The Kubernetes Current Blog

Enterprise Best Practices for Solving the Top Kubernetes Security Risks

Countless developers have adopted Kubernetes to help build cloud-native applications. However, many companies still struggle with managing this new environment.

In the last few years, companies were not only eager to implement digital tools like VPNs, and antivirus security measures but also started looking into ways to enhance their application development process using Kubernetes.

However, our guest today emphasizes that as the number of Kubernetes clusters and containerized applications grows, companies are increasingly exposed to security risks that are not evident when only a couple of clusters are in operation. To discuss the current application landscape we invited Haseeb Budhani, CEO and co-founder of Rafay Systems – a company helping organizations manage their cloud native applications and infrastructure.

How did the idea of Rafay originate? What has your journey been like so far?

My colleagues and I come from Akamai, where we were consumers of a variety of orchestration technologies. We were spending too much time wrestling with infrastructure automation and operations instead of developing the software product we were selling. We felt strongly that there had to be a better way to manage the operations of modern infrastructure and we, therefore, decided to build one at Rafay Systems.

All of us at Rafay believe that modern applications can power a better future and companies deserve to be able to consume a mature, battle-tested, and easy-to-use platform to get up and running with modern apps. Without that, the promises and business value of these cutting-edge applications built on cloud, IoT, and 5G technologies are at risk.

With a combination of an enterprise-grade operations platform and expert services, Team Rafay helps enterprise platforms and SRE teams create a modern operations practice (built on Kubernetes) to support their modern infrastructure.

Can you tell us a little bit about your Kubernetes Operations Platform? What are its key features?

Rafay Systems offers the industry’s only cloud-built Kubernetes Operations Platform that augments the enterprise platform team through a broad set of services needed to accelerate application modernization initiatives. With Rafay’s unified platform, teams can operate modern application infrastructure at scale across public clouds, data centers, and the Edge — delivering enterprise-grade control and governance to application deployment workflows across both Kubernetes infrastructure and modern applications. The full suite of turnkey services on Rafay’s Kubernetes Operations Platform includes:

Multi-Cluster Management

• GitOps

• Zero-Trust Access

• Kubernetes Policy Management

• Backup and Restore

• Visibility and Monitoring

• Virtual machine support

• Chargeback and cost management

• Support for highly tuned Edge use cases

This breakthrough approach brings a new and much-needed operations mindset to the increasingly outdated Kubernetes Management market. With the Rafay Kubernetes Operations Platform, platform teams enjoy centralized visibility, management, and automation across once disparate processes and systems, resulting in the improved delivery of modern applications.

How do cybercriminals take advantage of unprotected developer workload? What is the worst that can happen?

Cloud and Kubernetes have become a standard but security remains one of the top inhibitors to modern application development. To reduce security risks, organizations can’t manage access control on a cluster-by-cluster basis. Not finding a scalable approach leads to misconfigurations, vulnerabilities, and failed compliance audits.

Security incidents are occurring and many of the companies breached — like Microsoft, Docker, and Jenkins — aren’t new to Kubernetes. In fact, a recent survey found 94 percent had experienced security incidents last year! Teams deploying Kubernetes have to do everything possible to ensure their infrastructure is secure, at scale. Otherwise, hackers can take over clusters and workloads and use that cloud compute for their own applications or even mine bitcoin!

Traditional IT network security is based on a castle-and-moat model where users inside the castle are trusted by default. The fundamental problem with this approach is that once an attacker gains access to the network, they have access to everything inside.

In contrast, Rafay has built a zero-trust solution. Zero-trust assumes that all actors, systems, and services cannot be trusted. It draws on technologies such as authentication, authorization, and encryption and is continuously validated for security configuration and posture to ensure compliance:

Authentication: The process of verifying the identity of a user or process.

Authorization: An authenticated user or service also has to be authorized to perform the requested function.

Encryption: Cryptography is at the core of zero-trust, enabling data to be encrypted and signed. Public-key cryptography can enable identification, authentication, and secure data transport.

How did the recent global events affect your field of work? Were there any new features added to your platform?

Several global events have had a significant impact on our line of work, including the COVID-19 pandemic and the war in Ukraine. These events have resulted in hiring and budget freezes, changing workforce and workplace environments, and a push for innovation to support businesses and consumers with a new normal.

During the past two years, companies have realized that they need to diversify IT infrastructure, and support a remote workforce. That means developing new, innovative applications and moving existing applications to the cloud for better reach and redundancy. Rafay’s platform has directly supported multiple companies’ migration to the cloud, helping platform teams ensure that applications (and the underlying modern infrastructure) are available and secure in public clouds, private data centers as well as remote/edge locations.

In your opinion, which industries should be especially attentive to implementing application security?

All industries need to pay special attention to implementing security policies and practices in order to eliminate the risk associated with modern application delivery and minimize the risk of deploying new applications.

Industries with heavy regulation – ones that deal with privacy and customer data in particular – need to adhere to the strictest standards. Healthcare, financial services, government, retail, biotech, food, and transportation industries, in particular, need to employ the resources and leverage the measures necessary to develop and deliver modern software.

Why do you think certain companies hesitate to try out new and innovative solutions that would enhance their development operations?

Trying out new solutions requires companies to invest in in-house resources to learn and implement these new technologies. Attracting new talent with the necessary skill set, or leveling up the existing team’s skillset, are both massive investments of time and resources. Beyond getting the basics right, companies also need to invest in the automation, security, visibility, and governance on top of their new automation layer to reduce the burden and overhead associated with scaling new technologies.

The “do-it-yourself” mantra is an important consideration here. What most companies don’t realize is that new technologies often come with a lot of promise for innovation, but it takes a lot of resources to truly extract value from said innovation. If you’re adopting new technology like Kubernetes, companies are better off leveraging off-the-shelf platforms built to address the automation, governance, security, and visibility requirements in order to take advantage of the new solution. This is where we are seeing a lot of companies falling short and where Rafay can help immediately.

What are the best practices companies should follow when developing, and, when launching applications?

As the number of Kubernetes clusters and containerized applications grow, companies are increasingly exposed to security risks that are not evident when operating only a few clusters and applications. At Rafay, we believe the cornerstone of modern security can be built on zero-trust architectures to enable controlled, audited access for developers, SREs, and automation systems to your Kubernetes infrastructure. This zero-trust access should be augmented with just-in-time service account creation and user-level credentials management integrated with your enterprise’s access control and sign-on systems.

Companies need to incorporate the following practices not only to eliminate risk and vulnerabilities but also need to ensure that these practices do not, in any way hinder productivity:

Role-based access control with fine-grained permissions and clear separation of duties. Many teams are involved in the DevOps workflow across development, QA and production environments. Teams need to ensure that developers, QA, DevOps, and Ops/SREs teams have the right access based on their roles and responsibilities.

A seamless single sign-on experience whereby corporate directories such as Okta, AzureAD, etc., can be leveraged to enable end-user access to Kubernetes infrastructure.

Centralized policy management such that the resident experts are able to configure enterprise-grade policies that can be enforced across all Kubernetes infrastructure while allowing for centralized detection and reporting of policy violations.

An end-to-end audit trail of all admin and user activity across all clusters and applications, providing forensic information of all activity for long-term analysis.

Seamless integration with management platforms such as HashiCorp Vault that requires zero application developer burden.

Talking about cybersecurity, what measures or practices do you think every modern company should have implemented?

For Kubernetes, the Kube API (or kubeapi) endpoints are at the center of all operations for a Kubernetes cluster. Securing access to the kubeapi endpoint is the first line of defense to protect the cluster. Companies should NEVER expose the kubeapi endpoint to the Internet. Using jumphosts or VPNs is also not advisable, since those are all network-based and not zero-trust-based solutions

Additionally, it’s important to make sure different roles (developers, SREs, security analysts, etc.) are given different, controlled, and audited levels of access. No developer needs to write access to a production cluster, so ensure that such is the case, for example.

What does the future hold for Rafay?

Rafay continues to push the envelope on enterprise-grade Kubernetes management and operations. We release major updates to our cloud-made platform every month. As a result, every one of our customers is able to take advantage of new features immediately. By the end of this year, the platform will support more turnkey workflows for Platform and SRE teams to help them manage their Kubernetes fleets easily, easily chargeback for usage, and manage intra- and inter-cluster networking policies, and more.

We also intend to open-source our zero-trust access capabilities to the community to help the community improve its Kubernetes access posture easily.

This interview was originally held and published by


Trusted by leading companies