Full Report
Secure your applications across the SDLC by deploying only trusted images and monitoring your Kubernetes control plane in near-real time to detect potential threats.
Analysis Summary
# Best Practices: Securing Containerized Applications and Kubernetes Environments
## Overview
These practices focus on mitigating risks associated with containerized applications and Kubernetes orchestration by securing the entire software development lifecycle (SDLC), ensuring image trust, and establishing real-time threat detection within the execution environment. A significant risk identified is the deployment of container images containing known vulnerabilities (52% of exposed pods analyzed contained vulnerable images).
## Key Recommendations
### Immediate Actions
1. **Implement Image Scanning in CI/CD:** Integrate container image scanning tools (like Wiz CLI) into the Continuous Integration/Continuous Deployment (CI/CD) pipeline to check for vulnerabilities, sensitive data, and secrets *before* artifacts are built or pushed to registries.
2. **Establish Image Trust Gates:** Configure admission controllers within Kubernetes to enforce policies that only allow deployment of images that have been validated (scanned and approved) within authorized CI/CD pipelines.
3. **Activate Kubernetes Audit Log Ingestion:** Immediately begin collecting Kubernetes cluster audit logs across all environments (EKS, AKS, GKE, self-managed) to gain centralized, near real-time visibility into control plane activities.
### Short-term Improvements (1-3 months)
1. **Enforce Organizational Security Baselines:** Define and enforce specific security baselines that container images must meet (e.g., maximum acceptable CVE count, no hardcoded secrets) for them to be marked as "trusted golden images."
2. **Correlate Threat Data:** Configure security platforms to correlate Kubernetes audit logs with existing workload (container/host-level) activity and cloud control plane logs to detect suspicious behavior patterns (e.g., anonymous access followed by role creation).
3. **Phase Out Legacy Manual Validation:** Aim to replace manual image integrity verification (e.g., maintaining separate Cosign/Notary infrastructure) by leveraging integrated solutions that combine CLI scanning and admission control for policy enforcement.
### Long-term Strategy (3+ months)
1. **Develop Defense-in-Depth Strategy:** Architect security tooling to provide coverage across the entire application lifecycle: build time (code/image scanning), deployment time (admission control), and runtime (control plane monitoring and sensor-based detection).
2. **Standardize Control Plane Monitoring:** Implement an agnostic mechanism for collecting and normalizing Kubernetes audit logs across disparate cloud environments to simplify operational overhead and standardize threat response workflows.
3. **Continuously Refine Policies:** Regularly review and update organizational security policies applied to image deployment based on evolving threat intelligence and security findings within production environments.
## Implementation Guidance
### For Small Organizations
* **Focus on Image Integrity:** Prioritize setting up basic vulnerability scanning tied directly to image pushes. Use integrated security tooling that minimizes external infrastructure dependencies (like dedicated signing servers) for initial policy enforcement.
* **Leverage Unified Platforms:** Choose security solutions that bring visibility across code, container, and runtime layers through a singular agentless or minimal-agent approach, reducing the need to manage disparate siloed tools.
* **Start Log Collection:** Begin collecting control plane logs for a single, high-value cluster to familiarize the team with anomaly detection patterns.
### For Medium Organizations
* **Formalize CI/CD Gating:** Standardize the security gates within the primary CI/CD pipelines (e.g., Jenkins, GitLab Runners) to reject builds that fail policy checks (secrets, vulnerabilities).
* **Automate Log Ingestion:** Deploy standardized mechanisms (e.g., using cloud-native log services or a centralized platform collector) to ensure all key Kubernetes clusters are streaming audit logs automatically.
* **Establish Response Playbooks:** Create documented, simple playbooks for common alerts generated by correlated audit logs (e.g., alerts on unauthorized configuration changes).
### For Large Enterprises
* **Mandate Golden Image Usage:** Implement strict organizational mandates requiring that all production deployments reference only images sourced from an approved, pre-scanned, and signed repository (a "golden image" catalog).
* **Adopt Agentless/Sensor Defense-in-Depth:** Utilize tooling that combines agentless risk posture assessment with runtime sensors for deep context, ensuring coverage across both Kubernetes orchestration layers and the underlying cloud infrastructure.
* **Centralized Contextual Monitoring:** Ensure all collected logs (K8s audit, cloud provider API, workload runtime data) are centrally processed to facilitate complex threat hunting and compliance reporting across vast, multi-cluster environments.
## Configuration Examples
*(The article emphasizes using integrated tooling rather than providing specific open-source configuration files, but the operational configuration goal is clear):*
| Component | Configuration Goal | Action |
| :--- | :--- | :--- |
| **Image Deployment Policy** | Only deploy images validated by Wiz CLI in the CI pipeline. | Configure the Kubernetes Admission Controller to deny any pod creation request unless the image provenance or signature meets the policy requirements enforced by the security platform. |
| **Kubernetes Audit Logs** | Configure all CSP-managed/self-managed K8s API servers (EKS, AKS, GKE) to stream audit logs. | Ensure the log streaming method aligns with the chosen security platform's ingestion requirements, aiming for near real-time delivery to the security sensor/collector. |
| **Threat Detection** | Detect anomalous K8s control plane activity. | Tune correlation rules to flag sequences such as: `(Anonymous K8s API Access) -> (Creation of new ClusterRoleBinding) -> (Suspicious network activity from new pod)`. |
## Compliance Alignment
* **NIST CSF:** Detection, Protect (Supply Chain Security).
* **ISO 27001:** A.14 (System acquisition, development, and maintenance) regarding secure development practices; A.12 (Operations security) for monitoring.
* **CIS Benchmarks for Kubernetes:** Direct alignment with controls regarding API server auditing and deployment restrictions.
## Common Pitfalls to Avoid
* **Siloed Tooling:** Do not rely solely on tools that analyze only the pipeline (ignoring runtime) or only the cluster (ignoring the image source). Security tooling must provide full context across the SDLC.
* **Ignoring Cloud Context:** Monitoring Kubernetes controls in isolation is insufficient; the security posture must account for the underlying cloud environment where the clusters reside.
* **Over-reliance on Legacy Trust Models:** Do not maintain complex, manual signing/key infrastructure when integrated, automated policy enforcement via Admission Controllers is available, as this adds operational friction and potential failure points.
* **Vulnerability Acceptance:** Do not allow images with known high-severity vulnerabilities to reach production, as this is a primary vector for initial compromise according to observed data.
## Resources
* Wiz Documentation on Admission Controller Image Trust CI/CD configuration [defanged URL placeholder: wiz-docs/ac-image-trust-cicd]
* Wiz Documentation on Kubernetes Audit Log Collector [defanged URL placeholder: wiz-docs/kubernetes-audit-log-collector]
* Wiz Academy: Introduction to Container Security [defanged URL placeholder: wiz.io/academy/what-is-container-security]
* Kubernetes Security for Dummies Guide [defanged URL placeholder: wiz.io/lp/kubernetes-security-for-dummies]