Kubernetes Podcast from Google: Episode Summary
Title: Container Security, with Michele Chubirka
Hosts: Abdel Sghiouar, Kaslin Fields, Anton Chuvakin
Guest: Michele Chubirka
Release Date: October 15, 2024
Introduction and Collaboration
In this special episode of the Kubernetes Podcast from Google, hosts Abdel Sghiouar and Kaslin Fields team up with Anton Chuvakin and Tim Peacock from the Cloud Security Podcast. Together they interview Michele Chubirka, a Cloud Security Developer Advocate at Google, about the nuances of container security in Kubernetes environments.
News Highlights
- Google Announces NVIDIA NIM on GKE [00:46]
  - NVIDIA NIM (NVIDIA Inference Microservices) is now available on Google Kubernetes Engine (GKE).
  - Part of the NVIDIA AI Enterprise platform, NIM streamlines running AI models across various platforms, including Kubernetes, with a single command line.
- Kubernetes Steering Committee Election Results 2024 [01:10]
  - New members: Antonio Ojea and Benjamin Elder from Google, and Sascha Grunert from Red Hat.
  - The Steering Committee oversees Kubernetes governance, with members serving two-year terms.
- KubeCon + CloudNativeCon India Schedule Release [01:30]
  - The inaugural KubeCon + CloudNativeCon India is scheduled for December 11-12, 2024, in Delhi.
  - Hosts encourage listeners to check the show notes for the event schedule.
- Diagrid Launches Catalyst [01:46]
  - Catalyst is Diagrid's managed Dapr platform, currently in beta.
  - It offers managed services for building microservices applications on top of Dapr, expanding on previous discussions about Dapr with Mauricio Salatino (Salaboy).
Main Discussion: Container Security with Michele Chubirka
1. VM vs. Containers: A Security Perspective [05:37]
- Question: Are Virtual Machines (VMs) or containers more secure?
- Michele's insight: "I think that's the wrong question. It depends on the context and how your organization is structured." [05:37]
- Security effectiveness hinges on organizational collaboration, particularly between security and platform engineering teams.
- Conway's Law of Cloud Security: The security level is influenced by how an organization is structured and how its teams interact.
2. Isolation vs. Segregation in Containers [09:58]
- Clarification: Michele prefers the term "segregation" over "isolation" for containers because they share the host kernel.
- Quote: "Containers don't offer isolation; they offer segregation." [09:58]
- Michele notes a higher incidence of container escapes compared to VM escapes in her experience.
3. Organizational Structure and Security Culture [08:26]
- Michele emphasizes the importance of a generative culture in which security and platform teams collaborate effectively.
- Trust and mutual understanding are crucial for building robust security measures within Kubernetes environments.
4. Attack Surfaces: Containers vs. VMs [15:38]
- Kaslin's point: Understanding the technological boundaries in Kubernetes (container, pod, namespace, cluster) is essential for choosing appropriate security measures.
- Michele's explanation: Effective segmentation and trust boundary management are vital. Poor organization can lead to insecure configurations, such as mixing PCI DSS applications with internal backend services on the same cluster.
5. Misconfigurations in Container Security [28:33]
- Common misconfigurations stem from a lack of understanding and inadequate tooling.
- Anton’s Remark: "People assume the attack surface is smaller for containers, which is an unspoken assumption." [18:54]
- Michele advocates robust DevSecOps pipelines that enforce immutability and proper configuration checks to mitigate risks.
6. Patching and Immutability of Containers [23:03]
- Patching: Rather than patching running containers, the best practice is to rebuild and redeploy container images with updates.
- Immutability: Containers should remain unchanged post-deployment. If modifications occur, the container should be terminated and replaced.
- Michele's insight: "Immutability is only effective if enforced. Allowing direct interactions with containers undermines this principle." [23:35]
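As an added example (not code from the episode or from any project it mentions), the following Python check makes the point of sections 5 and 6 concrete: a small gate a DevSecOps pipeline could run over Pod manifests, flagging images that are not pinned by digest (so updates only arrive by rebuild and redeploy) and containers whose root filesystem can be modified in place. The rule set, the sample manifests and the all-zero digest are constructed for illustration.

```python
from typing import Dict, List
# Hypothetical pipeline gate (added example, not from the episode): flags Pod
# settings that let a container drift from the image that was built and scanned.
def immutability_findings(pod: Dict) -> List[str]:
    """Return findings for one Pod manifest (already parsed from YAML/JSON)."""
    findings: List[str] = []
    spec = pod.get("spec", {})
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name = c.get("name", "<unnamed>")
        image = c.get("image", "")
        # Updates should arrive by rebuild and redeploy: a digest pins exactly
        # what was built, while a tag like :latest can change under the cluster.
        if "@sha256:" not in image:
            findings.append(f"{name}: image '{image}' is not pinned by digest")
        sc = c.get("securityContext", {})
        # A read-only root filesystem blocks in-place edits of the running container.
        if sc.get("readOnlyRootFilesystem") is not True:
            findings.append(f"{name}: readOnlyRootFilesystem is not true")
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(f"{name}: allowPrivilegeEscalation is not false")
        if sc.get("privileged", False):
            findings.append(f"{name}: container runs privileged")
    return findings
# Constructed sample manifests, weak and hardened, for illustration only.
WEAK_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web"},
    "spec": {"containers": [{"name": "web", "image": "registry.example/web:latest"}]},
}
HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web"},
    "spec": {
        "containers": [{
            "name": "web",
            "image": "registry.example/web@sha256:" + "0" * 64,  # placeholder digest
            "securityContext": {
                "readOnlyRootFilesystem": True,
                "allowPrivilegeEscalation": False,
                "privileged": False,
            },
            # Writable scratch space is explicit and discarded with the Pod.
            "volumeMounts": [{"name": "tmp", "mountPath": "/tmp"}],
        }],
        "volumes": [{"name": "tmp", "emptyDir": {}}],
    },
}

if __name__ == "__main__":
    for label, pod in (("weak", WEAK_POD), ("hardened", HARDENED_POD)):
        print(label, immutability_findings(pod) or ["ok"])
```

Blocking the direct interactions the quote warns about (for example `kubectl exec` into a running container) is a matter of RBAC on the `pods/exec` subresource rather than of the manifest, so it is outside this check.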
7. Future of Container and VM Security: WASM [33:17]
- WebAssembly (WASM): Viewed as a promising technology for enhancing security through lightweight, secure workload isolation.
- Michele's view: Though still emerging, WASM has the potential to change how security is implemented in Kubernetes by minimizing sidecar dependencies and offering slimmer attack surfaces.
- Kaslin's analogy: Compares WASM's potential impact to the slow adoption of IPv6, expressing optimism despite current slow uptake.
Michele's Upcoming Talk at KubeCon North America
Michele will present a session titled "Why Perfect Compliance is the Enemy of Good Kubernetes Security" at KubeCon in Salt Lake City. In her talk, she will explore:
- The challenges of implementing CIS GKE benchmarks in real-world scenarios.
- The importance of balancing security controls with realistic organizational needs.
- Strategies for fostering effective conversations between platform engineering and security teams to enhance Kubernetes security without becoming overly rigid.
Quote: "It's not about turning the security tool to a unified green color. Stop freaking out about the red and yellow in your security dashboard because sometimes it doesn't understand context." [38:12]
Conclusion and Key Takeaways
- Security Depends on Collaboration: Effective container security within Kubernetes is not solely a technical challenge but also an organizational one. Collaboration between security and platform engineering teams is paramount.
- Segregation Over Isolation: Understanding the nuances between segregation and isolation can lead to more accurate security implementations, recognizing the shared kernel architecture of containers.
- Immutability and Proper Patching: Containers should remain immutable post-deployment. Updates should be handled through rebuilding and redeployment rather than patching running containers.
- Mitigating Misconfigurations: Implementing robust DevSecOps pipelines with automated security checks can significantly reduce the risk of misconfigurations in container deployments.
- Future Technologies Like WASM: Emerging technologies such as WebAssembly hold promise for enhancing Kubernetes security but require further adoption and understanding within the community.
- Continuous Learning and Adaptation: As Kubernetes and container technologies evolve, so must the security strategies, tools, and organizational structures that support them.
Final Reflections: The episode underscores the complexity of container security within Kubernetes environments, emphasizing that technical measures must be complemented by effective organizational practices. Michele Chubirka's insights provide a comprehensive look into the current landscape and future directions of container security.
Stay Connected:
For more discussions on Kubernetes and container security, follow the hosts on Twitter @KubernetesPod or reach out via email at kubernetespodcast@google.com. Visit the Kubernetes Podcast website for transcripts, show notes, and additional resources.
