Insecure Defaults Remain a Threat for Kubernetes

Secure-by-default settings make it easier (and safer) to onboard cloud-native technologies. And, thankfully, most default security profiles and configurations are, often, quite solid. Take Istio, which is secure by default and built with zero-trust in mind. Other environments, however, are not as well-guarded.

A new report by Accurics, the Cloud Cyber Resilience Report, found that insecure defaults make up nearly half of security violations in Helm charts commonly used within Kubernetes. The report also reveals that 1 in 4 security violations can be traced to poorly configured managed service offerings.

Let’s dig into the key findings of the report below. We’ll identify common frailties among Kubernetes ecosystems and outline some security implications of using managed services in cloud-native architecture.

Analyzing the Strength of the Kubernetes Ecosystem

The report examined infrastructure-as-code (IaC) used to provision cloud components, and flagged violations against CIS benchmarks.

The study analyzed Helm charts for popular prepackaged components within Kubernetes, such as Bitnami, HashiCorp, Jenkins, Harbor, AWS and others. To put your mind at ease, not many violations were found in these popular repositories. “The Kubernetes community appears to be doing an admirable job of avoiding these problems,” the report notes. However, there’s always room for improvement.

Out of the problems that were found, 47.9% of violations were due to insecure defaults — the most common type being improper use of the default namespace.

Twenty six percent of violations were due to insecure secrets management. Hard-coded credentials were not found in these Helm charts, but the study reveals the more minor issue of secrets being passed to containers via environment variables.

Another violation the research cites is poor resource management, at 17.8%. Some instances simply did not impose limits on container usage; these containers are left open to consume limitless RAM and CPU on the available node. The remaining 8.2% of violations were related to misconfigured container security.

Kubernetes is unique because it packages both application functionally and infrastructure definitions; as the report demonstrates, third-party components in Kubernetes do introduce a measurable amount of risk.

Common Security Flaws in CSPs and SaaS

Companies are offloading more infrastructure management to cloud service providers (CSPs). This indicates increasing faith in CSPs to correctly manage pipelines and deployments, in addition to host services themselves. Yet, 22.5% of security violations correspond to poorly configured managed services offerings, the report finds.

The report highlights insecure configurations around messaging services and functions-as-a-service (FaaS). As development teams adopt managed services for things like PubSub, CI/CD and FaaS, there are inherent risks to moving workloads into the cloud.

Default security controls and overly-permissive settings are becoming the bane of cloud-native services’ existence. Also, misconfigurations of storage buckets represent 15.3% of violations, the research shows.

As evidence, consider the misconfigured Twilio SDK, which an attacker exploited to leverage AWS S3 buckets for financial gain. Or, the recent SolarWinds Sunburst vulnerability. Recent exploits demonstrate how misconfigurations can be leveraged to allow attackers to gain unauthorized access and enable them to compromise production environments.

Mean Time to Recovery (MTTR) Rates

The report also considers Mean Time to Recovery (MTTR) rates for cloud-native remediation attempts.

As you might have guessed, MTTR for pre-production is much slower than production. On average, organizations take 51 days to remedy violations in pre-production. This is compared to 5 days MTTR for violations in production. Yet, “Organizations may not recognize the risk that managed services in pre-production represent,” notes the report.

MTTR rates are surprisingly high for some core infrastructure. For example, on average, violations in application load balancers and elastic load balancer configurations take over 149 days to fix.

Recommendations for Kubernetes Security

Today’s cloud-native infrastructure faces issues such as insecure buckets, hard-coded passwords and exposed networking. To safeguard systems, merely meeting compliance requirements is insufficient. Compliant systems may be left misconfigured, presenting a gaping vulnerability into core infrastructure. Take, for example, a recent Capitol One breach, in which a hacker leveraged a default configuration within an AWS compute instance to expose credentials.

To mitigate ongoing issues and to help strengthen K8s and container environments, the report provides some actionable advice:

  • Adopt secure-by-default tools with zero-trust policies.
  • Be cautious in the cloud. In cloud environments, where managed services may be exposed externally, watering hole attacks can cause significantly more damage than private, on-premises attacks.
  • Treat pre-production environments running DevOps tools in the cloud as critical infrastructure.
  • If possible, prioritize remediation efforts in pre-production.
  • Do not replicate potentially vulnerable on-premises workflows in the cloud.
  • Thirty-five percent of organizations struggle with RBAC issues, according to the study. Assume all cloud resources are easily accessible — restrict access and audit accessibility.
  • Don’t accept TLS 1.1 connections.
  • Use infrastructure-as-code (IaC) for your load balancers and networking infrastructure.
  • Assign per-container resource consumption limits.

Building Cyber Resiliency

“Cloud-native apps and services are more vital than ever before, and any risk in the infrastructure has critical implications,” says Accurics co-founder, CTO and CISO Om Moolchandani.

The 2020 CNCF report reveals that 83% of respondents are using Kubernetes in production. The use of containers in production has also increased 300% since 2016. With so much growing interest and adoption, it’s crucial to arm Kubernetes and the surrounding environment to better protect against threats and attacks. For many experts, this involves a shift-left mentality.

Thankfully, Helm charts among popular packages and official channels are “unlikely to suffer from insecure configurations,” concludes the report. In general, the Kubernetes ecosystem is in good shape when it comes to security. However, it helps to keep abreast of any incongruencies, even if they are minor — especially when reviewing things like Helm charts.

The Cloud Cyber Resilience Report is a bit opaque regarding the total number of violations discovered, and where exactly those occur. For more information, you can download it, behind an email wall, here.

Bill Doerrfeld

Bill Doerrfeld is a tech journalist and analyst. His beat is cloud technologies, specifically the web API economy. He began researching APIs as an Associate Editor at ProgrammableWeb, and since 2015 has been the Editor at Nordic APIs, a high-impact blog on API strategy for providers. He loves discovering new trends, interviewing key contributors, and researching new technology. He also gets out into the world to speak occasionally.

Bill Doerrfeld has 105 posts and counting. See all posts by Bill Doerrfeld