Public Cloud Kubernetes v Other Distros – A Security View

Table of Contents

Last week I published a blog, “How to spot gaps in your Public Cloud Kubernetes Security Posture” with the aim of providing a very high-level view of where security matters in public cloud Kubernetes.

Originally I intended to provide information for people new to Kubernetes and a few people have asked for some context to the blog, so here’s the introduction that was cut out of the original blog!

Importance of Kubernetes security

Tesla was hacked because their Kubernetes administrative console was not password protected. In another incident, Capital One left their AWS firewall definitions too lax and 30GB of credit application data (affecting 106 million customers) was exposed. Aside from implementing Kubernetes itself, the single most important consideration is security.  

Roughly 60% of Kubernetes security breaches are due to misconfiguration (State of Kubernetes Security 2021).

More than any other technology area, public cloud has always had the capability of introducing unseen vulnerabilities, particularly through shadow IT, and the ease with which services are available to be consumed by development teams and end users. 

Do you actually know if your organization is using or planning to use public cloud Kubernetes? Do you understand what this means in terms of protecting the organization’s applications and data?

blog how to spot gaps in your public cloud kubernetes security posture 01

The above diagram is the premise for the article “How to Spot Gaps in Your Public Cloud Kubernetes Security Posture“ which aims to show just some of the areas that you need to consider, it’s a never-ending challenge keeping up to speed. Especially when presented with paradigm-shifting technology that is obtuse and pervasive, because it will be pervasive, and if you are not already armed with the high-level information about attack vectors and vulnerability maps that is needed to understand the security posture that you want to take.

If you already understand Kubernetes and containers, then great. You don’t need to be an expert in containers and Kubernetes but understanding the basics is essential to be able to identify where to focus effort.

worker nodes

The simplified Kubernetes architecture above is the basis for understanding some of the security areas that need to be considered. 

Take a look at these articles to get a high-level understanding of the technologies in question, with a focus on Linux containers and Kubernetes:

Public Cloud Kubernetes v Kubernetes Distributions

Kubernetes can be used anywhere, public cloud, private datacenter, Edge, etc. There is, however, a distinction we need to make when we want to use Kubernetes in a public cloud. We have a choice of using Kubernetes in two ways.

Cloud managed or self managed Kubernetes

With a self managed Kubernetes platform, we may use the open source Kubernetes project as a starter or take a 3rd party Kubernetes distribution like Red Hat’s OpenShift or VMWare’s Tanzu and deploy to public cloud.  Alternatively, we may make use of a public cloud’s native Kubernetes services.

What’s the difference?

Opensource, OpenShift and Tanzu give you ultimate control in building and managing Kubernetes clusters, it is up to you to install, manage and maintain all of the components in your platform and infrastructure that make up Kubernetes. You are responsible for managing the compute (servers), control plane (core services needed to run Kubernetes clusters), networking and storage.

cloud provider managed
 Self managed kubernetes on cloud

The second choice is to use public cloud Kubernetes services. The big difference is that the cloud providers will manage and run the Kubernetes infrastructure and you only need to take care of using Kubernetes to deploy and run your container workloads.

network
 Public cloud managed kubernetes service

Security and compliance are considered shared responsibilities in public cloud

Security and compliance are considered shared responsibilities when using a managed service like AKS/EKS/GKE. Generally speaking, the cloud provider is responsible for security “of” the cloud whereas you are responsible for security “in” the cloud. 

The public cloud providers are responsible for management of the Kubernetes control plane. This includes the Kubernetes masters, the ETCD database, and other infrastructure necessary to deliver a secure and reliable service. As a consumer of public cloud Kubernetes services, you are largely responsible for everything else e.g. IAM, pod security, runtime security, network security, and so forth.

shared responsbility model
 Shared responsibility model

Take a look at a great article talking about shared responsibility: How to Take “Shared Responsibility” of Cloud Security

So this was a really short introduction to the differences between public cloud Kubernetes and 3rd party and open source distributions of Kubernetes. Now head over to “How to Spot Gaps in Your Public Cloud Kubernetes Security Posture” blog to get a full picture of where security matters in public cloud.

About Appvia

Appvia enables businesses to solve complex cloud challenges with products and services that make Kubernetes secure, cost-effective and scalable.

Our founders have worked with Kubernetes in highly regulated, highly secure environments since 2016, contributing heavily to innovative projects such as Kops and fully utilizing Kubernetes ahead of the curve. We’ve mastered Kubernetes, and experienced its complexities, so our customers don’t have to. 

Share this article
Twitter
LinkedIn
Facebook
profile-112x112-crop-1 (3)
Graeme Colman
HEAD OF PRESALES, EMEA

The podcast that takes a lighthearted look at the who, what, when, where, why, how and OMGs of cloud computing

Related insights

Managing Kubernetes Secrets with HashiCorp Vault vs. Azure Key Vault Keeping secrets secure...
Namespaces are a vital feature of Kubernetes. They allow you to separate uniquely named...
DevOps teams have rapidly adopted Kubernetes as the standard way to deploy and...
Once you start working with Kubernetes, it’s natural to think about how you...
Self-service of cloud resources Kubernetes has been brilliant at delivering an ecosystem for...
Pods, deployments, and services are just some of the concepts that you need to understand in...
Last week I published a blog, “How to spot gaps in your Public Cloud...
Breaking down the core areas that you should be aware of when considering...
5 tips to help you manage more with less Not every manager of...
Public cloud has provided huge benefits in getting infrastructure and services to people...
This is the story of how three Appvia Engineers contributed so much to...
Overview The UK Home Office is a large government organisation, whose projects and...