Security is a significant concern for Kubernetes and container-based development, according to Red Hat’s State of Kubernetes Security report for 2022.
In fact, 93% of survey respondents experienced at least one security incident in their Kubernetes and container environments in the past 12 months, sometimes leading to the loss of customers or revenue. This was likely the result of a variety of factors, including a lack of security knowledge about containers and Kubernetes, inadequate tools, and central security teams unable to keep up with application development teams. Red Hat also notes that Kubernetes and containers were designed for developer productivity, not necessarily security.
Published last month, the report analyzed trends in Kubernetes, container, and cloud-native security. It was based on a survey of more than 300 devops, engineering, and security professionals. Red Hat published the following key findings:
- 55% of respondents delayed or slowed down application deployment due to security concern.
- 53% detected a misconfiguration in Kubernetes in the past 12 months.
- 57% worry the most about securing workloads at runtime.
- 78% have a devsecops initiative either in beginning or advanced stages.
- 43% consider devops as the role most responsible for Kubernetes security.
- 38% have had a major vulnerability to remediate pertaining to containers and/or Kubernetes in the previous 12 months.
Organizations adopting containers, Kubernetes, and a cloud-native ecosystems risk the security of their critical applications if they do not invest in security strategies and tools, Red Hat said. But devsecops—which builds security processes and tools into the devops pipeline—is seeing mass adoption.
Kubernetes is a highly customizable container orchestrator with various configuration options affecting application security, according to the report. Security tools should provide the guard rails to configure Kubernetes more securely. Runtime, in particular, represents the container lifecycle phase organizations worry about the most. But runtime security issues typically are caused by lapses such as a misconfiguration at the build or deploy stage.
Red Hat made the following recommendations to achieve better security:
- Use Kubernetes-native security architectures and controls.
- Security should start early and extend across the full lifecycle.
- Portability should be required across hybrid environments.
- Developers should be transformed into security users by bridging devops and security.