Red Hat Kubernetes security report finds people are the problem

Kubernetes, despite being widely regarded as an important technology by IT leaders, continues to pose problems for those deploying it. And the problem, apparently, is us. The open source container orchestration software, being used or evaluated by 96 per cent of organizations surveyed [PDF] last year by the Cloud Native …

  1. Anonymous Coward

    It's still Kubernetes' fault

    > Kubernetes is highly customizable, with various configuration options that can affect an application’s security posture.

    If the vast majority of security issues are attributed to misconfigurations, and misconfiguration is what keeps most operators up at night, then the problem isn't the users it's the application.

    It's possible (but hard) to be highly customisable *and* safe. Kubernetes (apparently) hasn't achieved that equilibrium.

    1. Snake Silver badge
      Thumb Up

      Re: It's still Kubernetes' fault

      "If the vast majority of security issues are attributed to misconfigurations, and misconfiguration is what keeps most operators up at night, then the problem isn't the users it's the application."

      This, 1000x this. This statement needs to be placed on billboards across the street from every office with links to Kubernetes development.

      Don't blame the user if your UI is a misconfigured mess that only you, a programmer, can understand.

  2. Potemkine! Silver badge

    95 per cent of cybersecurity issues can be traced to human error

    No kidding. And the other 5% are traced to E.T.? Or cats maybe (you are never too careful when dealing with cats)?

    I would love to be paid a lot of €/$/£ to generate such tasteless and empty reports. Where can I apply?

    1. VoiceOfTruth

      Get a government contract. Sorry, it's overrun time and cost limits by a factor of two or three.

  3. werdsmith Silver badge

    I’ve lived this. Not just security but general service has been quite a shit-show because Kubernetes has been adopted when people (bosses) were dazzled by the idea of it. But the centre of excellence delivery department didn’t put it in right, nor did they train the support properly because they didn’t actually understand it themselves.

    1. Anonymous Coward

      Yup. It was suggested, nay, asserted, by one of the team that we should use Kubernetes for one project some 5-6 years ago.

      Ok — we went — show us how to use it.

      He'd never actually used it himself, nor had any idea how to, let alone being able to quantify what benefit, if any, it might have brought.

      Beware of the hype. And also remember that we're not all Google or Facebook.

      1. Anonymous Coward

        > And also remember that we're not all Google or Facebook.

        The argument you often hear is "but what if we want to grow to that sort of scale in future?"

        The answer to which is that that's a bridge to cross when it looks likely.

        At some point in the next few years, I suspect we'll see a report quantifying the loss of productivity that's come from businesses using Kubernetes when their size/use-case doesn't really demand it. Unfortunately, that report will probably be part of a sales pitch for some replacement fad.

        1. Anonymous Coward

          > The argument you often hear is "but what if we want to grow to that sort of scale in future?"

          Then you'll probably do what Google did: develop your own solution. Whether out of an actual need or due to not invented here, it doesn't really matter.

  4. DevOpsTimothyC

    What's so special about K8s?

    In other news water wet, space empty etc. This sort of report is a waste of money.

    Why do they think that K8s would be any different than the rest of IT? The elephant in the room is that C-Levels do not want to pay for security. They aren't willing to have it in the SDLC, and in most places I've seen the closest thing to network security has been a traditional firewall or WAF and a regular patch schedule.

    1. Anonymous Coward

      Re: What's so special about K8s?

      > The elephant in the room is that C-Levels do not want to pay for security.

      Nor are providers proposing it. Every one of my company's projects in the last few years has had a security plan, a dedicated security budget and someone specifically in charge of security. So far it has been well received, though there might be an element of self selection.

      1. Anonymous Coward

        Re: What's so special about K8s?

        > Every one of my company's projects

        Ok, not every one of them, I've learned. :(

        Still, it's a start.

  5. Warm Braw

    We lack internal talent to use it to its full potential

    Just about every job advertisement I see presently for anything even vaguely related to development is demanding knowledge of "Docker/Kubernetes". Conflating the two is perhaps still excusable, but I'm not sure it's a great idea to expect your developers also to cover deployment as a side hustle.

    It is complex (perhaps unnecessarily so) and it needs not only knowledge and experience but also time to do it right. There does seem to be an unjustified expectation that if you adopt DevOps then the ops simply disappears.

  6. VoiceOfTruth

    Kubernetes, OpenStack, ...

    > Witness the sarcasm

    Oh I witnessed it.

    I don't have a problem with things being complicated or complex. The problem comes when that complexity is glossed over like: just use ${today's buzzword application thing}. These big buzzword-of-the-day apps and 'things' (I don't know what else to call these blancmanges) all promise a lot. They only deliver if you have people who know what they are doing. Anyone who says that it is easy is probably doing it wrongly or insecurely somewhere along the line.

    > IBM's Red Hat lays the blame on Kubernetes' focus on productivity rather than security.

    Let's all take a step back into the 1990s or 1980s, with systems and applications with weak-by-design security. Some may claim otherwise, but if the concept of Kubernetes security best practices even exists (it does), then there is the potential for running it with less than best practices.

  7. seven of five Silver badge

    When people are the problem my hatchet always works the best.

    - Lordi

  8. Howard Sway Silver badge

    the problem, apparently, is us

    No, I think it can be best summarised as follows:

    Step 1: Containers are great! Developers no longer need to think about infrastructure or security in their code because the container administration manages it.

    Step 2: Let's get rid of the admins and make developers manage the containers too, and call it DevOps. As they don't have to write as much code, we'll make them learn every detail of this enormously complex deployment platform instead.

    Step 3: Hell, let's de-staff the security team and make developers manage security on top as well, and call it DevSecOps. And if they make any mistakes, we can blame everything on them!

    1. Anonymous Coward

      Re: the problem, apparently, is us

      Step 4: DevSecOps costs too much. Let's outsource it entirely and our accounting department can manage it.

      1. Youngone

        Re: the problem, apparently, is us

        We've already outsourced the Finance Department to a really cheap country. Oh, it has a massive cultural problem with corruption. Bugger!

        1. Throatwarbler Mangrove Silver badge
          Flame

          Re: the problem, apparently, is us

          Fucking trigger warning, you guys! I just left Operations, and reading your posts has left me curled up on the floor whimpering with PTSD.

  9. Anonymous Coward

    So not just me then?

    Mind, I've always suspected that. Especially since to this day I still haven't met someone who actually understands the thing beyond copying and pasting stuff from someone else's blog post.

    Which ties in with what the article says:

    > But before companies can automate Kubernetes, they need people who know what they're doing to write the scripts and configuration files. And finding folks to do that turns out to be the top Kubernetes pain point, cited by 30 per cent survey respondents: "We lack internal talent to use it to its full potential."

  10. Anonymous Coward

    I should invite you all to my local for a pint or two and explain how Kubernetes works, but I'm too busy writing "thank you for reaching out, but I'm not looking to change roles at the moment" replies on LinkedIn. We'd do a side conversation around CaC whilst we have some shots later in the evening.

    1. Anonymous Coward

      Do you mind if I do a side-talk on my new concept?

      I call it Code As Infrastructure (CAI).

      The basic idea is that you have such an exhaustive and onerous change-control and approval process, that it's basically impossible to fix bugs or release features without a multi-month lead time.

      I think it'll make me rich, as I know the mindset is already in place in many businesses, so adoption should be huge.
