Container Registries that triggers the scan when images are pushed to a registry, pulled from the registry, and imported into the registry. Defender for Containers also provides CI/CD integration to scan images in the build stage.

  • Data-plane hardening: Defender for Containers includes an admission controller via the Azure Policy for Kubernetes component, which extends the open-source Gatekeeper v3 admission controller webhook for Open Policy Agent. This add-on checks every request to the Kubernetes API server against a predefined set of best practices to help you ensure your workloads are secure. As an example, you can enforce container CPU and memory limits to protect against DDoS attacks and prevent containers from running as the root user.

  • Run-time monitoring and threat protection: Defender for Containers provides real-time threat protection and generates alerts for suspicious activities. Threat protection at the cluster level is provided by the Defender agent and by analysis of the Kubernetes audit logs. Another benefit of this monitoring is that the Defender agent allows Defender for Containers to also scan images that are currently running within a cluster, by correlating the inventory of your running containers with the images stored in the registry and presenting you with the vulnerability assessment results.
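The two data-plane rules named above (CPU and memory limits on every container, no container running as root) can be checked before a manifest ever reaches the cluster. The following is an added example written for this post, not code from Defender for Containers or Azure Policy for Kubernetes; in the cluster, Gatekeeper enforces the same rules as an admission webhook. The two Pod manifests, the image name `example.azurecr.io/web:1.0`, and the function names are constructed for the illustration.

```python
"""Pre-deployment lint for two common admission rules:
  - every container (including initContainers) declares CPU and memory limits
  - no container runs as root (runAsUser 0, or no non-root guarantee at all)
Added example; the manifests below are constructed, not taken from a real cluster."""

from typing import Any, Dict, List


def _containers(pod_spec: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Regular and init containers are both subject to the rules."""
    return list(pod_spec.get("containers", [])) + list(pod_spec.get("initContainers", []))


def check_pod(manifest: Dict[str, Any]) -> List[str]:
    """Return the list of rule violations for a Pod manifest (empty list = compliant)."""
    violations: List[str] = []
    spec = manifest.get("spec", {})
    pod_sc = spec.get("securityContext", {})
    for c in _containers(spec):
        name = c.get("name", "<unnamed>")
        limits = c.get("resources", {}).get("limits", {})
        for res in ("cpu", "memory"):
            if res not in limits:
                violations.append(f"{name}: missing resources.limits.{res}")
        # A container-level securityContext overrides the pod-level one field by field.
        sc = {**pod_sc, **c.get("securityContext", {})}
        run_as_user = sc.get("runAsUser")
        if run_as_user == 0:
            violations.append(f"{name}: runAsUser is 0 (root)")
        elif run_as_user is None and not sc.get("runAsNonRoot", False):
            # Without runAsNonRoot the kubelet will happily start an image whose
            # default USER is root, so the manifest gives no non-root guarantee.
            violations.append(f"{name}: neither runAsNonRoot nor a non-root runAsUser is set")
    return violations


# Constructed sample: a typical first-draft manifest with no limits and no securityContext.
WEAK_POD: Dict[str, Any] = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "web-unhardened"},
    "spec": {"containers": [{"name": "web", "image": "example.azurecr.io/web:1.0"}]},
}

# Constructed sample: the same workload with limits and a non-root security context.
HARDENED_POD: Dict[str, Any] = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "web-hardened"},
    "spec": {
        "securityContext": {"runAsNonRoot": True, "runAsUser": 1000},
        "containers": [
            {
                "name": "web",
                "image": "example.azurecr.io/web:1.0",
                "resources": {
                    "requests": {"cpu": "100m", "memory": "128Mi"},
                    "limits": {"cpu": "500m", "memory": "256Mi"},
                },
                "securityContext": {"allowPrivilegeEscalation": False},
            }
        ],
    },
}


if __name__ == "__main__":
    for pod in (WEAK_POD, HARDENED_POD):
        result = check_pod(pod)
        status = "PASS" if not result else "FAIL"
        print(f"{pod['metadata']['name']}: {status}")
        for v in result:
            print(f"  - {v}")
```

Running it reports three violations for `web-unhardened` (no CPU limit, no memory limit, no non-root guarantee) and none for `web-hardened`. Gatekeeper applies the same decision at admission time, so a manifest that fails this lint is the same manifest the admission controller would reject.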
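Cluster-level threat protection, as described above, rests on the API server's audit log. The following added example (written for this post, not Defender for Containers code) shows the shape of that analysis: it reads `audit.k8s.io/v1` events, one JSON object per line as the API server writes them, and raises alerts for three kinds of activity that typically deserve a look: an interactive session opened inside a container, a request made by `system:anonymous`, and a read of Secret objects. The three sample events, their `auditID` values, user names, and namespaces are all constructed for the illustration; the rules are deliberately simple and are not Defender's detection logic.

```python
"""Minimal detector over Kubernetes API-server audit events.
Added example: the rules and the sample log lines are constructed, not Defender's."""

import json
from typing import Any, Dict, List

# Constructed audit.k8s.io/v1 events, one per line, trimmed to the fields used here.
SAMPLE_AUDIT_LOG = "\n".join([
    json.dumps({"kind": "Event", "apiVersion": "audit.k8s.io/v1", "auditID": "evt-1",
                "stage": "ResponseComplete", "verb": "list",
                "user": {"username": "alice@example.com", "groups": ["system:authenticated"]},
                "objectRef": {"resource": "pods", "namespace": "prod"},
                "responseStatus": {"code": 200}}),
    json.dumps({"kind": "Event", "apiVersion": "audit.k8s.io/v1", "auditID": "evt-2",
                "stage": "ResponseComplete", "verb": "create",
                "user": {"username": "system:serviceaccount:default:default"},
                "objectRef": {"resource": "pods", "namespace": "prod",
                              "name": "web-7d9f", "subresource": "exec"},
                "responseStatus": {"code": 101}}),
    json.dumps({"kind": "Event", "apiVersion": "audit.k8s.io/v1", "auditID": "evt-3",
                "stage": "ResponseComplete", "verb": "get",
                "user": {"username": "system:anonymous", "groups": ["system:unauthenticated"]},
                "objectRef": {"resource": "secrets", "namespace": "kube-system"},
                "responseStatus": {"code": 403}}),
])


def load_events(text: str) -> List[Dict[str, Any]]:
    """Parse newline-delimited JSON audit events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect(event: Dict[str, Any]) -> List[str]:
    """Return the names of the rules an event matches (possibly several)."""
    findings: List[str] = []
    user = event.get("user", {}).get("username", "")
    ref = event.get("objectRef", {})
    verb = event.get("verb", "")
    # pods/exec and pods/attach are how someone gets a shell inside a running container.
    if ref.get("resource") == "pods" and ref.get("subresource") in ("exec", "attach"):
        findings.append("interactive session opened in a container")
    # Any request from system:anonymous means unauthenticated access reached the API server.
    if user == "system:anonymous":
        findings.append("unauthenticated request to the API server")
    # Secret reads are logged even when RBAC denies them (403), which is itself a signal.
    if ref.get("resource") == "secrets" and verb in ("get", "list", "watch"):
        findings.append("secret contents read")
    return findings


def scan(text: str) -> List[Dict[str, Any]]:
    """Run every rule over every event and return one alert record per match."""
    alerts: List[Dict[str, Any]] = []
    for ev in load_events(text):
        for rule in detect(ev):
            alerts.append({
                "auditID": ev.get("auditID"),
                "user": ev.get("user", {}).get("username"),
                "namespace": ev.get("objectRef", {}).get("namespace"),
                "status": ev.get("responseStatus", {}).get("code"),
                "rule": rule,
            })
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_AUDIT_LOG):
        print(f"[{alert['auditID']}] {alert['rule']} by {alert['user']} "
              f"in {alert['namespace']} (HTTP {alert['status']})")
```

On the sample log this produces three alerts: one for the exec into `web-7d9f`, and two for `evt-3`, since the anonymous request also targeted Secrets. The denied (403) secret read still surfaces, because a failed attempt is often the earliest evidence of a compromised or misconfigured identity probing the cluster.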

More Information

To learn more about how Defender for Containers can help you achieve container security with zero vulnerabilities from build to runtime, please leverage the following sources:


