The 2023 Kubernetes Benchmark Report: Are K8s Workloads Better Configured?
Organizations are increasingly adopting Kubernetes to automate the deployment, management and scaling of containerized applications. As they do, dev, sec and ops teams are paying closer attention to how their workloads are performing in terms of reliability, security and cost efficiency. In a volatile economy, organizations are looking for ways to better control costs, and cloud spend is not insignificant for those deploying cloud-native apps and services.
Last year, Fairwinds created the first Kubernetes benchmark report as a resource organizations can use to better understand their container configurations. The data in last year’s report came directly from analyzing more than 100,000 Kubernetes workloads across hundreds of organizations. Comparing their results to those of their peers can help organizations make improvements and identify trends. The 2023 Kubernetes Benchmark Report, based on an analysis of 150,000 workloads in 2022, is now available. The question is, are workload configurations getting better or worse as Kubernetes becomes more mainstream?
Top Three Kubernetes Concerns
Kubernetes remains complex, offering a lot of scalability and flexibility, but with an ongoing struggle to find the right expertise to properly configure and manage it. Misconfigurations, particularly related to security, cost efficiency and reliability, are still the three primary concerns for cloud-native users. The new report shows that even while cloud/platform teams are creating, upgrading and scaling Kubernetes and Kubernetes clusters, it remains quite difficult to configure workloads properly.
Are DevOps Teams Overwhelmed?
Analysis of the benchmarking data—specifically examining reliability, security and cost efficiency metrics—shows that cluster configuration is even more challenging for teams than it was in 2021. Last year’s analysis showed that fewer than 10% of workloads were impacted in many core metrics. Unfortunately, the trend did not continue in 2022. All core issues saw an increase in the percentage of workloads impacted, increasing risks, costs and reliability issues.
One reason this may have occurred is the increased adoption of Kubernetes itself. Most IT teams have varied levels of expertise in Kubernetes management, in part because Kubernetes is still a newcomer in enterprise IT environments. DevOps teams are responsible for managing potential configuration risks, but managing new development teams and applying consistent policies and controls takes time. Platform engineers are spending too much time acting as a Kubernetes help desk and they simply cannot keep up. The 2023 Benchmark Report shows where organizations are lagging behind in managing Kubernetes configuration risks and how to improve Kubernetes configurations in the year ahead.
How Reliable Are Workloads?
There are six primary configuration issues that apply to Kubernetes reliability, many of which may be challenging to address. They are hard to address because it is difficult to know what values to assign for each application. Typically, this results in no limits being set at all, limits set too low for the app to function reliably, or limits set too high by developers while testing the app and never corrected afterward. The latest data showed that only about 17% of organizations set memory requests and limits for over 90% of their workloads.
Last year, 41% of organizations had set memory requests and limits for over 90% of workloads. That is a significant drop, and it has a serious impact on reliability. Other configuration issues that impact reliability include missing liveness and readiness probes and missing CPU requests and limits. Many organizations were using cached versions of Docker images, which are often outdated and increase overall inconsistency in deployments. This year, the Benchmark Report checks for deployments that have only a single replica; replica deployments help maintain the stability and high availability of containers.
The new report evaluates nine security-related Kubernetes configurations. Surprisingly, there was a significant drop in organizations turning off insecure capabilities for most of their workloads compared to 2021. Forty-two percent of organizations did this for most of their workloads in 2021, but in 2022 only 10% did so. And the data shows that 33% of organizations have more than 90% of workloads running with insecure capabilities.
In an era of increased scrutiny of overall cybersecurity practices, new data shows 44% of organizations are running 71% or more of their workloads allowing root access, up from 22% the year before. The share of organizations seeing more than 90% of their workloads impacted by image vulnerabilities, such as Log4j, grew from 9% in 2021 to 25%.
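The reliability and security settings named in the paragraphs above can be checked directly against a workload manifest. The following is an added example, not code from the report or from Fairwinds: the finding names, the pass/fail rules (in particular what counts as a "cached image" or "insecure capabilities") and both sample Deployments are assumptions constructed for illustration.

```python
def audit_deployment(dep):
    """Return sorted 'scope: finding' strings for one Deployment (parsed manifest dict)."""
    findings = []
    pod = dep["spec"]["template"]["spec"]
    pod_sc = pod.get("securityContext") or {}
    if dep["spec"].get("replicas", 1) < 2:  # Kubernetes defaults replicas to 1
        findings.append("deployment: single replica")
    for c in pod.get("containers", []):
        name = c["name"]
        res = c.get("resources") or {}
        for kind in ("requests", "limits"):
            for resource in ("cpu", "memory"):
                if resource not in (res.get(kind) or {}):
                    findings.append(f"{name}: missing {resource} {kind}")
        for probe in ("livenessProbe", "readinessProbe"):
            if probe not in c:
                findings.append(f"{name}: missing {probe}")
        # Assumption: any policy other than Always may run a stale node-cached image.
        if c.get("imagePullPolicy") != "Always":
            findings.append(f"{name}: image may be served from node cache")
        sc = c.get("securityContext") or {}
        # A container-level runAsNonRoot overrides the pod-level value.
        if not sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False)):
            findings.append(f"{name}: may run as root")
        caps = sc.get("capabilities") or {}
        # Assumption: "insecure" means not dropping ALL, or adding any capability back.
        if "ALL" not in (caps.get("drop") or []) or caps.get("add"):
            findings.append(f"{name}: insecure capabilities")
    return sorted(findings)

def make_deployment(replicas, container):
    """Wrap one container spec in a minimal Deployment (constructed sample data)."""
    return {"kind": "Deployment", "spec": {"replicas": replicas,
            "template": {"spec": {"containers": [container]}}}}

# Constructed sample: only a memory limit is set, everything else left to defaults.
WEAK = make_deployment(1, {"name": "web", "image": "registry.example/web:1.0",
                           "resources": {"limits": {"memory": "4Gi"}}})
# Constructed sample: the same workload with each setting filled in.
HARDENED = make_deployment(3, {
    "name": "web", "image": "registry.example/web:1.0", "imagePullPolicy": "Always",
    "resources": {"requests": {"cpu": "100m", "memory": "128Mi"},
                  "limits": {"cpu": "500m", "memory": "256Mi"}},
    "livenessProbe": {"httpGet": {"path": "/healthz", "port": 8080}},
    "readinessProbe": {"httpGet": {"path": "/ready", "port": 8080}},
    "securityContext": {"runAsNonRoot": True, "capabilities": {"drop": ["ALL"]}}})

if __name__ == "__main__":
    for label, dep in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_deployment(dep))
```

The audit reads the manifest as written, so a field the API server would default at admission (such as `imagePullPolicy` for a `:latest` tag) is reported as unset.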
Most organizations are doing just okay when setting CPU requests and limits. Areas for improvement in this realm include setting memory limits more carefully. Thirty percent of organizations are setting memory limits too high for at least 50% of their workloads, which results in wasted cloud resources. The report also analyzes shifts in memory requests that are set too low or too high and how those requests can be adjusted to improve cost efficiency.
Kubernetes Maturing, but Configuration Remains Challenging
Cloud-native applications and services, delivered in containers and leveraging Kubernetes for container orchestration, bring real value to businesses. However, rapid adoption without understanding how to set the many available configurations appropriately can increase security risk and cloud costs—and can also put reliability at risk. The analysis in the Kubernetes Benchmark report can help you better understand your configuration deficiencies so you can decide where to make investments. Review the data and then look at your Kubernetes environments to make adjustments that will improve your Kubernetes deployment and make it more reliable, secure, and cost-efficient in the year ahead.