Security Controls for the OWASP Kubernetes Top 10 | SUSE Communities

Security Controls for the OWASP Kubernetes Top 10


Using NeuVector to Reduce Risk in Kubernetes

Kubernetes has become the de-facto standard for container orchestration platforms and is widely used in business-critical infrastructure in enterprises of all sizes. With this popularity comes an increase in focus for hackers to exploit vulnerabilities and misconfigurations in Kubernetes clusters. The orchestration layer system resources, as well as the application workloads running on it, are all prime targets for attackers.

The non-profit organization OWASP, famous for its OWASP Top 10 web application attacks, recently published its initial draft of the OWASP Kubernetes Top 10 outlining Kubernetes’ top 10 security risks.

The summary table below describes each risk and how the NeuVector open source container security platform can mitigate possible exploits. For a complete description of each risk vector and the NeuVector security control, download the complete guide.


Kubernetes Risk Vector Description NeuVector Security Controls
K01: Insecure Workload Configurations Misconfigurations lead to vulnerable workloads. Audit, Admission Controls and CIS
K02: Supply Chain Vulnerabilities Malware, back doors, crypto mining and vulnerabilities introduced in the pipeline. Admission Controls, Image Signing and Scanning
K03: Overly Permissive RBAC Configurations Unauthorized system resources and console access lead to cluster compromise. Zero-Trust run-time network and process protections
K04: Lack of Centralized Policy Enforcement Security misconfigurations from lack of centralized, automated policy management. Centralized Admission Controls, Security as Code and Multi-Cluster Federation
K05: Inadequate Logging and Monitoring Attack detection and forensics are difficult without security-focused event logging. Security-Focused Events, Notifications and Packet Captures
K06: Broken Authentication Mechanisms Unauthorized access to system resources can lead to lateral movement, corruption and data theft. Zero-Trust Suspicious Activity Detection
K07: Missing Network Segmentation Controls Lateral movement, network scanning, tunneling, command and control connections can’t be stopped. Full Layer7 Firewall, Segmentation, WAF/DLP and Access Control
K08: Secrets Management Failures Unprotected secrets could enable an attacker to gain access to resources or workloads. Suspicious System Activity Detection and Secrets Scanning
K09: Misconfigured Cluster Components Misconfiguration of system components such as API server, kubelet, etc., exposes risks. Kubernetes and Docker CIS Benchmarks
XK10: Outdated and Vulnerable Kubernetes Components Critical CVE’s in Kubernetes or other system (nginx, Istio) containers lead to exploit. Platform Scanning, CVE Reporting and CIS Benchmarks
Other Risks Zero-day attacks, OWASP Top 10 Web Application Attacks Zero-Trust Run-Time Security, WAF rules and API Security


What’s Next?

The risk of attackers gaining access to critical resources continues to grow, especially for new cloud technologies such as containers and Kubernetes. In addition to the traditional zero-day application attacks, exploits of misconfigured Kubernetes systems or workload configurations are a real threat to business continuity. A layered security strategy is always the best way to mitigate risk. Security should have several layers through which attackers must penetrate before being able to access critical resources and data. However, as seen in the summary above, the NeuVector container security platform provides many of the controls and layers required to detect and prevent exploits.

Download the complete guide for a complete description of each risk vector and the NeuVector security control.

Avatar photo
Glen Kosaka Glen is head of product security at SUSE. Glen has more than 20 years of experience in enterprise security, marketing SaaS and infrastructure software. He has held executive management positions at NeuVector, Trend Micro, Provilla, Reactivity, Resonate, Quantum and Rignite.