
How many common security problems have you encountered in Kubernetes?

2025-02-28 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/02 Report--

The report recommends that IT organizations that have deployed Kubernetes on AWS Elastic Kubernetes Service (EKS) address the following issues:

Isolated security groups for some EKS load balancers: the load balancer that acts as the EKS ingress controller is assigned the default security group. After 90 days, AWS automatically clears these permissions.

However, Threat Stack recommends that organizations proactively delete load balancers as soon as they are no longer in use, rather than waiting for that cleanup.
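Whether a load balancer or its security group has been left behind is something a security team can check rather than assume. The following audit helper is an added example, not code from the Threat Stack report: it takes data in the shape returned by `aws ec2 describe-security-groups` and `aws ec2 describe-network-interfaces`, lists security groups that no network interface (node, pod, or load balancer) still references, and flags any of them that still admit traffic from `0.0.0.0/0`. The two sample responses, the group names and the ids are constructed for the example.

```python
"""Find security groups no longer attached to any ENI (added example).

Input is the JSON structure of `aws ec2 describe-security-groups` and
`aws ec2 describe-network-interfaces`.  The sample data below is constructed
for this example, not captured from a real account.
"""
import json
from typing import Dict, List, Set

# Constructed sample: a leftover ingress load-balancer group (sg-0aaa111) that
# no interface references any more, the cluster group still in use, and the
# VPC default group.
SECURITY_GROUPS = {
    "SecurityGroups": [
        {"GroupId": "sg-0aaa111", "GroupName": "k8s-elb-a1b2c3", "VpcId": "vpc-01",
         "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                            "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
        {"GroupId": "sg-0bbb222", "GroupName": "eks-cluster-sg", "VpcId": "vpc-01",
         "IpPermissions": [{"IpProtocol": "-1",
                            "UserIdGroupPairs": [{"GroupId": "sg-0bbb222"}]}]},
        {"GroupId": "sg-0ccc333", "GroupName": "default", "VpcId": "vpc-01",
         "IpPermissions": []},
    ]
}
NETWORK_INTERFACES = {
    "NetworkInterfaces": [
        {"NetworkInterfaceId": "eni-01", "Groups": [{"GroupId": "sg-0bbb222"}]},
        {"NetworkInterfaceId": "eni-02", "Groups": [{"GroupId": "sg-0bbb222"},
                                                    {"GroupId": "sg-0ccc333"}]},
    ]
}


def attached_group_ids(network_interfaces: Dict) -> Set[str]:
    """Every security group id that some ENI still references."""
    ids: Set[str] = set()
    for eni in network_interfaces.get("NetworkInterfaces", []):
        for group in eni.get("Groups", []):
            ids.add(group["GroupId"])
    return ids


def world_open_ports(sg: Dict) -> List[str]:
    """Rules of a group that accept traffic from anywhere (0.0.0.0/0 or ::/0)."""
    open_ports: List[str] = []
    for perm in sg.get("IpPermissions", []):
        ranges = [r.get("CidrIp") for r in perm.get("IpRanges", [])]
        ranges += [r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])]
        if any(cidr in ("0.0.0.0/0", "::/0") for cidr in ranges):
            proto = perm.get("IpProtocol", "-1")
            if proto == "-1":
                open_ports.append("all")
            else:
                open_ports.append("%s/%s-%s" % (proto, perm.get("FromPort"),
                                                 perm.get("ToPort")))
    return open_ports


def orphaned_groups(security_groups: Dict, network_interfaces: Dict) -> List[Dict]:
    """Groups attached to nothing, with their world-open rules for triage.

    The VPC default group is skipped: it cannot be deleted and is not a
    leftover of any load balancer.
    """
    attached = attached_group_ids(network_interfaces)
    orphans: List[Dict] = []
    for sg in security_groups.get("SecurityGroups", []):
        if sg["GroupName"] == "default" or sg["GroupId"] in attached:
            continue
        orphans.append({
            "GroupId": sg["GroupId"],
            "GroupName": sg["GroupName"],
            "VpcId": sg["VpcId"],
            "world_open_ports": world_open_ports(sg),
        })
    return orphans


if __name__ == "__main__":
    # In practice feed the output of the two CLI calls above into these
    # functions; here the constructed sample is used.
    print(json.dumps(orphaned_groups(SECURITY_GROUPS, NETWORK_INTERFACES), indent=2))
```

A group that shows up here with a `world_open_ports` entry is the case worth handling first: nothing is attached to it today, but any future resource placed in it inherits the open rule.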

Multi-tenant EKS network mismatch: the EKS cluster uses the Amazon VPC CNI plug-in for Kubernetes so that Pods are represented directly on the AWS Virtual Private Cloud (VPC) network.

The report found that this was not sufficient to support Kubernetes network policies unless the organization also deployed an instance of Calico network virtualization software.

Because of how the Container Network Interface (CNI) plug-in maps to the AWS Elastic Network Interface (ENI), the CNI plug-in can only support one security group per node.

Threat Stack warns that this may cause problems when EKS schedules unrelated pods on the same node.
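Because every pod on a node shares that node's single security group, one useful check is to find the nodes where pods belonging to different tenants actually land together. The function below is an added example, not part of the report or of any EKS tooling: it takes a pod listing in the shape of `kubectl get pods -A -o json`, treats a pod's `tenant` label (an assumed labelling convention) or, failing that, its namespace as the tenant, ignores platform namespaces such as `kube-system`, and reports nodes hosting more than one tenant. The pod list is constructed for the example.

```python
"""Report nodes where pods of different tenants share a security group (added example).

Input is the JSON shape of `kubectl get pods -A -o json`.  The `tenant` label
is an assumed convention; namespaces are used as a fallback.  The sample pod
list is constructed for this example.
"""
from typing import Dict, List, Set

PODS = {
    "items": [
        {"metadata": {"name": "payments-api-1", "namespace": "payments",
                      "labels": {"tenant": "team-payments"}},
         "spec": {"nodeName": "ip-10-0-1-10"}},
        {"metadata": {"name": "cms-web-1", "namespace": "marketing",
                      "labels": {"tenant": "team-marketing"}},
         "spec": {"nodeName": "ip-10-0-1-10"}},
        {"metadata": {"name": "aws-node-x1", "namespace": "kube-system",
                      "labels": {}},
         "spec": {"nodeName": "ip-10-0-1-10"}},
        {"metadata": {"name": "payments-worker-1", "namespace": "payments",
                      "labels": {"tenant": "team-payments"}},
         "spec": {"nodeName": "ip-10-0-2-20"}},
        # Pending pod: no nodeName yet, so it cannot be attributed to a node.
        {"metadata": {"name": "cms-batch-1", "namespace": "marketing",
                      "labels": {"tenant": "team-marketing"}},
         "spec": {}},
    ]
}

PLATFORM_TENANTS = ("kube-system",)


def pod_tenant(pod: Dict) -> str:
    """Tenant of a pod: the `tenant` label, else its namespace."""
    meta = pod["metadata"]
    return meta.get("labels", {}).get("tenant") or meta["namespace"]


def tenants_per_node(pod_list: Dict) -> Dict[str, Set[str]]:
    """Map each node to the set of tenants whose pods run on it."""
    nodes: Dict[str, Set[str]] = {}
    for pod in pod_list.get("items", []):
        node = pod.get("spec", {}).get("nodeName")
        if not node:  # unscheduled pods have no node, hence no security group yet
            continue
        nodes.setdefault(node, set()).add(pod_tenant(pod))
    return nodes


def mixed_tenant_nodes(pod_list: Dict, ignore=PLATFORM_TENANTS) -> Dict[str, List[str]]:
    """Nodes that host pods from more than one non-platform tenant."""
    findings: Dict[str, List[str]] = {}
    for node, tenants in tenants_per_node(pod_list).items():
        tenants = tenants - set(ignore)
        if len(tenants) > 1:
            findings[node] = sorted(tenants)
    return findings


if __name__ == "__main__":
    for node, tenants in mixed_tenant_nodes(PODS).items():
        print("%s shares one security group between: %s" % (node, ", ".join(tenants)))
```

Nodes listed by this check are where a network policy engine such as Calico, or scheduling constraints that keep tenants on separate node groups, are needed to restore the isolation the node security group alone cannot give.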

Intruders use aws-iam-authenticator for EKS reconnaissance: suspicious users have downloaded the legitimate aws-iam-authenticator tool into the /tmp directory of an EKS container in order to access the EKS cluster with identity and access management (IAM) credentials.

The user then uses the AWS CLI to retrieve EKS information and explore the cluster further.
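The sequence just described (a binary dropped into /tmp inside a container, then aws-iam-authenticator and the AWS CLI run from there) is visible in process-execution telemetry. The detector below is an added example, not Threat Stack's rule set: it reads JSON-lines process events with the fields `container`, `pid`, `exe` and `argv` (an assumed event format; the four events are constructed), and raises an alert when a binary executes from a world-writable directory, when aws-iam-authenticator requests a token from inside a container, or when the AWS CLI is used against the eks, sts or iam services from a container.

```python
"""Flag EKS reconnaissance patterns in container process events (added example).

Event format (assumed for this example): one JSON object per line with
`container`, `pid`, `exe` (resolved executable path) and `argv`.
The sample events are constructed, not real telemetry.
"""
import json
from typing import Dict, List

SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"container": "web-7f9c", "pid": 4012, "exe": "/usr/sbin/nginx",
     "argv": ["nginx", "-g", "daemon off;"]},
    {"container": "web-7f9c", "pid": 4020, "exe": "/tmp/aws-iam-authenticator",
     "argv": ["./aws-iam-authenticator", "token", "-i", "prod-cluster"]},
    {"container": "web-7f9c", "pid": 4021, "exe": "/usr/local/bin/aws",
     "argv": ["aws", "eks", "describe-cluster", "--name", "prod-cluster"]},
    {"container": "web-7f9c", "pid": 4030, "exe": "/usr/bin/python3",
     "argv": ["python3", "app.py"]},
])

# Directories any process in the container can write to; application
# binaries have no reason to execute from them.
WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
# AWS service prefixes whose use from an application container is unusual.
WATCHED_SERVICES = ("eks", "sts", "iam")


def classify(event: Dict) -> List[str]:
    """Reasons this event matches a reconnaissance pattern (empty if none)."""
    reasons: List[str] = []
    exe = event.get("exe", "")
    argv = event.get("argv", [])
    name = exe.rsplit("/", 1)[-1]
    if exe.startswith(WRITABLE_DIRS):
        reasons.append("binary executed from world-writable path %s" % exe)
    if name == "aws-iam-authenticator" and "token" in argv:
        reasons.append("aws-iam-authenticator token request from inside a container")
    if name == "aws" and len(argv) > 1 and argv[1] in WATCHED_SERVICES:
        reasons.append("AWS CLI %s call from inside a container: %s"
                       % (argv[1], " ".join(argv)))
    return reasons


def scan(lines: str) -> List[Dict]:
    """Run classify() over JSON-lines input and collect alerts."""
    alerts: List[Dict] = []
    for line in lines.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        reasons = classify(event)
        if reasons:
            alerts.append({"container": event["container"],
                           "pid": event["pid"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print("%s pid=%d" % (alert["container"], alert["pid"]))
        for reason in alert["reasons"]:
            print("  - " + reason)
```

The first rule is the broadest and catches the drop-to-/tmp step regardless of which tool was downloaded; the other two narrow on the identity and cluster-discovery calls that follow, so an alert carrying two or three reasons from the same container is the strongest signal.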

Sam Bisbee, chief security officer of Threat Stack, said that the shared security approach adopted by most cloud service providers is particularly challenging for Kubernetes.

Most IT teams assume that they are responsible for protecting cloud applications, while cloud service providers protect infrastructure.

However, when it comes to container platforms such as Kubernetes, network security responsibilities are still not precisely defined.

As a result, this uncertainty may slow the deployment of Kubernetes clusters in production environments.

None of this means that Kubernetes will not be deployed in the cloud. Kubernetes services are among the fastest-growing services in cloud computing.

However, as more and more production applications are deployed to these services, security teams are scrutinizing them more and more closely.

The challenge, of course, is that containerized applications behave very differently from traditional monolithic applications, which network security teams will need time to get to know, Bisbee said.

Bisbee points out that, overall, organizations that adopt DevSecOps best practices tend to deploy applications on Kubernetes clusters in the cloud more often than organizations that have not adopted cloud security practices.

It may take a while for network security professionals to become fully familiar with containerized applications.

In theory, containerized applications are more secure, because it is much easier to replace a vulnerable container than to patch a monolithic application.

The problem, of course, is that given the complexity and relative lack of container security expertise, there are plenty of opportunities to make mistakes.
