DevSec For Scale Podcast – Common Kubernetes Security Misconfigurations w/ Rotem Refael, ARMO
In this episode of the “DevSec for Scale” podcast, host Jeremy Hess welcomes Rotem Refael, Director of Engineering at ARMO, a Kubernetes security company based in Tel Aviv. Rotem discusses the findings from ARMO’s research, in which publicly reachable Kubernetes clusters were scanned for misconfigurations, and highlights the most common issues and their implications. Every scanned cluster (100%) had at least one misconfiguration: 65% were missing resource policies, around 70% ran containers without an immutable (read-only) file system, and many had undefined ingress and egress routes.
Rotem explains that networking issues are particularly common, with many clusters lacking proper ingress and egress definitions, thus exposing workloads to external threats. She emphasizes the importance of network policies in Kubernetes and the simplicity of adding these configurations to enhance security. Rotem suggests that organizations adopt a systematic approach, such as creating frameworks or checklists, to ensure all necessary configurations are in place and to minimize the risk of exposure.
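The "simple to add" network configuration described above, as an added example that is not from the podcast or from ARMO: a namespace-wide default deny, followed by a policy that re-opens only the paths one web tier needs. The namespace name `shop`, the labels, the `ingress-nginx` namespace and the port numbers are assumptions chosen for illustration.

```yaml
# Added example, not from the podcast or from ARMO. Namespace, labels and
# ports are assumptions.
#
# Step 1: deny all ingress and egress for every pod in the namespace. An
# empty podSelector selects all pods; listing both policyTypes with no
# ingress/egress rules means nothing is allowed until another policy adds it.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: shop
spec:
  podSelector: {}
  policyTypes:
    - Ingress
    - Egress
---
# Step 2: re-open only what the web tier needs. NetworkPolicies are additive,
# so this grants on top of (never overrides) the deny-all above.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: web-allow-minimal
  namespace: shop
spec:
  podSelector:
    matchLabels:
      app: web
  policyTypes:
    - Ingress
    - Egress
  ingress:
    # Only the ingress controller may reach the web pods, and only on 8080.
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: ingress-nginx
      ports:
        - protocol: TCP
          port: 8080
  egress:
    # DNS: without this rule the pod cannot resolve any name once egress is
    # denied, which is the most common way a default-deny rollout "breaks" apps.
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
    # The database tier in the same namespace, on its service port only.
    - to:
        - podSelector:
            matchLabels:
              app: db
      ports:
        - protocol: TCP
          port: 5432
```

Apply both with `kubectl apply -f`, then verify from a pod in the namespace that DNS and the database still work while an arbitrary external address does not. One caveat a practitioner should check first: the API server accepts NetworkPolicy objects on any cluster, but they are only enforced when the CNI plugin supports them (Calico and Cilium do; some default cloud CNIs do not unless a policy engine is enabled). On a CNI without enforcement these objects are silently ineffective.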
Another critical area discussed is the management of application credentials. Although the problem is well known, developers still routinely hardcode secrets into YAML manifests, where anyone who can read the repository, the CI logs, or the deployed objects can recover them. Rotem recommends keeping sensitive values out of manifests and supplying them instead through environment variables or dedicated secrets management tools.
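The hardcoded-secret pattern next to its fix, as an added example that is not from the podcast or from ARMO. The Deployment name, image, environment variable and placeholder password are assumptions; the "after" manifest still delivers the value as an environment variable, but reads it from a Kubernetes Secret that is created out of band rather than committed to git.

```yaml
# Added example, not from the podcast or from ARMO. Names, image and the
# placeholder password are assumptions (the password is not a real credential).
#
# BEFORE (anti-pattern): the credential lives in the manifest, so anyone who
# can read the repo, the CI logs, or `kubectl get deploy -o yaml` has it.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: api-insecure
spec:
  replicas: 1
  selector:
    matchLabels:
      app: api
  template:
    metadata:
      labels:
        app: api
    spec:
      containers:
        - name: api
          image: registry.example.com/api:1.4.2
          env:
            - name: DB_PASSWORD
              value: "Sup3rS3cretP@ss"   # hardcoded: do not do this
---
# AFTER: the Deployment references a Secret by name; the manifest in git no
# longer contains the value. The Secret itself is created outside the repo,
# for example:
#   kubectl create secret generic api-db-credentials \
#     --from-literal=password='<value from your vault>'
# or by a secrets operator that syncs it from an external vault. Remember that
# a Secret is base64-encoded, not encrypted: restrict `get` on secrets via
# RBAC and enable encryption at rest on the API server.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: api
spec:
  replicas: 1
  selector:
    matchLabels:
      app: api
  template:
    metadata:
      labels:
        app: api
    spec:
      containers:
        - name: api
          image: registry.example.com/api:1.4.2
          env:
            - name: DB_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: api-db-credentials   # created out of band, see above
                  key: password
```

A quick check that the repository is clean after the change: `git grep -nE 'value: *"?[A-Za-z0-9@#$%^&*]{12,}' -- '*.yaml'` (a constructed, deliberately loose pattern) should return nothing for the `env:` blocks, and `kubectl get deploy api -o yaml` should show only the `secretKeyRef`, never the value.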
Rotem also highlights the importance of keeping the operating system up-to-date and enabling features like SELinux to ensure containers benefit from the latest security updates and hardening measures. She notes that while enabling these features may seem simple, they can significantly impact the overall security posture of the deployment. Additionally, she stresses the need for careful management of RBAC (Role-Based Access Control) in Kubernetes, to avoid over-privileging users, which can lead to severe security risks.
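The hardening points from this paragraph and the immutable file system and resource policy findings from the research summary, as one added example that is not from the podcast or from ARMO. The Deployment shows a pod spec that satisfies those checks on the workload side (the host OS patching and SELinux enforcement that Rotem mentions are node-level settings this manifest can only reference, not enable); the RBAC objects show an over-privileged binding next to a scoped one. Image name, namespace, label values, user ID and SELinux level are assumptions.

```yaml
# Added example, not from the podcast or from ARMO. Image, namespace, labels,
# UID and the SELinux level are assumptions.
#
# Pod hardening: read-only root filesystem, resource limits, non-root user,
# no privilege escalation, dropped capabilities, default seccomp profile.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: worker
  namespace: shop
spec:
  replicas: 2
  selector:
    matchLabels:
      app: worker
  template:
    metadata:
      labels:
        app: worker
    spec:
      automountServiceAccountToken: false   # most workloads never call the API
      securityContext:
        runAsNonRoot: true
        runAsUser: 10001
        seccompProfile:
          type: RuntimeDefault
        seLinuxOptions:           # only meaningful on nodes running SELinux
          level: "s0:c123,c456"   # in enforcing mode; keep the OS patched too
      containers:
        - name: worker
          image: registry.example.com/worker:2.0.1
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true     # the "immutable file system" check
            capabilities:
              drop: ["ALL"]
          resources:                         # the "resource policy" check
            requests:
              cpu: "100m"
              memory: "128Mi"
            limits:
              cpu: "500m"
              memory: "256Mi"
          volumeMounts:
            - name: tmp            # writable scratch space that the read-only
              mountPath: /tmp      # root filesystem no longer provides
      volumes:
        - name: tmp
          emptyDir: {}
---
# RBAC anti-pattern: a CI service account bound to cluster-admin. One leaked
# token from the pipeline is then a full cluster compromise.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: ci-is-cluster-admin   # do not do this
subjects:
  - kind: ServiceAccount
    name: ci-deployer
    namespace: shop
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io
---
# Least privilege: a namespaced Role with only the verbs the deployer needs,
# bound with a RoleBinding so it cannot reach other namespaces.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: deployer
  namespace: shop
rules:
  - apiGroups: ["apps"]
    resources: ["deployments"]
    verbs: ["get", "list", "patch", "update"]
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ci-deployer
  namespace: shop
subjects:
  - kind: ServiceAccount
    name: ci-deployer
    namespace: shop
roleRef:
  kind: Role
  name: deployer
  apiGroup: rbac.authorization.k8s.io
```

Two checks worth running after applying the scoped RBAC: `kubectl auth can-i delete pods -n shop --as=system:serviceaccount:shop:ci-deployer` should answer `no`, and `kubectl auth can-i patch deployments -n shop --as=system:serviceaccount:shop:ci-deployer` should answer `yes`. If an application breaks under `readOnlyRootFilesystem: true`, the fix is to mount an `emptyDir` at the one path it writes to, as done for `/tmp` above, not to drop the setting.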
To help developers implement security best practices without adding too much to their workload, Rotem suggests integrating security checks into the development pipeline. Plugins for IDEs such as Visual Studio Code give developers real-time feedback on security issues as they write code and manifests. Additionally, automated gates in the CI/CD pipeline that halt a deployment when a security threshold is breached ensure misconfigurations and vulnerabilities are caught early, before they reach production. Overall, this episode provides valuable insights into common Kubernetes misconfigurations and practical advice for integrating security into the development lifecycle.
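One way to build the CI/CD gate described above, as an added example that is not from the podcast or from ARMO. It is a GitHub Actions workflow that scans the repository's manifests with the Kubescape CLI (ARMO's open-source scanner, which the episode does not name; its use here is my choice) and fails the job when the compliance score falls below a threshold. It assumes the manifests live under `k8s/`, that the `kubescape` binary is already on the runner, and that the flags are as I recall them from the Kubescape documentation; confirm them with `kubescape scan --help` on the version you install.

```yaml
# Added example, not from the podcast or from ARMO. Assumes manifests under
# ./k8s and a `kubescape` binary already present on the runner; flag names
# should be checked against the installed Kubescape version.
name: k8s-misconfig-gate

on:
  pull_request:
    paths:
      - "k8s/**"

jobs:
  kubescape:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Scan manifests and fail below the threshold
        # Kubescape exits non-zero when the compliance score is below the
        # threshold, which fails this job. Marking the check as "required"
        # in branch protection is what turns a failed job into a blocked merge.
        run: |
          kubescape scan framework nsa k8s/ \
            --compliance-threshold 80 \
            --format junit \
            --output kubescape-results.xml

      - name: Keep the report as a build artifact
        if: always()   # upload on failure too, so reviewers can see why
        uses: actions/upload-artifact@v4
        with:
          name: kubescape-results
          path: kubescape-results.xml
```

Two design notes. First, start the threshold at the score the repository already achieves and raise it over a few sprints; a gate that fails every PR on day one gets disabled, not fixed. Second, how the scanner binary gets onto the runner is itself a supply-chain decision: pin a release version and verify its checksum rather than piping an install script to a shell, which is exactly the kind of shortcut this pipeline is meant to catch.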