Security Controls for the OWASP Kubernetes Top 10
Using NeuVector to Reduce Risk in Kubernetes
Kubernetes has become the de-facto standard for container orchestration platforms and is widely used in business-critical infrastructure in enterprises of all sizes. With this popularity comes an increase in focus for hackers to exploit vulnerabilities and misconfigurations in Kubernetes clusters. The orchestration layer system resources, as well as the application workloads running on it, are all prime targets for attackers.
The non-profit organization OWASP, famous for its OWASP Top 10 web application attacks, recently published its initial draft of the OWASP Kubernetes Top 10 outlining Kubernetes’ top 10 security risks.
The summary table below describes each risk and how the NeuVector open source container security platform can mitigate possible exploits. For a complete description of each risk vector and the NeuVector security control, download the complete guide.
|Kubernetes Risk Vector
|NeuVector Security Controls
|K01: Insecure Workload Configurations
|Misconfigurations lead to vulnerable workloads.
|Audit, Admission Controls and CIS
|K02: Supply Chain Vulnerabilities
|Malware, back doors, crypto mining and vulnerabilities introduced in the pipeline.
|Admission Controls, Image Signing and Scanning
|K03: Overly Permissive RBAC Configurations
|Unauthorized system resources and console access lead to cluster compromise.
|Zero-Trust run-time network and process protections
|K04: Lack of Centralized Policy Enforcement
|Security misconfigurations from lack of centralized, automated policy management.
|Centralized Admission Controls, Security as Code and Multi-Cluster Federation
|K05: Inadequate Logging and Monitoring
|Attack detection and forensics are difficult without security-focused event logging.
|Security-Focused Events, Notifications and Packet Captures
|K06: Broken Authentication Mechanisms
|Unauthorized access to system resources can lead to lateral movement, corruption and data theft.
|Zero-Trust Suspicious Activity Detection
|K07: Missing Network Segmentation Controls
|Lateral movement, network scanning, tunneling, command and control connections can’t be stopped.
|Full Layer7 Firewall, Segmentation, WAF/DLP and Access Control
|K08: Secrets Management Failures
|Unprotected secrets could enable an attacker to gain access to resources or workloads.
|Suspicious System Activity Detection and Secrets Scanning
|K09: Misconfigured Cluster Components
|Misconfiguration of system components such as API server, kubelet, etc., exposes risks.
|Kubernetes and Docker CIS Benchmarks
|XK10: Outdated and Vulnerable Kubernetes Components
|Critical CVE’s in Kubernetes or other system (nginx, Istio) containers lead to exploit.
|Platform Scanning, CVE Reporting and CIS Benchmarks
|Zero-day attacks, OWASP Top 10 Web Application Attacks
|Zero-Trust Run-Time Security, WAF rules and API Security
The risk of attackers gaining access to critical resources continues to grow, especially for new cloud technologies such as containers and Kubernetes. In addition to the traditional zero-day application attacks, exploits of misconfigured Kubernetes systems or workload configurations are a real threat to business continuity. A layered security strategy is always the best way to mitigate risk. Security should have several layers through which attackers must penetrate before being able to access critical resources and data. However, as seen in the summary above, the NeuVector container security platform provides many of the controls and layers required to detect and prevent exploits.
Download the complete guide for a complete description of each risk vector and the NeuVector security control.