
Is Your Kubernetes Platform Out of Control?

Consider a Managed Kubernetes PaaS

Francisco Cosin, Head of Cloud and DevOps at UST Spain & Latam


The need to leverage cloud-native efficiencies has been the driving force behind the rapid adoption of application containers over the last 4-5 years. The trend is accelerating, with the compound annual growth rate (CAGR) of the container market forecast to be 33% through 2028.

Containerization helps app dev teams achieve the accelerated release velocity needed to meet business demands. Containers bundle the app and its dependencies, which means the lightweight write-once image can run anywhere.

Kubernetes (K8s) is the de facto standard for orchestration of containerized applications at scale, automating management and abstracting infrastructure to accelerate both development and deployment. K8s also improves app reliability by monitoring service health and automating remediation, such as restarting stalled or failed containers. Since the OS doesn’t need to be restarted, there’s no compromise between speed and availability.

Forrester predicts that businesses will double down in 2023 on cloud-native technologies like K8s for existing and new applications, balancing the need to control cloud costs against the need to maintain the speed of innovation.

The challenge of K8s

Provisioning, maintaining, and scaling K8s in production has proven to be a considerable challenge for IT ops. In the open-source world, K8s is evolving quickly, and many organizations have a hard time keeping pace. The steep and continuous learning curve of a K8s ecosystem creates a distraction that quickly erodes the productivity gains of containerization.

IT teams would prefer to ‘deploy and forget’ on Kubernetes, but the reality is that K8s requires constant monitoring, tuning, and updating to avoid performance and security issues down the road. Ongoing management results in a financial drain that further strains cloud cost containment objectives.

Kubernetes is an enticing target

Unfortunately, Kubernetes has become a target for attackers who exploit the complexity of K8s infrastructure. Attack vectors include cluster misconfiguration, stolen credentials, backdoors, unencrypted secrets, and tricking automated processes into deploying malicious code, among many others. K8s complexity ‘creates its own vulnerabilities.’

Statelessness adds vulnerability, as described in this TechTarget article:

"The stateless nature of Kubernetes makes it difficult to accurately determine access privileges to applications running within it, leaving it vulnerable to exploits unless carefully secured."

Not only the Control Plane and Node Components of the Kubernetes cluster, but also the applications running inside the cluster represent a large attack surface. Securing them encompasses a range of access controls as well as best practices for managing credentials, third-party integrations, and secrets.

Containers and K8s clusters are two of the 4C’s (cloud, cluster, container, code) of a cloud-native security strategy, and require new tooling and expertise to apply stringent controls. Kubernetes security is only as strong as your weakest link.

Shared responsibility

Many organizations are opting for managed K8s services like AWS EKS, Azure AKS, and Google GKE to shed a significant share of the maintenance burden. These services manage the control plane, which can run across multiple zones to keep Kubernetes orchestration available. They also auto-detect and replace underperforming K8s nodes if needed.

You still handle the ongoing management and configuration of worker nodes, though. And while the services handle patch upgrades, you may be responsible for upgrading major service releases. Are you familiar with container runtimes? They run on the worker nodes and, yes, they need maintenance.

Security and compliance are shared responsibilities as well. AWS EKS, Azure AKS, and Google GKE secure the Kubernetes control plane, and you are responsible for things like IAM, pod security, and network security.
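As an added illustration of what the customer-side "pod security" responsibility amounts to in practice (this is example code, not UST's tooling or any cloud provider's own checks), here is a small checker for a subset of the Kubernetes Pod Security Standards "restricted" profile, run over a constructed weak pod manifest and its hardened counterpart:

```python
# Subset of the Kubernetes Pod Security Standards "restricted" profile as a
# checker over a Pod manifest already parsed to a dict (subset only, not the full profile).

# Constructed sample: a pod spec that nothing on a managed cluster rejects
# unless the customer enforces pod security themselves.
WEAK_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web"},
            "spec": {"hostNetwork": True,
                     "containers": [{"name": "web", "image": "nginx",
                                     "securityContext": {"privileged": True}}]}}

# Constructed sample: the same workload with a compliant securityContext.
HARDENED_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web"},
                "spec": {"securityContext": {"runAsNonRoot": True,
                                             "seccompProfile": {"type": "RuntimeDefault"}},
                         "containers": [{"name": "web", "image": "nginx",
                                         "securityContext": {
                                             "allowPrivilegeEscalation": False,
                                             "capabilities": {"drop": ["ALL"]}}}]}}


def restricted_findings(pod):
    """Return human-readable violations; an empty list means the spec passes."""
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})
    findings = []
    for field in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(field):
            findings.append(f"spec.{field} must be false")
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name, sc = c.get("name", "<unnamed>"), c.get("securityContext", {})
        if sc.get("privileged"):
            findings.append(f"{name}: privileged must be false")
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append(f"{name}: allowPrivilegeEscalation must be false")
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            findings.append(f"{name}: capabilities.drop must include ALL")
        # runAsNonRoot and seccompProfile may be inherited from the pod level;
        # an explicit container-level value overrides the pod-level one.
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            findings.append(f"{name}: runAsNonRoot must be true")
        seccomp = sc.get("seccompProfile", pod_sc.get("seccompProfile")) or {}
        if seccomp.get("type") not in ("RuntimeDefault", "Localhost"):
            findings.append(f"{name}: seccompProfile must be RuntimeDefault or Localhost")
    return findings
```

On a live cluster the same profile is enforced declaratively by labelling a namespace with `pod-security.kubernetes.io/enforce: restricted`; the checker above is useful for catching manifests in CI before they reach that admission check.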

UST Managed Kubernetes PaaS

Many businesses now realize they want to get out of the DIY Kubernetes business and are moving to a managed Kubernetes service such as the one UST offers. UST has deep expertise in container and Kubernetes management and security at enterprise scale. A major telco provider runs tens of thousands of containers across multiple clouds with our managed Kubernetes service, processing almost 1 billion requests per day and 4Gb of logs every second.

UST manages Kubernetes so IT teams can deploy and run applications more efficiently without becoming K8s management and security experts. And we work with customers worldwide no matter where they are in their containerization journey, whether they are just beginning to implement containerized applications, operationalizing Kubernetes, or scaling K8s across the organization.

As your technology partner, we assess the development environment as well as business needs to define a tailored container and K8s solution that complements cloud Kubernetes services. We will design and manage your Kubernetes platform so you can offload administration and maintenance overhead and ensure security for mission-critical workloads. With prebuilt engineering accelerators such as starter kits, libraries, templates, and sidecar assets, we'll get you up and running much faster than a build-your-own solution.

K8s clusters are managed centrally across public and private clouds, reducing the complexity of a multi/hybrid cloud strategy. UST allows customers to deploy containers consistently and securely wherever they want. We ensure adherence to the CIS Benchmark for Kubernetes and inject security into every element of the CI/CD pipeline, freeing up development teams to innovate without compromising your organization’s security posture. A SecDevOps culture implemented, for real.

In addition to cluster lifecycle management, UST’s Kubernetes Managed Services encompass a wide range of capabilities, such as infrastructure telemetry, GitOps for config & infrastructure version control, and developer self-service provisioning. And as with all our services, you are backed by 24x7x365 worldwide support coverage.

As the volume, scale, and scope of containerized applications grow, offloading the operational burden through a Managed Kubernetes service makes even more sense. Kubernetes usage is growing beyond stateless applications, further raising the demand for in-house expertise. There was a lot of talk at KubeCon 2022, for example, about how to build and operate stateful workloads on Kubernetes. The CNCF has even created a community to discuss how to build and operate data-centric applications on Kubernetes.

Don’t go it alone. Contact me, and I will have one of our engineers assess your environment and discuss your needs.