Overview of Cloud Native Security
Let’s start with a diagram that may help you understand how you can think about security in layers.
The 4C’s of Cloud Native Security
As you can see from the above figure, each one of the 4C's depends on the security of the squares in which it fits. It is nearly impossible to safeguard against poor security standards in Cloud, Containers, and Code by only addressing security at the code level. However, when these areas are dealt with appropriately, then adding security to your code augments an already strong base. These areas of concern are described in more detail below.
Cloud
If you are running on your own hardware or a different cloud provider you will need to consult your documentation for security best practices.
Cluster
This section will provide links for securing workloads in Kubernetes. There are two areas of concern for securing Kubernetes:
- Securing the configurable components that make up the cluster
- Securing the components which run in the cluster
If you want to protect your cluster from accidental or malicious access, and adopt good information practices, read and follow the advice about securing your cluster.
Depending on the attack surface of your application, you may want to focus on specific aspects of security. For example, if you are running a service (Service A) that is critical in a chain of other resources and a separate workload (Service B) which is vulnerable to a resource exhaustion attack, then by not putting resource limits on Service B you run the risk of also compromising Service A. Below is a table of links to things to consider when securing workloads running in Kubernetes.
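The Service A / Service B scenario above, worked through as Kubernetes manifests. This is an added example and not part of the original page: the namespace `demo`, the Deployment names, the placeholder image and all the CPU/memory numbers are assumptions chosen for illustration. It shows the unbounded Deployment beside a bounded one, plus the two namespace-level guardrails (LimitRange and ResourceQuota) that stop a forgotten `resources` stanza from becoming a cluster-wide problem.

```yaml
# Added example, not from the Kubernetes docs page. Namespace, names, image
# and resource figures are assumptions for illustration only.
---
# Weak: Service B declares no resources at all. It is scheduled as BestEffort
# QoS and can consume an entire node's CPU and memory, starving whatever else
# is scheduled there (Service A included) before it is ever evicted.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: service-b-unbounded   # assumed name
  namespace: demo             # assumed namespace
spec:
  replicas: 1
  selector:
    matchLabels:
      app: service-b
  template:
    metadata:
      labels:
        app: service-b
    spec:
      containers:
        - name: service-b
          image: example.invalid/service-b:1.0   # placeholder image
          # no "resources:" stanza -> no cap on consumption
---
# Hardened: explicit requests and limits. Above the memory limit the container
# is OOM-killed and restarted; above the CPU limit it is throttled. Either way
# the blast radius of a resource-exhaustion bug stays inside Service B.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: service-b-bounded     # assumed name
  namespace: demo
spec:
  replicas: 1
  selector:
    matchLabels:
      app: service-b
  template:
    metadata:
      labels:
        app: service-b
    spec:
      containers:
        - name: service-b
          image: example.invalid/service-b:1.0   # placeholder image
          resources:
            requests:          # what the scheduler reserves on the node
              cpu: "250m"
              memory: "128Mi"
            limits:            # hard ceiling enforced by the kubelet
              cpu: "500m"
              memory: "256Mi"
---
# Safety net 1: a LimitRange injects default requests/limits into any container
# in the namespace that omits them, so the "unbounded" case above cannot occur
# by accident once this object exists.
apiVersion: v1
kind: LimitRange
metadata:
  name: default-limits
  namespace: demo
spec:
  limits:
    - type: Container
      default:               # applied as limits when none are set
        cpu: "500m"
        memory: "256Mi"
      defaultRequest:        # applied as requests when none are set
        cpu: "100m"
        memory: "64Mi"
---
# Safety net 2: a ResourceQuota caps the namespace as a whole, so even many
# replicas of a badly behaved workload cannot exhaust the cluster.
apiVersion: v1
kind: ResourceQuota
metadata:
  name: demo-quota
  namespace: demo
spec:
  hard:
    requests.cpu: "2"
    requests.memory: "2Gi"
    limits.cpu: "4"
    limits.memory: "4Gi"
    pods: "20"
```

Apply the file with `kubectl apply -f` after creating the namespace, then compare the two Pods with `kubectl get pod -n demo -o jsonpath='{.items[*].status.qosClass}'`: the unbounded one reports `BestEffort` (or `Burstable` once the LimitRange is in place) and the bounded one `Burstable`; setting requests equal to limits would make it `Guaranteed`, which is the class evicted last under node pressure. Note that a ResourceQuota with CPU or memory entries causes the API server to reject any new Pod that does not specify those resources, which is exactly why the LimitRange defaults are paired with it.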
Container
Code
Finally, moving down into the application code level, this is one of the primary attack surfaces over which you have the most control. This is also outside the scope of Kubernetes, but here are a few recommendations:
Robust automation
Most of the above mentioned suggestions can actually be automated in your code delivery pipeline as part of a series of security checks. To learn about a more “Continuous Hacking” approach to software delivery, the linked article provides more detail.
What's next
- Read about network policies for Pods
- Read about
- Read about API access control
- Read about for the control plane
- Read about Secrets in Kubernetes