
Containers Security: An Essential Guide to Protecting Kubernetes

The modern cybersecurity landscape is swamped with new threats. Breaches are inevitable. It’s not a question of if but when you will be breached.

This means you can’t assume there’s any environment in your network that’s secure against threats. Containers are an increasingly popular target for attackers. While they’re a powerful DevOps tool, they bring unique security challenges, especially when layered onto other infrastructures.  

In this post, I’ll explain why you need to pay attention to container security and how Illumio can help you secure your Kubernetes environments.

Containers aren't secure by default

Containers are typically managed by Kubernetes or by a Kubernetes-based platform such as OpenShift. Because containers are dynamic and short-lived, many assume that Kubernetes environments are less susceptible to threats. This simply isn’t true.

The security misconceptions about containers mirror the early days of VMs, where the same assumption was quickly proven wrong. Containers face their own set of security threats just like any other environment. Attackers breach containers with familiar goals in mind, such as financial gain, data espionage, infrastructure disruption, cryptomining, and botnet deployment for DDoS attacks.

Kubernetes faces several unique challenges in securing a cluster:

Figure: Network security challenges with Kubernetes at runtime. Kubernetes has many risks if its security isn’t addressed proactively.

The security risk around containers has been proven time and again:

  • Threats such as Siloscape, Hildegard, and cr8escape don’t target the Kubernetes control plane directly. Instead, they start from a compromised container and work downward to the underlying node (Siloscape, for example, uses a technique called thread impersonation to escape its container) and execute malicious code from there. This can disrupt the infrastructure, potentially bringing down the entire hosted Kubernetes cluster from below.
  • Kinsing malware looks for common PostgreSQL misconfigurations in containers and uses them to deploy additional pods that run cryptomining code. While this malware doesn’t exfiltrate data, it consumes the cluster’s resources for free, which increases the owner’s costs.
  • Supply chain attacks like SolarWinds and Codecov reached Kubernetes clusters through trusted external code and tooling, bypassing traditional perimeter security measures.

How does malware spread in Kubernetes?

All cyber threats have one thing in common: They want to move. Attackers aim to spread laterally to other resources once they enter the environment, eventually reaching their target.  

Malware spreads by taking advantage of human behavior or open ports, no matter the environment.

Figure: DevSecOps challenges with Kubernetes at runtime. All malware wants to move, and it all moves the same way.

Unfortunately, people are the weakest link in cybersecurity. Regardless of their training, users may inadvertently click risky links, allowing malware to enter the network. Once inside, malware scans for open ports to spread to other workloads.

Malware traditionally uses open RDP, SSH, or SMB ports to deliver payloads to other workloads. Kubernetes clusters have their own equivalents: a NodePort service opens the same port (by default one from the 30000-32767 range) on every node in the cluster, and the kubelet API listens on port 10250 on each node. Left reachable from any workload, these ports make it easy for attackers to spread through Kubernetes workloads.
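Closing the kubelet side of this means the kubelet must stop accepting unauthenticated, unauthorized requests on its port. The following KubeletConfiguration fragment is an added example written for this post, not code from the original article and not an Illumio artifact; the hardened values are shown with the weak defaults noted in comments, and the CA file path is an assumption for a kubeadm-style node layout.

```yaml
# Added example (not from the original post): kubelet settings that close the
# openings a laterally moving attacker looks for on port 10250.
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration

# Set explicitly to 0 so the unauthenticated read-only port (10255 when
# enabled) is off regardless of command-line flags or distribution defaults.
readOnlyPort: 0

authentication:
  anonymous:
    enabled: false            # weak default: true lets unauthenticated callers in
  webhook:
    enabled: true             # bearer tokens are checked with the API server (TokenReview)
  x509:
    clientCAFile: /etc/kubernetes/pki/ca.crt   # assumed path; the cluster CA that signs client certs

authorization:
  mode: Webhook               # weak default: AlwaysAllow authorizes every authenticated request
```

With Webhook authorization, each request (pod exec, container logs, the pods list) is checked against the API server with a SubjectAccessReview, so RBAC decides who may use that node's kubelet. This only controls who is accepted once a connection arrives; whether the port is reachable from a compromised pod at all is a network question, and a pod-level NetworkPolicy does not cover it because the kubelet is host traffic, not pod traffic. For NodePort, the check is simpler: list the Services of type NodePort and confirm each one actually needs to be reachable on every node.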

Protecting Kubernetes: Combine microsegmentation with threat detection

The cybersecurity industry has traditionally taken a detect-and-respond approach. Threat-hunting and detection tools monitor workloads and applications for unusual behavior. If they find something malicious, security teams then work to eradicate the threat.

But no matter how fast these detection tools are, today’s threats can spread faster. Worse, by the time a breach has been detected, it has likely already spread through the environment. Organizations can’t expect detection tools to be 100% effective.

We know that breaches spread between workloads over open ports. This means we don’t need to understand the intent of a threat to prevent it from spreading. It's much more effective to monitor and enforce segments first.  

By restricting communication between workloads, you prevent threats from spreading regardless of their intent. And you give your detection tool time to identify the threat.

For example, if someone is trying to break down the door to your house, you don’t first ask them if they’re a criminal and then decide to lock your door or not. You lock the door first and ask questions later.

Segmentation is foundational to any security architecture. Rather than wasting time determining a threat’s purpose, block its pathway immediately. This contains the breach and stops it from spreading further into the network.

Illumio’s approach to containing breaches in Kubernetes

Illumio assumes that a breach will eventually happen in any environment, including Kubernetes. There are several ways that the Illumio platform supports Kubernetes security.

Build proactive microsegmentation

By enforcing microsegmentation across all workloads, Illumio contains breaches at their entry point, preventing them from spreading throughout the network. This means organizations can survive an active breach without impacting their operations.

Automate detection and containment with third-party integrations

Illumio also integrates with third-party detection platforms to automate the process of detecting and containing threats.

If a detection platform sees zero-day malware using a port that current Illumio policy allows, the integration shares that finding with the Illumio platform. In response, Illumio automatically applies security policy to close the gap and reduce risk before malicious actors can exploit it further.

This means you can implement granular segmentation controls based on real-time threat intelligence, reducing the attack surface and automatically containing breaches. 

Simplify Kubernetes DevSecOps  

Security operations in Kubernetes require security policy to be part of the automation workflows used during containerized development cycles.

With Illumio, you can get Kubernetes visibility and workload enforcement within the same global workflow used across all environments.  

Contain breaches in Kubernetes with Illumio

Attackers want to spread everywhere — even in Kubernetes. And if you can't stop them from spreading, your organization could be tomorrow’s news headline.

Illumio can keep you out of the news by helping you contain breaches, reduce risk, and build resilience. Map traffic and contain breaches across your entire hybrid multi-cloud, inside and outside Kubernetes.  

Contact us today to learn how Illumio can contain breaches in your containers environments.
