Updated: Oct 6, 2020
Kubernetes is becoming the de facto orchestrator for containers, steadily gaining both mindshare and market share. Many companies use a managed Kubernetes service (Azure AKS, Google GKE, AWS EKS) and assume that the cloud provider will take care of security.
The provider does take care of the control plane, but the security of the nodes, network policies, and pod security remains the customer's responsibility. This split is called the shared responsibility model (AWS's shared responsibility diagrams are shown below).
Fig. 1: Shared Security Model for AWS Managed Node Groups
Fig. 2: Shared Security Model for AWS EKS
As you move from self-managed nodes to managed node groups to Fargate, AWS takes on more of the responsibility: offering Kubernetes-optimized node images, patching the node OS, keeping Kubernetes up to date, and scaling worker nodes with the load.
The customer is always responsible for:
Network segmentation (network policies)
Pod security policies
Container images and data
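As an added example (not part of the original post or of any Araali tooling), here are the first two customer-owned items above as concrete manifests: a namespace-wide default-deny NetworkPolicy with one explicit allow rule, and a restrictive PodSecurityPolicy together with the RBAC binding it needs before it takes effect. The namespace `payments`, the labels `app=api` and `role=frontend`, and port 8080 are assumed for illustration.

```yaml
# Added example; the namespace, labels and port are assumed, not from the post.
---
# 1. Default deny: selects every pod in the namespace and drops all ingress
#    and egress traffic that no other policy explicitly allows.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: payments
spec:
  podSelector: {}            # empty selector = every pod in the namespace
  policyTypes: [Ingress, Egress]
---
# 2. Explicit allow: only role=frontend pods in the same namespace may reach
#    the api pods, and only on TCP/8080; the api pods may still do DNS lookups.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: api-allow-frontend
  namespace: payments
spec:
  podSelector:
    matchLabels:
      app: api
  policyTypes: [Ingress, Egress]
  ingress:
    - from:
        - podSelector:
            matchLabels:
              role: frontend
      ports:
        - protocol: TCP
          port: 8080
  egress:
    - ports:                 # no "to" block: DNS to any destination on port 53
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
---
# 3. Restrictive PodSecurityPolicy: no privileged or host-namespace pods,
#    no root, no privilege escalation, all capabilities dropped, read-only root fs.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: restricted
spec:
  privileged: false
  allowPrivilegeEscalation: false
  requiredDropCapabilities: [ALL]
  hostNetwork: false
  hostPID: false
  hostIPC: false
  readOnlyRootFilesystem: true
  runAsUser:
    rule: MustRunAsNonRoot
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: MustRunAs
    ranges: [{min: 1, max: 65535}]
  fsGroup:
    rule: MustRunAs
    ranges: [{min: 1, max: 65535}]
  volumes: [configMap, emptyDir, projected, secret, downwardAPI, persistentVolumeClaim]
---
# 4. A PSP only applies once a subject is granted the "use" verb on it.
#    This binds it to every service account in the payments namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: psp-restricted
rules:
  - apiGroups: [policy]
    resources: [podsecuritypolicies]
    resourceNames: [restricted]
    verbs: [use]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: psp-restricted-payments
  namespace: payments
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: psp-restricted
subjects:
  - kind: Group
    apiGroup: rbac.authorization.k8s.io
    name: system:serviceaccounts:payments
```

Two caveats a practitioner should check before trusting either half. NetworkPolicy objects are accepted by the API server on every cluster but are only enforced by a CNI plugin that supports them; on EKS at the time of this post the default VPC CNI did not, so Calico (or another policy-capable CNI) had to be installed for the default-deny to actually drop anything. PodSecurityPolicy was current when this post was written but requires the PodSecurityPolicy admission controller to be enabled on the control plane; it was deprecated in Kubernetes 1.21 and removed in 1.25 in favour of Pod Security Admission, so on newer clusters the same restrictions are expressed with the `pod-security.kubernetes.io/enforce: restricted` namespace label instead.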
Other commercial distributions, such as Rancher, let Kubernetes deployments stay cloud-agnostic. Most of these platforms are optimized for speed and agility, so it is worth evaluating how each one splits the shared responsibility model before relying on it.
At Araali, our goal is to make it easy for customers to take care of their side of this shared responsibility matrix with a few simple commands (demo).