Vulnerabilities in the Cloud-Native Supply Chain and Infrastructure

The Stack Overflow 2022 Developer Survey highlights Docker and Kubernetes as technologies that are the most loved, dreaded and wanted.

In the Stack Overflow 2022 Developer Survey, the technologies that are the most loved, dreaded and wanted are Docker and Kubernetes. The desire to start using Docker does not appear to be slowing down: Docker rose from 30% last year to 37% this year as a wanted technology. Growing adoption also brings with it a growing number of opportunities for vulnerabilities.

An overall lack of security knowledge around containers and Kubernetes, inadequate tools that don’t always meet users’ needs, and security teams that are unable to keep up with application development requirements are among the factors that make Kubernetes so complex. Red Hat also notes that Kubernetes and containers were designed for developer productivity, not necessarily for security.

That is why Red Hat’s 2022 State of Kubernetes Security report got us thinking. Hybrid cloud deployment strategies are preferred by large organisations, yet they require consistent security and compliance maintenance. According to the report, large organisations favour a hybrid approach for running containerised applications (42%), while smaller organisations gravitate toward a single cloud strategy (46%).

Report data

Kubernetes security requirements span the entire application development lifecycle, and enterprises need a security solution that protects containers and Kubernetes at every phase of that lifecycle. That is probably why more than half of the report’s respondents (57%) worry most about securing workloads at runtime.

Source: Red Hat’s 2022 State of Kubernetes Security report

Kubernetes is a highly customisable container orchestrator, which means there are many configuration options that affect application security. As the report suggests, security tools should provide straightforward safeguards for configuring Kubernetes more securely. Runtime is the container lifecycle phase that organisations worry about most, yet runtime security issues are mainly caused by lapses in configuration, such as a misconfiguration at the build or deploy stage.

Report analysis

We work with a number of partners and customers who agree that Kubernetes infrastructure needs to be secure, reliable, extensible and scalable. Yet none of these characteristics and capabilities matters if securing it is not just as seamless.

Red Hat’s 2022 State of Kubernetes Security report highlights how security is a major concern and an obstacle to container adoption, with security threats and issues creating roadblocks to deploying these applications into production. It also flags the most common types of security incidents that companies experience in their Kubernetes environments: 93% of respondents reported experiencing at least one security incident in their Kubernetes environments in the past 12 months, 31% of which resulted in revenue and customer loss.

Enterprises are increasingly adopting containers and Kubernetes and investing in the cloud-native ecosystem to drive growth and innovation, but this also accelerates the need to invest in sustainable security practices, strategies and tooling at the same time. The risk is twofold: compromising the security of critical applications, and delaying application or solution rollouts. Investing in tooling that lets security reside within the application development lifecycle, rather than as a separate process, can be a key enabler in avoiding these risks.

Kubernetes’ flexibility is also its downfall: it is a highly customisable container orchestrator with many configuration options, and misconfigurations can have a huge impact on an application’s exposure to vulnerabilities.
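The deploy-stage misconfigurations the report points to can be caught before they ever reach runtime with a pre-deploy check. The following is an added example, not code from the report or from this post: it audits a handful of pod security settings chosen here for illustration (host namespace sharing, privileged mode, privilege escalation, root user, writable root filesystem, image pinning and resource limits) against two constructed manifests, one typical quick-start spec and the same workload with those settings corrected.

```python
# Added example (not the report's or this post's code): a pre-deploy manifest audit.
def audit_pod_spec(manifest: dict) -> list[str]:
    """Return findings for a Pod manifest given as a dict (parsed YAML)."""
    findings = []
    spec = manifest.get("spec", {})
    pod_sc = spec.get("securityContext", {})
    # Sharing host namespaces exposes the node's processes or network to the pod.
    for flag in ("hostPID", "hostNetwork", "hostIPC"):
        if spec.get(flag):
            findings.append(f"pod: {flag} enabled")
    for c in spec.get("containers", []):
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            findings.append(f"{name}: privileged container")
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(f"{name}: allowPrivilegeEscalation not set to false")
        # runAsNonRoot can be set at pod or container level; the container wins.
        if not sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False)):
            findings.append(f"{name}: not required to run as non-root")
        if not sc.get("readOnlyRootFilesystem"):
            findings.append(f"{name}: writable root filesystem")
        # An unpinned image tag means the deployed code can change silently.
        image = c.get("image", "")
        if ":" not in image.rsplit("/", 1)[-1] or image.endswith(":latest"):
            findings.append(f"{name}: image tag not pinned ({image or 'none'})")
        if "limits" not in c.get("resources", {}):
            findings.append(f"{name}: no resource limits")
    return findings

# Constructed sample manifests (not from the page): a typical quick-start spec
# and the same workload with its deploy-stage settings corrected.
INSECURE_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web"},
    "spec": {"hostNetwork": True,
             "containers": [{"name": "web", "image": "example/web:latest",
                             "securityContext": {"privileged": True}}]},
}
HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web"},
    "spec": {"securityContext": {"runAsNonRoot": True},
             "containers": [{"name": "web", "image": "example/web:1.4.2",
                             "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}},
                             "securityContext": {"allowPrivilegeEscalation": False,
                                                 "readOnlyRootFilesystem": True}}]},
}

if __name__ == "__main__":
    for label, pod in (("insecure", INSECURE_POD), ("hardened", HARDENED_POD)):
        print(label, audit_pod_spec(pod) or ["no findings"])
```

The same checks can run in CI against rendered manifests, so a misconfiguration is rejected at the deploy stage rather than surfacing as a runtime incident.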

The Kubernetes landscape is forever growing, with the number of Kubernetes distributions and deployments expanding as enterprises continue to gravitate towards cloud-based Kubernetes offerings. Soon the complexity of managing these clusters will become unfeasible for operations teams, who will increasingly need companies that provide secure platforms for managing cloud-native deployments over any Kubernetes infrastructure, anywhere.

The 2022 State of Kubernetes Security report demonstrates that, although security can be a roadblock for enterprises adopting Kubernetes, containerisation and cloud-native technologies, adoption is on the rise. Kubernetes and containers were, after all, designed for developer productivity, not necessarily for manageable security.

Kubernetes only really meets its potential to maximise deployment agility if it is secure, reliable, extensible and scalable. Security is hard when things are constantly changing. If it was easy, everyone would be doing it.
