Background
Security concerns remain the number one challenge for adopting and running containerized applications in Kubernetes. Red Hat’s State of Kubernetes Security Report, which analyzed survey data from over 500 IT and security decision-makers, found the same trend: 59% of respondents are most worried about unaddressed security and compliance needs or threats to containers.
Challenge
Some of the most common issues found in Kubernetes are:
- Container Escapes & Privilege Escalation. Malicious actors can leverage a containerized application’s vulnerabilities to breach its isolation boundary, gaining access to the host system’s resources.
- Improper Secret Management. Pretty much any application you build is bound to store sensitive data of some kind, whether it is the organisation’s or the user’s. These secrets are often the only thing standing between an attacker and complete access to your internal systems.
- Compromised Container Images and Registries. Plenty of organisations use open-source base images when building their own container images. These cannot be blindly trusted, as they might contain vulnerabilities or security misconfigurations and, in some cases, even hidden malware that could cripple the build.
Solution: K8s with Confidential Containers
enclaive’s Confidential Containers come with a series of built-in features that address the challenges above, each of which can harm the security of a Kubernetes cluster.
- Data in Use Encryption. Every container shields its application and data during execution. In the event of a container escape, the attacker may escalate privileges and gain root access to the underlying system. Nevertheless, even with access to the host system, the attacker cannot extract valuable data and secrets from the other containers, because the memory of a confidential container is encrypted and protected for its entire execution. Dumping the memory yields ciphertext only. Attempts to alter the memory or file system are detected through cryptographic integrity protection.
- Container Secret Key Provisioning. Secrets such as environment variables, files, passwords, or cryptographic keys are never stored in a confidential container. A key management service (KMS) provisions the secrets into the confidential container through a TLS-like protocol. The KMS verifies the authenticity of the container and ensures that only the right confidential containers obtain the secrets.
- Container Authentication & Attestation. Confidential Containers have a cryptographic identity. Their authorship is verifiable, which allows finer-grained white-labeling mechanisms as well as proactive user protection: remote attestation allows on-the-fly detection of outdated or vulnerable containers in use, based on their cryptographic identity.
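The attestation-gated secret release described in the two bullets above (the KMS verifying a container before provisioning its secrets, and the container's cryptographic identity being its measurement), as an added Python model. This is not enclaive's code and does not reproduce its actual protocol: the platform key, report format, measurement scheme, policy and sample workload are all constructed stand-ins, an HMAC key replaces the hardware's attestation signing key, and the KMS returns the secret bundle directly rather than wrapping it to a container-held key as a TLS-like channel would.

```python
import hashlib
import hmac
import json
import secrets

# Constructed stand-in for the platform's attestation signing key. On real hardware
# this is a private key inside the CPU; an HMAC key keeps the example self-contained.
PLATFORM_ATTESTATION_KEY = b"constructed-platform-key-not-a-real-secret"


def measure_container(image_digest: str, config: dict) -> str:
    """Launch measurement (simplified): a hash over the image digest and runtime config.
    Any change to the image or its configuration yields a different identity."""
    canonical = json.dumps({"image": image_digest, "config": config}, sort_keys=True)
    return hashlib.sha256(canonical.encode()).hexdigest()


def _sign(body: dict, key: bytes) -> str:
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def attest(measurement: str, nonce: str, key: bytes = PLATFORM_ATTESTATION_KEY) -> dict:
    """Mock platform: produce a signed report binding the measurement to the KMS nonce."""
    body = {"measurement": measurement, "nonce": nonce}
    return {"body": body, "signature": _sign(body, key)}


class KMS:
    """Releases a secret bundle only to a container whose signed, fresh attestation
    report carries a measurement listed in the release policy."""

    def __init__(self, policy: dict):
        self.policy = policy          # measurement -> secrets for that exact workload
        self.outstanding = set()      # nonces issued but not yet consumed

    def challenge(self) -> str:
        nonce = secrets.token_hex(16)
        self.outstanding.add(nonce)
        return nonce

    def release(self, report: dict) -> tuple:
        body, sig = report["body"], report["signature"]
        # 1. Authenticity: was the report produced by the platform? (constant-time compare)
        if not hmac.compare_digest(_sign(body, PLATFORM_ATTESTATION_KEY), sig):
            return False, "invalid attestation signature"
        # 2. Freshness: each nonce is accepted once, so a captured report cannot be replayed.
        if body["nonce"] not in self.outstanding:
            return False, "unknown or replayed nonce"
        self.outstanding.discard(body["nonce"])
        # 3. Authorization: is this exact workload allowed to hold these secrets?
        bundle = self.policy.get(body["measurement"])
        if bundle is None:
            return False, "measurement not in release policy"
        return True, bundle


# Constructed sample workload and release policy.
GOOD_IMAGE = "sha256:" + "ab" * 32
CONFIG = {"env": ["DB_HOST=db"], "cmd": ["node", "server.js"]}
GOOD_MEASUREMENT = measure_container(GOOD_IMAGE, CONFIG)
POLICY = {GOOD_MEASUREMENT: {"DB_PASSWORD": "constructed-sample-password"}}


def run_scenarios() -> dict:
    """Return the KMS decision for each scenario so the behaviour can be checked."""
    kms = KMS(POLICY)
    results = {}

    # Genuine container: fresh nonce, valid platform signature, known measurement.
    nonce = kms.challenge()
    good_report = attest(GOOD_MEASUREMENT, nonce)
    results["genuine"] = kms.release(good_report)

    # Replay: the same report presented again after its nonce was consumed.
    results["replay"] = kms.release(good_report)

    # Tampered image: one byte of the digest differs, so the measurement differs.
    bad_measurement = measure_container("sha256:" + "ab" * 31 + "ac", CONFIG)
    results["tampered_image"] = kms.release(attest(bad_measurement, kms.challenge()))

    # Impersonation: a report for the good measurement signed by something other
    # than the platform (e.g. an ordinary container claiming to be confidential).
    forged = attest(GOOD_MEASUREMENT, kms.challenge(), key=b"not-the-platform-key")
    results["impersonation"] = kms.release(forged)

    return results


if __name__ == "__main__":
    for name, (ok, detail) in run_scenarios().items():
        print(f"{name:15s} -> {'released' if ok else 'denied: ' + detail}")
```

The three checks in `release` map onto the properties the page describes: the signature check is the KMS "verifying the authenticity" of the container, the one-time nonce keeps a captured report from being reused, and the measurement allowlist is what makes the container's cryptographic identity the deciding factor, so a container built from a modified image gets nothing even though it runs on the same host. It is also why an attacker who has escaped into the host gains no secrets: without the platform key they cannot produce a valid report for another workload's measurement.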
Recommended Confidential Containers
enclaive offers a large portfolio of Confidential Containers to shield Kubernetes clusters against the attack vectors mentioned above. Prominent examples include: ArangoDB, MariaDB, MongoDB, Redis, Nodejs, Python, Rust, Go, PHP, Ruby, Java, C, C++, C#, Mosquitto, Nginx, WordPress, and Umami.