This post originally appeared in The New Stack.
Embrace Continuous Feedback
In a CI/CD pipeline, there are numerous tools at work: a code repository like GitHub, a container registry, a build automation tool, a test automation tool and a deployment automation tool. There are multiple users that collaborate in every deployment, consisting of multiple developers, QA and IT Ops personnel. There are also multiple environments, including development, testing, staging and production.
Each of these components, users and resources is identified by tags and unique identifiers. As these users, components and resources interact with each other, events occur, and those events create a record of data. All the data that identifies parts of the system, together with the events occurring across the system, constitutes metadata. This is key to ensuring visibility into the system.
Grafeas is a metadata API that stores and helps analyze all metadata generated in a Kubernetes system. It is comprehensive, able to track any tool you use and flexible enough to factor in any new tools you add to your toolchain down the line. It includes access controls so that you can define which components and users can create or modify metadata — and which ones can only read metadata. By protecting metadata in this way, it gives you the confidence to use this metadata as a source of truth when triaging incidents.
Metadata has typically been overlooked as trivial information. Tools like Grafeas are changing this and giving metadata a central role in monitoring and securing a CI/CD pipeline. This is the way to achieve continuous feedback at every step of the CI/CD cycle. The best part is that this feedback is automated, it scales with your system and presents an accurate view of what’s really happening at any given moment. In a complex and dynamic system, this kind of continuous feedback is essential.
Automate Security Policies
Further, Grafeas works with another tool called Kritis which lets you define security policies that can be enforced on the system. These policies can be based on metadata. They let you define rules that allow only authorized users to deploy container images into production or ensure container images with vulnerabilities are automatically stopped from being deployed.
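The two ideas above, a protected metadata store that scanners and approvers write to and a policy that reads it to decide whether an image may be deployed, fit together naturally. The following is an added example, not Grafeas or Kritis code: it models the Grafeas data model loosely (a note describes a kind of finding, an occurrence attaches that finding to a concrete resource such as an image digest) and evaluates a Kritis-style rule against it. The policy field names (`maximum_severity`, `required_attestors`, `allowlisted_cves`), the image digests and the CVE identifiers are this example's own placeholders.

```python
"""Grafeas-style metadata store with a Kritis-style deployment policy.

Added example, not Grafeas or Kritis code. Modelled loosely on the Grafeas
data model (a NOTE describes a kind of finding, an OCCURRENCE attaches that
finding to a concrete resource, here a container image digest). The policy
fields mirror the kind of rule the text describes; their names are this
example's own assumptions.
"""
from dataclasses import dataclass, field

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


@dataclass
class Occurrence:
    resource_uri: str            # the image digest the finding applies to
    kind: str                    # "VULNERABILITY" or "ATTESTATION"
    note_name: str               # the note this occurrence instantiates
    severity: str = ""           # vulnerability occurrences only
    authority: str = ""          # attestation occurrences only (who signed off)


@dataclass
class MetadataStore:
    """Append-only store: scanners and attestors create, the policy engine only reads."""
    occurrences: list = field(default_factory=list)

    def create(self, occ: Occurrence) -> None:
        self.occurrences.append(occ)

    def for_resource(self, resource_uri: str, kind: str) -> list:
        return [o for o in self.occurrences
                if o.resource_uri == resource_uri and o.kind == kind]


@dataclass
class ImageSecurityPolicy:
    """Kritis-style policy; field names are assumptions of this example."""
    maximum_severity: str
    required_attestors: tuple
    allowlisted_cves: tuple = ()


def evaluate(store: MetadataStore, image: str, policy: ImageSecurityPolicy) -> tuple:
    """Return (allowed, reasons). Every violation is reported, not just the first."""
    reasons = []
    limit = SEVERITY_RANK[policy.maximum_severity]
    for vuln in store.for_resource(image, "VULNERABILITY"):
        if vuln.note_name in policy.allowlisted_cves:
            continue
        if SEVERITY_RANK.get(vuln.severity, 0) > limit:
            reasons.append(f"{vuln.note_name} is {vuln.severity}, above {policy.maximum_severity}")
    seen = {a.authority for a in store.for_resource(image, "ATTESTATION")}
    for attestor in policy.required_attestors:
        if attestor not in seen:
            reasons.append(f"missing attestation from {attestor}")
    return (not reasons, reasons)


def demo_store() -> MetadataStore:
    """Constructed sample data: one clean, fully attested image and one that is neither."""
    store = MetadataStore()
    good = "registry.example/app@sha256:aaaa"   # placeholder digest
    bad = "registry.example/app@sha256:bbbb"    # placeholder digest
    store.create(Occurrence(good, "VULNERABILITY", "CVE-0000-0001", severity="LOW"))
    store.create(Occurrence(good, "ATTESTATION", "qa-signoff", authority="qa"))
    store.create(Occurrence(good, "ATTESTATION", "scan-passed", authority="scanner"))
    store.create(Occurrence(bad, "VULNERABILITY", "CVE-0000-0002", severity="CRITICAL"))
    store.create(Occurrence(bad, "ATTESTATION", "qa-signoff", authority="qa"))
    return store


PROD_POLICY = ImageSecurityPolicy(maximum_severity="MEDIUM",
                                  required_attestors=("qa", "scanner"))

if __name__ == "__main__":
    s = demo_store()
    for img in ("registry.example/app@sha256:aaaa", "registry.example/app@sha256:bbbb"):
        ok, why = evaluate(s, img, PROD_POLICY)
        print(img, "ALLOW" if ok else "DENY", why)
```

The split between writers and readers is the point: the scanner and the QA attestor are the only components allowed to create occurrences, the policy engine only reads them, and the deployment decision is reproducible from the stored metadata alone, which is what makes it usable as a source of truth when an incident is triaged later.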
Similar to Kritis, admission controller is a feature of Kubernetes that lets you define arbitrary policies to better control and manage the CI/CD process. It features a list of plugins that intercept and manage all calls to the Kubernetes API. Admission controller plugins can be used to enforce restrictions on what commands can be executed by privileged containers or ensure that any requests do not exceed the set resource quotas in a namespace. The applications for admission controller are many, and together, they give administrators great control over various aspects of running a Kubernetes cluster in production.
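An admission controller that enforces the two rules mentioned above (no privileged containers, requests within a namespace quota) is, at its core, a function from an `AdmissionReview` request to an `AdmissionReview` response. The following added example, not Kubernetes project code, implements that decision for a validating webhook using the real `admission.k8s.io/v1` envelope; the quota table, the sample pod and the request UID are constructed, and the HTTP server that would wrap `admit()` is left out.

```python
"""Validating admission logic for a Kubernetes webhook.

Added example, not Kubernetes project code. It makes the decision a
ValidatingAdmissionWebhook backend makes: it receives an AdmissionReview
(the admission.k8s.io/v1 envelope) and answers allowed/denied with a message.
The rules are the two the text mentions: no privileged containers, and CPU
requests within a per-namespace quota. The quota table is an assumption; in a
cluster it would come from ResourceQuota objects.
"""
import json

# Constructed quota table, in millicores per namespace.
CPU_QUOTA_MILLICORES = {"prod": 2000, "dev": 8000}


def parse_cpu(value: str) -> int:
    """Kubernetes CPU quantity to millicores: '500m' -> 500, '2' -> 2000."""
    return int(value[:-1]) if value.endswith("m") else int(float(value) * 1000)


def violations(pod: dict, namespace: str) -> list:
    """Collect every rule violation in the pod spec, so the user sees them all at once."""
    found = []
    spec = pod.get("spec", {})
    containers = spec.get("containers", []) + spec.get("initContainers", [])
    total_cpu = 0
    for c in containers:
        if c.get("securityContext", {}).get("privileged", False):
            found.append(f"container {c['name']} requests privileged mode")
        total_cpu += parse_cpu(c.get("resources", {}).get("requests", {}).get("cpu", "0"))
    quota = CPU_QUOTA_MILLICORES.get(namespace)
    if quota is not None and total_cpu > quota:
        found.append(f"cpu request {total_cpu}m exceeds namespace quota {quota}m")
    return found


def admit(review: dict) -> dict:
    """Turn an AdmissionReview request into an AdmissionReview response."""
    req = review["request"]
    problems = violations(req["object"], req.get("namespace", ""))
    response = {"uid": req["uid"], "allowed": not problems}
    if problems:
        # A denial carries a status the API server relays back to kubectl.
        response["status"] = {"code": 403, "message": "; ".join(problems)}
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
            "response": response}


def sample_review(privileged: bool, cpu: str, namespace: str = "prod") -> dict:
    """Constructed AdmissionReview for a single-container pod."""
    return {
        "apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
        "request": {
            "uid": "00000000-0000-0000-0000-000000000001",  # placeholder UID
            "namespace": namespace,
            "object": {"kind": "Pod", "spec": {"containers": [{
                "name": "app", "image": "registry.example/app:1.0",
                "securityContext": {"privileged": privileged},
                "resources": {"requests": {"cpu": cpu}},
            }]}},
        },
    }


if __name__ == "__main__":
    for args in ((False, "500m"), (True, "500m"), (False, "4")):
        print(json.dumps(admit(sample_review(*args))["response"], indent=1))
```

Because the API server calls the webhook for every matching request, the check runs regardless of which CI tool or user issued the deployment, which is what makes admission control a single enforcement point rather than a convention each pipeline must remember to follow.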
Both Kritis and admission controller let you enforce automated policies for Kubernetes management. Twistlock has partnered with Google to enable support for Kritis. Twistlock leverages Kritis’ strengths to bolster its policy enforcement and image scanning features.
Deploy Multiple Security Processes
Firewalls have changed in the era of cloud-native computing. Rather than perimeter, all-encompassing firewalls, today's containerized applications leverage granular firewalls that secure individual services. These firewalls adapt to the size and complexity of the application and network, and are controlled via policies. The benefit of granular distributed firewalls is that even if one firewall is breached, the others remain secure. This provides multiple layers of security.
An open source tool that is adopting this approach is Project Calico. It implements policy-based network security that views the application as a collection of cloud-based services. It creates micro-firewalls around each service and secures them in a distributed manner.
Twistlock employs this method as well by using its Cloud Native Application Firewall (CNAF) and Cloud Native Network Firewall (CNNF). CNAF understands the application and protects each individual service in the application using a firewall. Similarly, CNNF adapts to a distributed networking architecture and secures communication between services no matter where they are hosted — within a single data center or across multiple public cloud platforms.
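The claim that a breach of one micro-firewall leaves the others intact is easiest to see by evaluating a set of per-service policies against concrete flows. The following added example, not Calico or Twistlock code, models the semantics the section describes the way Kubernetes and Calico network policies express them: a policy selects the workloads it protects by label and lists the sources and ports allowed in; a workload selected by at least one policy is default-deny for everything else, and a workload no policy selects stays open. The three-tier application, its labels and the flows are constructed sample data.

```python
"""Per-service micro-firewall evaluator.

Added example, not Calico or Twistlock code. A Policy protects the workloads
matching its selector; an IngressRule names a source selector and the ports
it may reach. Any workload selected by a policy is default-deny for traffic
no rule allows; a workload no policy selects is left open (the Kubernetes
default). Workloads, labels and flows below are constructed sample data.
"""
from dataclasses import dataclass


@dataclass
class Workload:
    name: str
    labels: dict


@dataclass
class IngressRule:
    from_selector: dict      # labels a source must carry
    ports: tuple             # allowed destination ports


@dataclass
class Policy:
    name: str
    selector: dict           # labels of the workloads this policy protects
    ingress: list            # IngressRule list; an empty list denies all ingress


def matches(selector: dict, labels: dict) -> bool:
    """Every key/value in the selector must be present in the labels."""
    return all(labels.get(k) == v for k, v in selector.items())


def is_allowed(policies: list, src: Workload, dst: Workload, port: int) -> bool:
    applicable = [p for p in policies if matches(p.selector, dst.labels)]
    if not applicable:
        return True                   # unselected workload: no micro-firewall yet
    for p in applicable:
        for rule in p.ingress:
            if matches(rule.from_selector, src.labels) and port in rule.ports:
                return True
    return False                      # selected, but no rule admits this flow


def evaluate_flows(policies: list, flows: list) -> dict:
    """Map (src, dst, port) to the verdict for each constructed flow."""
    return {(s.name, d.name, port): is_allowed(policies, s, d, port)
            for s, d, port in flows}


# Constructed three-tier application: edge gateway -> web -> api -> db.
WEB = Workload("web", {"app": "shop", "tier": "web"})
API = Workload("api", {"app": "shop", "tier": "api"})
DB = Workload("db", {"app": "shop", "tier": "db"})
INGRESS = Workload("ingress-gw", {"role": "edge"})

# One policy per service; each one admits only its direct upstream.
POLICIES = [
    Policy("web-fw", {"tier": "web"}, [IngressRule({"role": "edge"}, (443,))]),
    Policy("api-fw", {"tier": "api"}, [IngressRule({"tier": "web"}, (8080,))]),
    Policy("db-fw", {"tier": "db"}, [IngressRule({"tier": "api"}, (5432,))]),
]

FLOWS = [
    (INGRESS, WEB, 443),
    (WEB, API, 8080),
    (API, DB, 5432),
    (WEB, DB, 5432),        # web tier reaching past api straight to the database
    (INGRESS, API, 8080),   # edge skipping the web tier
]

if __name__ == "__main__":
    for flow, verdict in evaluate_flows(POLICIES, FLOWS).items():
        print(flow, "ALLOW" if verdict else "DENY")
```

The last two flows are the ones that matter: the database policy only knows about the api tier, so even if the web tier is compromised its firewall being bypassed changes nothing about what the database accepts. Each service carries its own allow-list, which is the layering the section describes.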
Securing a CI/CD pipeline in a world of containers is no easy task. There are numerous aspects to consider. By employing dynamic security practices and using multiple security processes, you can secure today's cloud-native applications. Whether it's capturing metadata with a capable tool like Grafeas, enforcing policies based on that metadata with a tool like Kritis, enforcing further arbitrary policies with admission controllers, or securing the application and networking layers with cloud-native firewalls, all of these are essential for container security. While the tools are available, it takes a combination of tactical security measures and modern cloud-native tooling to deliver the kind of security that cloud-native applications require.