More than 50% of respondents to the State of Kubernetes Security Report 2023 were highly concerned about misconfigurations and vulnerabilities when it came to the security of their applications in containers and Kubernetes environments.
But, there are ways to mitigate the risks introduced by misconfigurations. One way is to take a proactive approach with configuration management - introducing automation for security scanning, having a zero trust policy within the cluster, ensuring you are thinking about security for the platform and the application-level.
A couple of best practices for configuration management are:
- Set egress policies for your pods: A lot of external attacks or breaches on the pod-level come via the internet. You can configure your pods to prevent this. A lot of pods might not need internet access at all - they just need to be able to communicate with other pods and DNS. You can set egress policies for your pods and by making egress impossible, you can mitigate it at the pod level by eliminating the possibility of the pod accessing the internet and being vulnerable to being attacked.
- Containers have writable file systems that are ephemeral. But, you can change this to ensure you are using read-only file systems and empty-dr. Tools like podman-diffs to gain visibility into how your apps are interacting with local file systems and can help you check this.
Watch the second episode of the Security Series on Ask an OpenShift Admin, where Chris Porter joins Andrew and Jonny to talk about Configuration Management for security in more detail! They go over how to build a security mindset, small steps you can take today to build apps the DevSecOps way, and more best practices for configuration management.
At Red Hat, we offer Red Hat Advanced Cluster Security for Kubernetes as a way to manage container images and their related issues. Try ACS Cloud Service today!
Tune in next week for part three on Runtime Security of this new series!
Sull'autore
Jehlum is a Product Manager in the Red Hat AI team. She's focused on building platforms for generative AI applications. I am especially interested in data processing, observability, safety, evaluation - all key components to build production-grade generative AI applications on platforms that scale.
Altri risultati simili a questo
Take your automation to the next level with Ansible Content Collections for Windows, Splunk, AIOps, MCP, and more
Automating the modern network: A Q1 network automation recap
Technically Speaking | Taming AI agents with observability
You Can't Automate Buy-In | Code Comments
Ricerca per canale
Automazione
Novità sull'automazione IT di tecnologie, team e ambienti
Intelligenza artificiale
Aggiornamenti sulle piattaforme che consentono alle aziende di eseguire carichi di lavoro IA ovunque
Hybrid cloud open source
Scopri come affrontare il futuro in modo più agile grazie al cloud ibrido
Sicurezza
Le ultime novità sulle nostre soluzioni per ridurre i rischi nelle tecnologie e negli ambienti
Edge computing
Aggiornamenti sulle piattaforme che semplificano l'operatività edge
Infrastruttura
Le ultime novità sulla piattaforma Linux aziendale leader a livello mondiale
Applicazioni
Approfondimenti sulle nostre soluzioni alle sfide applicative più difficili
Virtualizzazione
Il futuro della virtualizzazione negli ambienti aziendali per i carichi di lavoro on premise o nel cloud
