Rapid7 : Kubernetes Security Is Not Container Security

05/04/2021 | 04:47am EST

Container-specific security

I recently had an interesting discussion with Gianluca Brindisi from Spotify about the differences between Kubernetes security and container security. Typically, the discussion about container security focuses on general questions that aren't focused on a specific orchestration framework like Kubernetes, such as the following:

  • What images do I run and do they have secure base images?
  • Is my image registry secure?
  • What operating system permissions do my containers run with?
  • Is my container network properly segmented?
  • What processes do my containers run, and what files do those processes access at runtime?

These are all important questions when zooming out and looking at container security in general. However, in the Kubernetes context, something is lost.

Kubernetes-specific security

Let's illustrate the type of questions that you should ask to secure your Kubernetes cluster in addition to your containers. Some brief answers and tips are included for convenience.

Can someone bypass network segmentation by using the Kubernetes APIServer as a proxy and tunnel from one pod to another via kubectl port-forward?

It depends on what Role-Based Access Control (RBAC) permissions that pod's service account has. (There isn't much documentation around the pods/portforward role, but you can see it in the source code.)

If an attacker has breached one pod with restricted operating system permissions, can they escalate privileges by using the Kubernetes APIServer to launch a new pod with greater permissions?

Yes, if that pod's service account has RBAC permissions to create a new pod and you haven't set up additional restrictions like Pod Security Policies.

Can an attacker use raw-sockets to wreak havoc on the cluster's container network?

Yes, by default they usually can!

Are my security assumptions about Kubernetes namespaces wrong?

This is an important question to ask yourself. Though many people assume otherwise, Kubernetes namespaces are not equivalent to security boundaries, which means that privileged pods in one namespace can impact pods in another namespace. Make sure you don't make this mistake.

Root causes for Kubernetes security flaws

Most of the Kubernetes-specific security flaws that we see stem from one of four root causes:

  • A well-intentioned developer or DevOps engineer once granted overly permissive RBAC permissions to a default service account in order to 'make things work,' and no one today remembers that change or is aware of the lingering consequences.
  • The security team isn't familiar with Kubernetes and all of its obscure pitfalls, or the DevOps team doesn't have enough security experience to recognize nuanced security mistakes. This is common even among extremely talented engineers because Kubernetes is both complicated and new.
  • People think that Kubernetes and containers do all kinds of magic that Kubernetes and Docker don't actually do. For example, people wrongly assume that if an application is running in a container, then surely it can't open a raw socket by default.
  • The default Kubernetes configurations are too permissive (here too, raw sockets are a good example).

These four root causes lead to a variety of security flaws in Kubernetes clusters.
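
The RBAC questions above (port-forwarding through the APIServer, launching a more privileged pod) and the first root cause all reduce to which service accounts are bound to roles that allow this. The following audit is an added example, not code from Rapid7: it treats `create` on `pods` and `pods/portforward` as the risky grants (an assumption of this example) and runs over constructed objects whose role, binding and namespace names are hypothetical.

```python
# Added example: offline RBAC audit. SAMPLE is constructed data shaped like the
# items of `kubectl get clusterroles,roles,clusterrolebindings,rolebindings -A -o json`.
RISKY = [("pods", "create"), ("pods/portforward", "create")]

def rule_grants(rule, resource, verb):
    """True if one RBAC PolicyRule allows `verb` on a core-group resource."""
    groups, resources = rule.get("apiGroups", []), rule.get("resources", [])
    verbs = rule.get("verbs", [])
    sub = resource.partition("/")[2]  # subresource part, "" if none
    res_ok = "*" in resources or resource in resources or (sub != "" and "*/" + sub in resources)
    return ("" in groups or "*" in groups) and res_ok and ("*" in verbs or verb in verbs)

def audit(objects):
    """Return sorted (service account, scope, resource, verb) findings."""
    roles = {(o["kind"], o["metadata"].get("namespace"), o["metadata"]["name"]): o.get("rules") or []
             for o in objects if o["kind"] in ("Role", "ClusterRole")}
    findings = set()
    for o in objects:
        if o["kind"] not in ("RoleBinding", "ClusterRoleBinding"):
            continue
        bind_ns = o["metadata"].get("namespace")  # None for a ClusterRoleBinding
        ref = o["roleRef"]
        role_ns = bind_ns if ref["kind"] == "Role" else None
        rules = roles.get((ref["kind"], role_ns, ref["name"]), [])
        for s in o.get("subjects") or []:
            if s.get("kind") != "ServiceAccount":
                continue
            who = f'{s.get("namespace", bind_ns)}/{s["name"]}'
            for res, verb in RISKY:
                if any(rule_grants(r, res, verb) for r in rules):
                    findings.add((who, bind_ns or "cluster-wide", res, verb))
    return sorted(findings)

def grant(role_kind, name, ns, resources, verbs, sa_name, sa_ns):
    """Build a constructed role plus a binding of it to one service account."""
    meta = {"name": name, **({"namespace": ns} if ns else {})}
    role = {"kind": role_kind, "metadata": meta,
            "rules": [{"apiGroups": [""], "resources": resources, "verbs": verbs}]}
    binding = {"kind": role_kind + "Binding", "metadata": meta,
               "roleRef": {"kind": role_kind, "name": name},
               "subjects": [{"kind": "ServiceAccount", "name": sa_name, "namespace": sa_ns}]}
    return [role, binding]

SAMPLE = (  # constructed, not from a real cluster
    grant("ClusterRole", "make-it-work", None, ["*"], ["*"], "default", "web")
    + grant("Role", "debugger", "dev", ["pods", "pods/portforward"], ["get", "create"], "ci", "dev")
    + grant("Role", "reader", "dev", ["pods"], ["get", "list"], "viewer", "dev"))

print(*audit(SAMPLE), sep="\n")
```

The wildcard ClusterRole bound to the `default` service account is reported cluster-wide, while the read-only role produces no finding.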

Securing your cluster

All of these issues can be fixed by proactively verifying that your cluster is properly configured, making sure that workloads are properly segmented in the correct Kubernetes-native way, and educating yourself and your teams about the nitty-gritty details of Kubernetes, not just containers.
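
One configuration check of this kind, for the raw-socket default mentioned earlier, is to list every container whose spec still leaves it with the `NET_RAW` capability. This is an added example, not code from Rapid7; it assumes the container runtime's default capability set includes `NET_RAW`, and the manifests and names in it are constructed.

```python
# Added example: flag containers that can still open raw sockets. MANIFESTS is
# constructed data shaped like the items of `kubectl get pods,deployments -A -o json`.
# Assumption: the container runtime's default capability set includes NET_RAW.

def pod_spec(obj):
    """Return the pod spec of a Pod, or of a workload's pod template."""
    spec = obj.get("spec") or {}
    return spec if obj["kind"] == "Pod" else (spec.get("template") or {}).get("spec") or {}

def raw_socket_reason(container):
    """Return why the container holds NET_RAW, or None if it is dropped."""
    sc = container.get("securityContext") or {}
    caps = sc.get("capabilities") or {}
    add = {c.upper() for c in caps.get("add") or []}
    drop = {c.upper() for c in caps.get("drop") or []}
    if sc.get("privileged"):
        return "privileged"             # privileged containers hold every capability
    if add & {"NET_RAW", "ALL"}:
        return "adds NET_RAW"           # an explicit add survives drop: ["ALL"]
    if not drop & {"NET_RAW", "ALL"}:
        return "does not drop NET_RAW"  # inherits the runtime default
    return None

def audit_net_raw(objects):
    """Return (kind, namespace/name, container, reason) for each exposed container."""
    findings = []
    for o in objects:
        spec, meta = pod_spec(o), o["metadata"]
        who = f'{meta.get("namespace", "default")}/{meta["name"]}'
        for c in (spec.get("initContainers") or []) + (spec.get("containers") or []):
            if (reason := raw_socket_reason(c)):
                findings.append((o["kind"], who, c["name"], reason))
    return findings

def ctr(name, **security_context):
    return {"name": name, "securityContext": security_context}

MANIFESTS = [  # constructed, not from a real cluster
    {"kind": "Pod", "metadata": {"name": "frontend", "namespace": "web"},
     "spec": {"containers": [{"name": "nginx"}]}},
    {"kind": "Deployment", "metadata": {"name": "api", "namespace": "web"},
     "spec": {"template": {"spec": {"containers": [
         ctr("app", capabilities={"drop": ["ALL"]}),
         ctr("proxy", capabilities={"drop": ["ALL"], "add": ["NET_RAW"]})]}}}},
    {"kind": "Pod", "metadata": {"name": "debug", "namespace": "ops"},
     "spec": {"containers": [ctr("shell", privileged=True, capabilities={"drop": ["ALL"]})]}},
]

print(*audit_net_raw(MANIFESTS), sep="\n")
```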

The big picture: Containers, image scanning, and Kubernetes

Kubernetes is best viewed as a 'cloud operating system' that runs applications called 'containers.' Focusing on container security is important, and is equivalent to traditional application security. However, ignoring Kubernetes security and only focusing on container security is like ignoring Linux security and only focusing on Nginx/Apache security. The environment in which containers run, what the Container Network Interface (CNI) looks like, and what privileges the operating system called Kubernetes grants the containers (in terms of RBAC permissions) are all extremely important if you want to secure your cloud.

To complete this analogy, you can think of image scanning as the cloud equivalent of source code scanning, which checks if you have known vulnerabilities in your code.

Image scanning is important, but it isn't a replacement for a firewall, antivirus, or proper operating system configuration.

In the old days, when containers ran only on top of Docker, container security was enough. Nowadays, make sure you don't overlook the operating system (Kubernetes) and focus only on the apps (containers), because doing so will leave large gaps in your security and compliance.

Learn more about how DivvyCloud by Rapid7 can help secure your cloud and multi-cloud environments.


Disclaimer

Rapid7 Inc. published this content on 03 May 2021 and is solely responsible for the information contained therein. Distributed by Public, unedited and unaltered, on 04 May 2021 08:46:05 UTC.


© Publicnow 2021