Matt Campbell
Article originally posted on InfoQ.
Fairwinds, a provider of Kubernetes software, has released their Kubernetes Benchmark Report 2023. The report shows an overall trend of worsening configuration issues across the surveyed organizations. This includes increases in organizations running workloads allowing root access, workloads without memory limits set, and workloads impacted by image vulnerabilities.
Last year, the report found that, in general, less than 10% of workloads were impacted by poor or improper configurations. This year the results varied more widely across the three domains the report covers: reliability, security, and cost governance. The report offers a hypothesis as to why the year-over-year trend is towards more poorly configured workloads:
It’s clear DevOps teams are outnumbered and we need to do better as a community to support them. As Kubernetes usage expands, it’s harder for DevOps to manage configuration risk introduced by new teams.
The report surveyed over 150,000 workloads across hundreds of organizations. They found a 22 percentage point increase from last year in workloads that allow root access. They also saw an increase in workloads potentially impacted by image vulnerabilities with 25% of organizations having 90% of their workloads at risk. This is an increase of over 200% from last year’s report.
This is worrisome, as a recent report from Orca Security found that the average attack path requires only three steps to reach business-critical data or assets. A vulnerable component in the container image, such as Log4j affected by Log4Shell, provides the initial entry point, and a process that is already running as root inside the container gives the attacker far more to work with afterwards, especially where the pod also runs privileged or mounts host paths. The Orca Security report found that 78% of attack paths use a known exploit (CVE) as their initial access point.
The Fairwinds report did find that organizations that implemented Kubernetes guardrails, either as shift-left checks in the development pipeline or as policy enforced at deployment time, corrected 36% more issues where CPU and memory configurations were missing than organizations without guardrails. In addition, organizations employing guardrails corrected 15% more image vulnerabilities than those not using them.
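The following script is an added example written for this article, not code from Fairwinds or from the benchmark report. It shows what a guardrail of the kind the report describes actually checks: it runs the three manifest-level findings the report counts (workloads that may run as root, privileged or escalatable containers, and missing CPU and memory requests/limits) over two constructed pod manifests, one weak and one hardened. The pod and image names are made up; the checks mirror the pod and container `securityContext` and `resources` fields as Kubernetes defines them.

```python
import json

# Constructed sample manifests for this example (not from the report).
# WEAK_POD has the settings the report counts against a workload: no
# user set (so the image's USER, often root, decides), privileged, and
# no resource requests or limits.
WEAK_POD = json.loads("""
{
  "apiVersion": "v1",
  "kind": "Pod",
  "metadata": {"name": "api"},
  "spec": {
    "containers": [{
      "name": "api",
      "image": "example.com/api:1.4.2",
      "securityContext": {"privileged": true}
    }]
  }
}
""")

# The same pod with the settings a guardrail would require.
HARDENED_POD = json.loads("""
{
  "apiVersion": "v1",
  "kind": "Pod",
  "metadata": {"name": "api"},
  "spec": {
    "securityContext": {"runAsNonRoot": true, "runAsUser": 10001},
    "containers": [{
      "name": "api",
      "image": "example.com/api:1.4.2",
      "securityContext": {
        "allowPrivilegeEscalation": false,
        "privileged": false,
        "capabilities": {"drop": ["ALL"]}
      },
      "resources": {
        "requests": {"cpu": "100m", "memory": "128Mi"},
        "limits": {"cpu": "500m", "memory": "256Mi"}
      }
    }]
  }
}
""")


def pod_spec(manifest):
    """Return the PodSpec for a bare Pod or for the workload kinds that wrap one."""
    kind = manifest.get("kind")
    if kind == "Pod":
        return manifest["spec"]
    if kind == "CronJob":
        return manifest["spec"]["jobTemplate"]["spec"]["template"]["spec"]
    # Deployment, StatefulSet, DaemonSet, Job, ReplicaSet
    return manifest["spec"]["template"]["spec"]


def check_workload(manifest):
    """Return (container, finding) pairs for the misconfigurations the report counts."""
    spec = pod_spec(manifest)
    pod_sc = spec.get("securityContext", {})
    findings = []
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name = c["name"]
        sc = c.get("securityContext", {})
        # Container-level settings override pod-level ones in Kubernetes.
        run_as_non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
        run_as_user = sc.get("runAsUser", pod_sc.get("runAsUser"))
        if run_as_user == 0:
            findings.append((name, "runs as uid 0"))
        elif run_as_user is None and run_as_non_root is not True:
            # Nothing in the manifest prevents root; the image's USER decides.
            findings.append((name, "may run as root"))
        if sc.get("privileged"):
            findings.append((name, "privileged container"))
        if sc.get("allowPrivilegeEscalation", True):  # Kubernetes default is true
            findings.append((name, "allowPrivilegeEscalation not disabled"))
        resources = c.get("resources", {})
        for section in ("requests", "limits"):
            for res in ("cpu", "memory"):
                if res not in resources.get(section, {}):
                    findings.append((name, f"no {res} {section[:-1]}"))
    return findings


def admit(manifest):
    """Deploy-time guardrail: admit the workload only if it has no findings."""
    return not check_workload(manifest)


if __name__ == "__main__":
    for label, pod in (("weak", WEAK_POD), ("hardened", HARDENED_POD)):
        print(f"{label}: admit={admit(pod)}")
        for container, finding in check_workload(pod):
            print(f"  {container}: {finding}")
```

Running this before `kubectl apply` in CI is the shift-left flavour; the same logic behind a validating admission webhook is the deployment-time flavour the report describes. Image vulnerabilities are out of reach for a manifest check like this one, since they require scanning the image itself, which is why the report counts them separately.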
Danielle Cook, VP of Marketing at Fairwinds, explains that “[a]s Kubernetes usage expands, it’s harder for DevOps teams to manage configuration risk introduced by new teams.” Compounding this is the question of which team is responsible for building these guardrails and ensuring the configuration is correct. A survey by Armo found that 58% of respondents believe that DevSecOps teams should own these solutions. The same survey found that only 10% of respondents believed their teams were experts in handling the security of their Kubernetes environments.
Many agree that it is becoming harder for teams to understand and manage all the risks associated with their development activities, infrastructure, and tooling. Paula Kennedy, Chief Operating Officer at Syntasso, shares the impact this heavy cognitive load can have:
This is an ongoing struggle for anyone trying to navigate a complex technical landscape. New tools are released every day and keeping up with new features, evaluating tools, selecting the right ones for the job, let alone understanding how these tools interact with each other and how they might fit into your tech stack is an overwhelming activity.
Fairwinds reports that guardrails or paved paths can help teams follow best practices. As Kennedy notes, these approaches help “to streamline the number of tools offered, reduce the cognitive load of too many options, as well as reduce technical bloat of the platform.”
For more results from the Fairwinds Kubernetes Benchmark Report 2023, readers are directed to the Fairwinds site.