Kubernetes-Security Best Pratiques

The state
of Kubernetes
security report
2024 edition
A Red Hat® report

Executive summary
Executive summary
About this report
Key findings
Cloud-native technologies are changing the way organizations develop,
Finding 1:
Security issues impact deploy, and scale applications. The inherent scalability, agility, and flexibility of
business outcomes
cloud infrastructure lets businesses speed time to market, improve efficiency,
Finding 2:
Security breaches and enhance innovation. However, as cyberattacks become increasingly
affect everyone
sophisticated, robust security measures are key to safeguarding sensitive data,
Finding 3:
Security incidents occur
protecting against breaches, and complying with regulatory standards across
in all life cycle phases hybrid cloud environments. In response, many IT organizations are investing in
Finding 4:
advanced security platforms and implementing collaborative, security-focused
Security strategies
present concerns processes to protect critical systems, workloads, and data. In fact, IT security is a
Finding 5: top funding priority for nearly 50% of companies.1
Responsibility for
security is decentralized
With a focus on container workloads and Kubernetes, Red Hat and Illuminas
Finding 6:
DevSecOps practices surveyed DevOps, engineering, and security professionals around the world in
are common
organizations ranging from small companies to large enterprises. Based on this
Finding 7:
Kubernetes brings data, the 2024 edition of the State of Kubernetes security report examines some
new security challenges
of the most common cloud-native security challenges and business impacts that
Finding 8:
Organizations are working
organizations experience today. We investigate specific security risks that most
on high-risk issues concern organizations—including software supply chain and application runtime
Finding 9:
vulnerabilities—and the steps organizations take to mitigate them. We identify
Security issues can lead
to serious consequences the types and frequencies of security incidents that organizations experience
Finding 10: in Kubernetes environments. We look at the distribution of Kubernetes security
Risk management is key
for software supply chains responsibilities across development, security, and operations teams to reveal
Finding 11: the latest trends in DevSecOps adoption. And, finally, we provide guidance for
Software supply chain
security worries are real reducing risks throughout your application life cycles.
Finding 12:
Tools support software Although challenging, comprehensive container and Kubernetes security can
supply chain security
help you speed innovation and deliver more value for your organization. Using
Finding 13:
Organizations use
our survey results, you can evaluate your own Kubernetes security to find areas
open source tools for of improvement and gain insights for reducing security gaps. By continuously
Kubernetes security
refining your security measures, you can protect critical business assets and
Enhance your container
and Kubernetes security create a culture of proactive security, ensuring the integrity and resilience of your
About our respondents infrastructure and applications.
Get started with Red Hat
Advanced Cluster Read on to discover 13 key findings from our survey.
Security for Kubernetes
1 Red Hat report. “2024 global tech trends,” February 2024. 2

About this report
Executive summary
About this report
Key findings
For the 2024 edition of this report, Red Hat sponsored a survey of 600
Finding 1:
Security issues impact DevOps, engineering, and security professionals in the United States (U.S.), the
business outcomes
United Kingdom (U.K.), and the English-speaking Asia Pacific region (APAC)
Finding 2:
Security breaches to understand emerging trends in containers, Kubernetes, and cloud-native
affect everyone
security. Data was gathered through 21-minute online and phone interviews with
Finding 3:
respondents sourced from online panels and 3rd-party databases. The survey
in all life cycle phases was conducted in December 2023 and January 2024.
Finding 4:
Security strategies Respondent profile:
present concerns
Finding 5: ► IT professionals focused on applications, platforms, infrastructure, operations,

Responsibility for
security is decentralized security, or software architecture or development
Finding 6:
DevSecOps practices ► From companies with more than 100 employees
are common
Finding 7:
► From companies that have an internal application development team
Kubernetes brings
► From companies that currently use containers
Finding 8:
on high-risk issues
Finding 9:
Security issues can lead Respondent demographics
to serious consequences
600
Finding 10:
for software supply chains
Finding 11: total reponses DevOps Engineering Security

Software supply chain gathered professionals professionals professionals
security worries are real
Finding 12:
Tools support software
26% Technology
Finding 13: 25% 100-499 employees 25% Financial services
Organizations use
24% 500-999 employees 24% Telco, media,
open source tools for
52% >1,000 employees and entertainment
Kubernetes security
26% Other industries
and Kubernetes security
About our respondents

Advanced Cluster
3
Key findings
Executive summary
About this report
Key findings
Once again, our survey generated a lot of insight into how organizations approach
Finding 1:
Security issues impact Kubernetes security. Here are the highlights:
business outcomes
Finding 2:
Security breaches
67%
affect everyone
of organizations delayed or slowed down
Finding 3:
deployment due to Kubernetes security concerns.
in all life cycle phases
Finding 4:
46%
Security strategies
present concerns of organizations lost revenue or customers due
Finding 5: to a container or Kubernetes security incident.
Responsibility for
Finding 6:
42%
DevSecOps practices
are common of respondents cite security as a top concern
Finding 7: with container and Kubernetes strategies.
Kubernetes brings
42%
Finding 8:
Organizations are working of respondents report having DevSecOps initiatives
on high-risk issues
in an advanced stage in their organization.
Finding 9:
48%
Finding 10:
Risk management is key of organizations have early-stages DevSecOps initiatives,
with teams collaborating on joint policies and workflows.
Finding 11:
33%
Finding 12:
Tools support software of respondents believe that their existing container and
Kubernetes security solution slows down development.
Finding 13:
Organizations use
Kubernetes security
30%
of respondents identified vulnerabilities as the biggest
and Kubernetes security worry for their container and Kubernetes environment.

Advanced Cluster
Security for Kubernetes Keep reading to discover more about these findings.
4
Executive summary Finding 1:
About this report
Key findings Security issues continue to

impact business outcomes
Finding 1:
Security issues impact
business outcomes
Finding 2:
Security breaches
affect everyone
Security issues forced 67% of companies to delay
or slow down application deployment.
Finding 3:
Finding 4:
Security strategies Worldwide, organizations adopt cloud-native technologies like Kubernetes and
present concerns
microservices-based architectures to transform how they build, run, and scale
Finding 5:
Responsibility for applications. While some organizations develop all new software as microservices,
many refactor existing applications using container-based technologies. In either
Finding 6:
DevSecOps practices case, containers can speed development and release cycles while increasing
are common
flexibility to run and manage applications across hybrid environments. However,
Finding 7:
Kubernetes brings incomplete security throughout the application life cycle—from development to
deployment and maintenance—can diminish these valuable benefits. In fact, our
Finding 8:
survey found that 67% of respondents have delayed or slowed down deployment
on high-risk issues of container-based applications due to security concerns.
Finding 9:
Finding 10:
Have you ever delayed or slowed down application deployment
for software supply chains into production due to container or Kubernetes security concerns?
Finding 11:
34%
Finding 12:
supply chain security Yes
Finding 13:
Organizations use
open source tools for No
Kubernetes security

and Kubernetes security 67%

Q27. Have you ever delayed or slowed down application deployment into production due to container or Kubernetes security concerns?
Advanced Cluster Base size: Total = 600
Percentages may not add to 100% due to rounding.
5
About this report
Key findings Security breaches

affect everyone
Finding 1:
business outcomes
Finding 2:
Security breaches
affect everyone
Security incidents lead to broad consequences,
including employee termination and loss of revenue.
Finding 3:
Finding 4:
Security strategies The impact of container and Kubernetes security issues can go well beyond
present concerns
delayed application deployments. 26% of respondents said that a security
Finding 5:
Responsibility for incident led to employee termination, while 30% reported that their organization
was fined as a result of the incident. In these situations, the loss of valuable
Finding 6:
DevSecOps practices talent, knowledge, and experience can significantly impact operations, while fines
are common
and negative publicity can place significant financial burdens on businesses.
Finding 7:
Kubernetes brings
46% of respondents also revealed that their organization experienced revenue
Finding 8:
or customer loss as a result of a security incident. Security breaches can slow
Organizations are working business growth when teams delay projects or product releases while they work
on high-risk issues
to remediate issues. And as customers lose trust in a business’s data protection
Finding 9:
Security issues can lead abilities, they may turn to competitors that engage in more secure practices.
Finding 10:
Finding 11:
In the past 12 months, have you experienced any of the following impacts to your business
Software supply chain as a result of containers/Kubernetes security or compliance issues or incidents?
53%
Finding 12:
46%
Finding 13:
Organizations use
30% 26%
Kubernetes security

Project delays Revenue or Fines, legal action, Employee
or disruptions customer loss or lawsuits termination
Advanced Cluster
Security for Kubernetes Q29. In the past 12 months, have you experienced any of the following impacts to your business as a result of containers/Kubernetes security
or compliance issues or incidents? Base size: Total = 600
6
About this report
Key findings Security incidents occur in all

application life cycle phases
Finding 1:
business outcomes
Finding 2:
Security breaches
affect everyone
Nearly 9 in 10 organizations had at least 1 container
or Kubernetes security incident in the last 12 months.
Finding 3:
Finding 4:
Security strategies Security incidents are not confined to running applications. Instead, container-
present concerns
and Kubernetes-related security incidents can impact all phases of the
Finding 5:
Responsibility for application life cycle. While 45% of respondents reported that their organizations
experienced runtime incidents in the last 12 months, an almost equal number
Finding 6:
DevSecOps practices (44%) said they encountered issues in build and deployment phases, citing
are common
major vulnerabilities to remediate. At the same time, 40% said their organization
Finding 7:
Kubernetes brings detected misconfigurations in their container or Kubernetes environments, and
26% reported that their organization failed an audit.
Finding 8:
Organizations are working Containers and Kubernetes technologies can increase productivity through
on high-risk issues
cross-functional features and simplified operations. While Kubernetes provides
Finding 9:
Security issues can lead mechanisms like network policies and role-based access control (RBAC) to
enhance security across your cluster, some features are overly permissive or
Finding 10:
Risk management is key disabled by default and require additional configuration to ensure sufficient
protection. Additionally, while security controls like SELinux can significantly
Finding 11:
Software supply chain increase application security, they can be challenging to customize and
integrate into an operational environment. These difficulties frequently surface
Finding 12:
Tools support software as security incidents, vulnerabilities, and misconfigurations at different stages
of the application life cycle. Our survey results show that many organizations
Finding 13:
Organizations use
still struggle with the complexity of securing container-based Kubernetes
open source tools for environments, as 89% reported at least 1 related security incident during the
Kubernetes security
last 12 months.

Advanced Cluster
7
Executive summary
About this report In the past 12 months, what security incidents or issues related
to containers and/or Kubernetes have you experienced?
Key findings
Finding 1:
Security incident
business outcomes during runtime 45%
Finding 2:
Major vulnerability
Security breaches
affect everyone to remediate 44%
Finding 3:
Detected misconfiguration 40%
Finding 4:
Security strategies Failed audit 26%
present concerns
Finding 5:
Responsibility for None 11%
Finding 6:
DevSecOps practices Q28. In the past 12 months, what security incidents or issues related to containers and/or Kubernetes have you experienced? Base size: Total = 600
are common
Finding 7:
Kubernetes brings
Finding 8:
on high-risk issues
Finding 4:
Finding 9:
Current container security
Finding 10:
strategies present concerns
Finding 11:
42% of respondents believe that their company
Finding 12: does not sufficiently invest in container security
supply chain security or address related threats.
Finding 13:
Organizations use
open source tools for As organizations adopt container environments to streamline application
Kubernetes security
deployment and scalability, they must also adapt their security processes to
and Kubernetes security these dynamic and distributed systems. Kubernetes and containers introduce
About our respondents new software layers that can increase complexity and introduce additional
Get started with Red Hat security risks to critical infrastructure. With added potential entry points for cyber
Advanced Cluster
8
Executive summary threats, robust security measures are needed to protect against vulnerabilities,
About this report unauthorized access, and data breaches. Even so, some respondents are
Key findings skeptical of their company’s container strategy. In fact, 23% believe that their
Finding 1: organization’s strategy does not sufficiently address container security threats,
business outcomes while 19% think that investment in container security is inadequate.
Finding 2:
Security breaches Comprehensive container and Kubernetes security starts with understanding the
affect everyone
complexity and potential security risks of modern environments. By implementing
Finding 3:
Security incidents occur controls that encompass all layers of the software stack—including the underlying
infrastructure, Kubernetes control plane, network, and container images and
Finding 4:
registries—you can begin to minimize risks to your cloud-native applications.
Security strategies
present concerns
Finding 5:
Responsibility for
security is decentralized What is your biggest concern about your company's container strategy?
Finding 6:
DevSecOps practices
are common
Finding 7:
It doesn’t sufficiently address
Kubernetes brings
container security threats 23%
Net security
Finding 8: 42% concerns
on high-risk issues
Inadequate investment
Finding 9: in container security 19%
Finding 10:
It is progressing too slowly 19%
Finding 11:
security worries are real Neglects compliance
requirements and standards 14%
Finding 12:
supply chain security Fails to accommodate necessary
cultural or process changes 13%
Finding 13:
Organizations use
It doesn’t address
Kubernetes security skills gaps on our team 11%
Q7. What is your biggest concern about your company's container strategy? Base size: Total = 600
About our respondents Percentages may not add to 100% due to rounding.

Advanced Cluster
9
About this report
Key findings Responsibility for security

is highly decentralized
Finding 1:
business outcomes
Finding 2:
Security breaches
affect everyone
Only 1/3 of respondents say their security teams
are responsible for Kubernetes security.
Finding 3:
Finding 4:
Security strategies In many organizations, multiple groups collaborate to build and deploy workloads
present concerns
in container-based Kubernetes environments. Our survey results show that there
Finding 5:
Responsibility for is no single role responsible for Kubernetes security across organizations.
Finding 6:
DevSecOps practices
are common
What role at your company is most responsible for container and Kubernetes security?
Finding 7:
Kubernetes brings
Finding 8: Ops
Organizations are working Architect, platform, infrastructure, site 18%
on high-risk issues reliability engineering (SRE), cloud
Finding 9:
Security issues can lead Any ITOps, DevOps,
to serious consequences DevOps 17% 50% or DevSecOps
Finding 10:
Finding 11:
DevSecOps 15%
Finding 12:
supply chain security Security
Cloud security, security
engineering, InfoSec
34%
Finding 13:
Organizations use
Kubernetes security

Developer 16%

Advanced Cluster
Security for Kubernetes Q9. What role at your company is most responsible for container and Kubernetes security? Base size: Total = 600
10
Executive summary In fact, only 34% of respondents overall say that security teams are most
About this report responsible for container and Kubernetes security within their organization.
Key findings Various operations roles, including ITOps, DevOps, and DevSecOps, are
Finding 1: responsible for security at 50% of organizations. Interestingly, APAC
business outcomes organizations are more likely to have a DevSecOps role most responsible (21%).
Finding 2:
Security breaches Advanced Kubernetes security technologies and processes can promote close
affect everyone
collaboration between diverse teams and remove barriers that isolate domain
Finding 3:
Security incidents occur experts. Developers can create and integrate custom software, open source
components, and container images. Security experts can define and implement
Finding 4:
policies and controls across cluster resources. And operations teams can manage
Security strategies
present concerns cluster infrastructure, access controls, and authorization mechanisms—all using a
Finding 5: single set of common security solutions.
Responsibility for
Finding 6:
DevSecOps practices
are common
Finding 7: Finding 6:
Kubernetes brings
DevSecOps practices are

Finding 8:
common across organizations

on high-risk issues
Finding 9:
Finding 10:
42% of respondents have a DevSecOps initiative
for software supply chains in an advanced stage within their organization.
Finding 11:
Organizations continue to adopt DevSecOps practices to identify and mitigate
Finding 12:
Tools support software security risks earlier in their container and Kubernetes deployment processes.
In fact, 42% of respondents say their organization integrates and automates
Finding 13:
security throughout entire application life cycles using DevSecOps processes
Organizations use
open source tools for and tools like automated testing, continuous monitoring, and code reviews.
Kubernetes security
Enhance your container At the same time, 48% report that their organization understands the value of
DevSecOps and is in the early stages of adoption, with development, operations,
and security teams collaborating on joint policies and workflows. This is a
Advanced Cluster significant increase from last year, when only 39% of respondents were at this
11
Executive summary stage. For the remaining 10% of organizations, separate DevOps and security
About this report teams may lead to reactive processes that only address vulnerabilities at
Key findings deployment or runtime, resulting in decreased efficiency, speed, and software
Finding 1: quality, along with slower application delivery.
business outcomes
Finding 2:
Security breaches
affect everyone Do you have a DevSecOps initiative in your organization?
Finding 3:
42% 48% 10%

Finding 4:
Security strategies Yes - it’s in an advanced stage, Yes - it’s in an early state, with No - DevOps and
present concerns
where we’re integrating and DevOps and security collaborating security remain
Finding 5: automating security on joint policies and workflows separate, with
Responsibility for throughout the life cycle minimal collaboration
Finding 6:
Q25. Do you have a DevSecOps initiative in your organization? Base size: Total = 600
DevSecOps practices
are common
Finding 7:
Kubernetes brings
Finding 7:
Finding 8:
Kubernetes environments
on high-risk issues
Finding 9:
bring new security challenges

Finding 10:
Finding 11:
60% of respondents worry about vulnerabilities,
misconfigurations, and exposures in their container
Finding 12:
and Kubernetes environments.
Finding 13: Mitigating vulnerabilities in complex, dynamic Kubernetes and container

Organizations use
open source tools for environments can be challenging. Because containers share host resources like
Kubernetes security
operating system kernels, a single container vulnerability can impact multiple
and Kubernetes security containers. And a vulnerability in a host itself can affect all containers deployed

on the system. Respondents are clearly aware of this challenge, as 33% are most

worried about vulnerabilities in their container and Kubernetes environment.
Advanced Cluster
12
Executive summary A top concern for 27% of respondents, incorrectly configured components—
About this report including base images, libraries, and dependencies—can introduce critical security
Key findings issues across entire environments. If not properly validated and maintained, these
Finding 1: components can serve as potential attack points and compromise the integrity
business outcomes and confidentiality of critical applications and sensitive data.
Finding 2:
Security breaches While these concerns are warranted, they can be mitigated with thorough
affect everyone
security processes. For example, implementing automated, continuous security
Finding 3:
Security incidents occur scanning can help you detect and fix common vulnerabilities and ensure correct
configuration of security-sensitive components.
Finding 4:
Security strategies
present concerns
Finding 5:
Responsibility for Of the following risks, which one are you most worried
security is decentralized about for your container and Kubernetes environments?
Finding 6:
DevSecOps practices
are common
Vulnerabilities
Finding 7: 16%
Kubernetes brings
33% Misconfigurations/
exposures
Finding 8:
on high-risk issues Attacks
Finding 9:
Security issues can lead Failing compliance
to serious consequences Service Organization
Control Type 2 (SOC2),
Finding 10: 24% Payment Card Industry
Risk management is key (PCI), Health Insurance
for software supply chains 27% Portability & Accountability
Act (HIPAA), etc.
Finding 11:
security worries are real Q10. Of the following risks, which one are you most worried about for your container and Kubernetes environments? Base size: Total = 600
Finding 12:
Finding 13:
Organizations use
Kubernetes security


Advanced Cluster
13
About this report
Key findings Organizations are actively

addressing high-risk issues
Finding 1:
business outcomes
Finding 2:
Security breaches
affect everyone
Coding errors, unprotected sensitive data, poor
network security, and undetected malware present
Finding 3:
Finding 4:
the highest security risks.
Security strategies
present concerns
Finding 5:
Overall, organizations do not have a single top security risk; instead, they are
Responsibility for almost equally concerned about a range of potential issues. From coding
errors (36%) and exposed sensitive data (34%) to poor network security (32%)
Finding 6:
DevSecOps practices and undetected malware (32%), these security risks highlight the need for
are common
comprehensive strategies to mitigate vulnerabilities and safeguard against cyber
Finding 7:
Kubernetes brings threats. Comprehensive analysis of Kubernetes and container components can
identify vulnerabilities and misconfigurations to help you implement targeted
Finding 8:
Organizations are working remediation measures across your container environment. Robust security
on high-risk issues
measures tailored to application requirements can effectively mitigate risks,
Finding 9:
protect sensitive data, and defend against threats. And user-friendly security
controls integrated throughout the entire application life cycle can improve
Finding 10:
compliance and mitigate the risk of human error.
Based on our survey results, organizations are actively working to reduce high-risk
Finding 11:
Software supply chain issues across their container and Kubernetes environments. In fact, more than
half of companies surveyed are focusing on every potential high-risk security
Finding 12:
Tools support software issue. At the same time, 66% of organizations are addressing threats related to
exposed sensitive data, poor network security, overprivileged containers, and
Finding 13:
Organizations use unused components.
Kubernetes security


Advanced Cluster
14
Executive summary
About this report Which of the following are Which of the following high-risk issues
considered high-risk security are you addressing at your company?
Key findings
issues in your company? (Among those who cite each concern)
Finding 1:
business outcomes Coding errors
Finding 2:
36% 63%
Security breaches
affect everyone
Exposed/unprotected sensitive data like secrets
Finding 3: 34% 66%
Poor network security
Finding 4:
Security strategies
32% 66%
present concerns
Finding 5:
Undetected malware
Responsibility for 32% 64%
Finding 6: Unpatched flaws

DevSecOps practices
31% 64%
are common
Finding 7:
Kubernetes brings
Use of insecure/untrusted image repositories
new security challenges 27% 56%
Finding 8: Inadequate access controls
Organizations are working Identity access management (IAM) and role-based access control (RBAC)
on high-risk issues 26% 52%
Finding 9:
Retaining insecure default configurations
26% 56%
Finding 10:
for software supply chains Overprivileged containers
25% 66%
Finding 11:
security worries are real Presence of known fixable vulnerabilities
Finding 12: 25% 53%
Unused components deployed increasing attack surface
Finding 13: 24% 66%
Organizations use
Kubernetes security Stale, unscanned, or unverified images
Enhance your container 23% 59%
About our respondents Exposed network ports

23% 53%
Advanced Cluster
Q13. Which of the following are considered high-risk security issues in your company? Base size: Total = 600
Q14. Which of the following high-risk issues are you addressing at your company? Base size: Among those who cite each concern = 139 - 213
15
About this report
Key findings Security issues can lead to

serious consequences
Finding 1:
business outcomes
Finding 2:
Security breaches
affect everyone
More than half of organizations found unauthorized
process execution in their environments.
Finding 3:
Finding 4:
Security strategies Many high-risk security issues—from unauthorized process execution (45%) to
present concerns
exposure of sensitive data (43%) to ransomware (41%)—concern respondents,
Finding 5:
Responsibility for reflecting the importance of protecting against a range of threats that can
compromise the integrity, confidentiality, and availability of data and systems.
Finding 6:
DevSecOps practices Unauthorized process execution poses a significant risk, allowing malicious
are common
actors to infiltrate systems, disrupt operations, and access sensitive information.
Finding 7:
Kubernetes brings Exposure of sensitive data raises concerns about regulatory compliance and
financial and reputational damage resulting from data breaches. And ransomware
Finding 8:
attacks can cause significant disruptions and financial losses for organizations.
on high-risk issues
These concerns are justified. For every high-risk security issue identified in our
Finding 9:
Security issues can lead survey, more respondents actually experienced the issue than worried about it.
For example, the top worry was unauthorized process execution, cited by 45%
Finding 10:
Risk management is key of respondents. However, 52% of respondents reported that their organization
actually experienced some type of unauthorized process during the last 12
Finding 11:
Software supply chain months alone. This discrepancy is even greater for unauthorized access to
internal cloud resources, denial of service attacks, compromised credentials, and
Finding 12:
Tools support software unauthorized lateral movement. 11-15% more organizations experienced than
worried about these high-risk issues.
Finding 13:
Organizations use
Kubernetes security


Advanced Cluster
16
Executive summary
About this report Which of the following Which of the following high-risk issues has your
high-risk issues worry company experienced in the past 12 months?
Key findings
you the most? (Among those who cite each worry.)
Finding 1:
business outcomes Malware execution, resource hijacking, crypto mining,
or other unauthorized process execution
Finding 2:
Security breaches 45% 52%
affect everyone
Finding 3: Exposure of sensitive data like personally identifiable information (PII)

43% 44%
Finding 4:
Security strategies
Ransomware
present concerns 41% 47%
Finding 5:
Responsibility for Unauthorized access to internal cloud resources
security is decentralized 35% 46%
Finding 6:
DevSecOps practices
Data deletion
are common
34% 37%
Finding 7:
Kubernetes brings
new security challenges Denial of service attack
33% 48%
Finding 8:
on high-risk issues Compromised credentials
Finding 9: 32% 44%
Unauthorized lateral movement
Finding 10: 32% 46%
Finding 11: Q15. Which of the following high-risk issues worry you the most? Base size: Total = 600
Software supply chain Q16. Which of the following high-risk issues has your company experienced in the past 12 months? Base size: Among those who cite
each worry = 189 - 270
Finding 12:
Finding 13:
Organizations use
Kubernetes security


Advanced Cluster
17
About this report
Key findings Risk management is critical

Finding 1:
business outcomes
Finding 2:
Security breaches
affect everyone
44% of respondents say software vulnerabilities are
the highest-risk aspect of software supply chains, an
Finding 3:
Finding 4:
increase of 9% from last year.
Security strategies
present concerns
Finding 5:
Securing software supply chains can be challenging due to their inherent
Responsibility for complexity and global reach. Supply chains often integrate software from a
variety of commercial vendors and open source projects, so it is crucial to ensure
Finding 6:
DevSecOps practices the integrity, authenticity, and security of each component.
are common
Finding 7: We asked respondents to identify the highest-risk aspects of software supply

Kubernetes brings
new security challenges chains. Software vulnerabilities (44%), open source software (33%), and
Finding 8: untrusted content (33%) ranked at the top across organizations. This makes
on high-risk issues sense, as each of these aspects can lead to serious consequences. Software
Finding 9:
vulnerabilities can lead to security incidents like data breaches and malware
execution. Open source software must be properly reviewed, scanned, and
Finding 10:
maintained to reduce the risk of incorporating new vulnerabilities. And untrusted
Risk management is key content can compromise system integrity and allow unauthorized access.
Finding 11: Notably, concerns about software vulnerabilities increased 9% from 35% in
security worries are real 2023 to 44% this year. And respondents in the technology industry ranked
Finding 12: vulnerabilities even higher, at 51%. We also found that respondents from small
supply chain security companies ranked insider threats higher than average, at 36% versus 31% overall.
Finding 13:
Organizations use Organizations can address these challenges with a comprehensive approach
Kubernetes security to software supply chain security that includes rigorous supplier evaluations,

security-focused coding practices, and continuous monitoring of software
dependencies. By prioritizing security at every stage of the software supply chain,
About our respondents you can minimize risks, protect against cyber threats, and ensure the integrity of
Get started with Red Hat software delivered to your users and stakeholders.
Advanced Cluster
18
Executive summary
About this report What aspects of the software supply chain security represent the highest risk?
Key findings
Finding 1:
Software vulnerabilities 44%
business outcomes
Finding 2: Use of open source software 33%

Security breaches
affect everyone
Finding 3: Untrusted content 33%

Insider threat
Finding 4: (accidental or malicious) 31%
Security strategies
present concerns
Third-party tools used
Finding 5: as attack vector 29%
Responsibility for
Source code
Finding 6: Integrated development environment (IDE) 25%
DevSecOps practices
are common
Finding 7:
Deployments 25%
Kubernetes brings
Finding 8:
DevOps teams 24%
on high-risk issues
Images and dependencies 23%
Finding 9:
Repositories 20%
Finding 10:
for software supply chains Q30. What aspects of the software supply chain security represent the highest risk? Base size: Total = 600
Finding 11:
Finding 12:
Finding 13:
Organizations use
Kubernetes security


Advanced Cluster
19
About this report
Key findings Software supply chain

security worries are justified
Finding 1:
business outcomes
Finding 2:
Security breaches
affect everyone
57% of organizations detected vulnerable application
components in their software supply chain in the last
Finding 3:
Finding 4:
12 months.
Security strategies
present concerns
Finding 5:
Software supply chain security helps ensure integrity, confidentiality, and
Responsibility for availability throughout application life cycles. With robust security measures,
organizations can mitigate the risk of supply chain attacks, unauthorized access,
Finding 6:
DevSecOps practices and data breaches to safeguard digital assets and maintain customer and
are common
stakeholder trust.
Finding 7:
Kubernetes brings
new security challenges However, respondents expressed many concerns about the security of their
Finding 8: organizations’ software supply chains—including vulnerable application
on high-risk issues components (37%), insufficient access controls (32%), and insecure container
Finding 9:
images (32%). As with overall security issues (Finding 9), these concerns are
warranted. Almost every issue identified in the survey was experienced by more
Finding 10:
than half of all respondent organizations, with vulnerable application components,
Risk management is key lack of automation, and lack of software bills of materials (SBOMs) impacting
nearly 60% of companies.
Finding 11:
security worries are real Additionally, at least 1.5 times more organizations experienced than were
Finding 12: concerned about each issue. In fact, the 4 issues of lowest concern—lack of
supply chain security SBOMs, continuous integration/continuous deployment (CI/CD) pipeline
Finding 13: weaknesses, version control weaknesses, and insecure Infrastructure-as-Code
Organizations use
open source tools for (IaC) templates—were experienced by more than twice as many organizations as
Kubernetes security
were concerned about the issue.

Advanced Cluster
20
Executive summary
About this report Which of the following software Which of the following software supply
supply chain security issues chain security issues has your company
Key findings
is your company most experienced in the past 12 months?
Finding 1: concerned about? (Among those who cite each concern.)
business outcomes
Finding 2: Vulnerable application components

Security breaches 37% 57%
affect everyone
Finding 3: Insufficient access controls

in all life cycle phases 32% 52%
Finding 4:
Security strategies Insecure container images
present concerns 32% 49%
Finding 5:
Responsibility for Lack of auditability
31% 54%
Finding 6:
DevSecOps practices
are common Lack of automation
30% 59%
Finding 7:
Kubernetes brings
new security challenges Inconsistent policy enforcement
Finding 8:
27% 54%
on high-risk issues
Lack of software bills of materials (SBOMs) or provenance
Finding 9: 26% 58%
Continuous integration/continuous deployment (CI/CD) pipeline weaknesses
Finding 10:
25% 56%
Finding 11:
Version control weaknesses
Software supply chain 22% 51%
Finding 12: Insecure Infrastructure-as-Code (IaC) templates

Tools support software 18% 49%
Finding 13:
Organizations use Q32. Which of the following software supply chain security issues is your company most concerned about? Base size: Total = 600
open source tools for Q33. Which of the following software supply chain security issues has your company experienced in the past 12 months? Base size: Among those
Kubernetes security who cite each concern = 107 - 223


Advanced Cluster
21
About this report
Key findings Tools and processes support

software supply chain security
Finding 1:
business outcomes
Finding 2:
Security breaches
affect everyone
Nearly half of respondents view security attestation
as a key software supply chain security control.
Finding 3:
Finding 4:
Security strategies Organizations mitigate vulnerabilities and protect critical software supply chains
present concerns
with a variety of advanced security tools and technologies—including security
Finding 5:
Responsibility for attestation (47%), vulnerability scanning (45%), and access and authentication
mechanisms (41%). By verifying each software component’s origin, authenticity,
Finding 6:
DevSecOps practices and compliance with security standards, security attestation helps you ensure
are common
the integrity and trustworthiness of applications. Vulnerability scanning lets you
Finding 7:
Kubernetes brings
Finding 8:
Organizations are working Which of the following are most important when it comes to software supply chain security?
on high-risk issues
Finding 9:
Security issues can lead Security attestation
Image signing, deployment signing,
pipeline attestation, etc.
47%
Finding 10:
Vulnerability scanning 45%
Finding 11:
Access and authentication 41%
Finding 12:
Configuration management 35%
Finding 13:
Continuous integration/
Organizations use continuous deployment (CI/CD) 31%
open source tools for integration & security automation
Kubernetes security
Enhance your container Registry governance 28%

About our respondents Integrated development

environment (IDE) scanning 19%
Advanced Cluster
Q31. Which of the following are most important when it comes to software supply chain security? (Please select up to 3 most important aspects.)
Base size: Total = 600
22
Executive summary proactively address security risks—before they can be exploited—by identifying
About this report and remediating potential weaknesses and vulnerabilities in your software supply
Key findings chain. With access and authentication mechanisms like multifactor authentication
Finding 1: (MFA) and RBAC, you can reduce the risk of unauthorized access to sensitive
business outcomes software components and data.
Finding 2:
Security breaches
affect everyone
Finding 3:
in all life cycle phases Finding 13:
Organizations use open source

Finding 4:
Security strategies
present concerns
Finding 5:
Responsibility for
tools for Kubernetes security
Finding 6:
DevSecOps practices
are common Open Policy Agent, Kube-bench, and KubeLinter are
Finding 7: popular open source Kubernetes security tools.
Kubernetes brings
Finding 8:
A comprehensive ecosystem of open source tools—with advanced technologies
on high-risk issues developed by dedicated contributors—provides a range of security solutions for
Finding 9: containers and Kubernetes environments. Respondent organizations rely on many
to serious consequences of these open source security tools to protect their cloud-native applications:
Finding 10:
Risk management is key ► 35% simplify policy management with Open Policy Agent, a toolset and
framework for unified policies across cloud-native stacks.
Finding 11:
security worries are real ► 31% check Kubernetes deployment security against the CIS Kubernetes
Finding 12:
Benchmark using Kube-bench.
supply chain security ► 31% ensure applications adhere to best practices with KubeLinter, a static
Finding 13:
analysis tool for Kubernetes YAML files and Helm charts.
Organizations use
Kubernetes security ► 28% identify security issues in Kubernetes clusters and cloud-native
Enhance your container environments using Kube-hunter, a security testing and scanning tool.
About our respondents Overall, organizations use an average of 2.1 security-related open source tools
Get started with Red Hat within their Kubernetes environments.
Advanced Cluster
23
Executive summary
About this report Which of the following open source tools do you use for Kubernetes security?
Key findings
Finding 1:
Open Policy Agent (OPA) 35%
business outcomes
Finding 2: Kube-bench 31%

Security breaches
affect everyone
Finding 3: KubeLinter 31%

Finding 4: Kube-hunter 28%

Security strategies
present concerns
Finding 5:
Falco 20%
Responsibility for
Finding 6:
Kyverno 15%
DevSecOps practices
are common
Finding 7:
StackRox 13%
Kubernetes brings
Finding 8:
Clair 12%
on high-risk issues
Terrascan 12%
Finding 9:
Checkov 10%
Finding 10:
for software supply chains Q20. Which of the following open source tools do you use for Kubernetes security? Base size: Total = 600
Finding 11:
Finding 12:
Finding 13:
Organizations use
Kubernetes security


Advanced Cluster
24
Executive summary
About this report
Key findings
Finding 1:
business outcomes
Containers and Kubernetes can speed application development and deployment
Finding 2:
Security breaches across hybrid cloud environments. Integrating security-focused processes and
affect everyone
technologies throughout their life cycles helps you protect applications without
Finding 3:
slowing development or increasing operational complexity. Safeguard sensitive
in all life cycle phases data, intellectual property, and customer information. Meet corporate, industry,
Finding 4:
and government regulatory requirements. Ensure business continuity. Maintain
Security strategies
present concerns customer trust and confidence. Reduce the costs of late remediation efforts.
Finding 5:
Responsibility for Here are 3 tips for increasing the security of your cloud-native environments.
Finding 6:
1
DevSecOps practices
are common Use Kubernetes-native security controls
Finding 7:
Kubernetes brings
Kubernetes-native security uses declarative data and native controls
new security challenges to protect your container workloads.
Finding 8:
Organizations are working ► Analyze the declarative data available in Kubernetes to gain
on high-risk issues
risk-based insights into configuration management, compliance,
Finding 9:
Security issues can lead segmentation, and vulnerabilities.
Finding 10: ► Simplify and speed analysis and troubleshooting using the same
for software supply chains infrastructure and controls for development and security.
Finding 11:
Software supply chain ► Reduce operational conflict through security automation and scaling.
Finding 12:
Finding 13:
Organizations use
Kubernetes security


Advanced Cluster
25
2
Executive summary
Extend security across application life cycles
About this report
A security focus during all application life cycle phases can help you
Key findings
identify and mitigate potential vulnerabilities early, reducing the risk of
Finding 1:
Security issues impact data breaches, cyberattacks, and compromised user trust.
business outcomes
Finding 2: ► Incorporate DevSecOps best practices and internal controls into

Security breaches
affect everyone configuration checks within your security platform.
Finding 3:
Security incidents occur ► Automate Kubernetes configuration security assessments using your
container and Kubernetes platform.
Finding 4:
Security strategies
present concerns
3 Adopt tools that support DevSecOps practices

Finding 5:
Responsibility for
The right security technologies and solutions can increase collaboration
Finding 6:
DevSecOps practices between your development, security, and operations teams.
are common
Finding 7:
► Use your container and Kubernetes platform to perform risk
Kubernetes brings
new security challenges assessments and provide security controls for your environments.
Finding 8:
► Adopt tools that can identify and explain vulnerabilities in active
on high-risk issues deployments to understand and apply security-focused practices.
Finding 9:
Finding 10:
Finding 11:
Finding 12:
Finding 13:
Organizations use
Kubernetes security


Advanced Cluster
26
Executive summary
About this report
Key findings
This section provides more details about our respondents and their organizations.
Finding 1:
business outcomes
Kubernetes adoption
Finding 2:
Security breaches Most respondents use Kubernetes in production, with cloud-based Kubernetes
affect everyone
solutions as the most popular platforms.
Finding 3:
Finding 4:
Security strategies
What Kubernetes platform do you use to orchestrate your containers?
present concerns
Finding 5:
Responsibility for Amazon Elastic
Kubernetes Service (EKS) 53%
Finding 6:
DevSecOps practices
are common IBM Cloud Kubernetes Service 46%
Finding 7:
Kubernetes brings
Google Kubernetes Engine (GKE) 45%
Finding 8: Any Red Hat
on high-risk issues
Azure Red Hat OpenShift, Red Hat OpenShift
(self-managed), Red Hat OpenShift Service 39%
on AWS, Red Hat OpenShift Dedicated
Finding 9:
Azure Kubernetes Service (AKS) 32%
Finding 10:
Kubernetes (self-managed) 23%
Finding 11:
Mirantis Container Cloud
Formerly Docker Enterprise 8%
Finding 12:
Tools support software VMware Tanzu 7%
Finding 13:
Organizations use Rancher/SUSE 6%
Kubernetes security

D2iQ Kubernetes Platform 5%
About our respondents Q3. What Kubernetes platform do you use to orchestrate your containers? Base size: Those using Kubernetes = 390

Advanced Cluster
27
Executive summary Common pain points
About this report
Lack of full life cycle security and slow deployments are the 2 most common
Key findings
complaints about current Kubernetes security solutions.
Finding 1:
business outcomes
Finding 2:
Security breaches Which of the following are the biggest pain points you
affect everyone experience with your current Kubernetes security solution?
Finding 3:
in all life cycle phases It doesn’t protect the full
application life cycle 33%
Finding 4:
Security strategies
present concerns
It’s slowing down development 33%
Finding 5:
Responsibility for It doesn’t work in all of
security is decentralized our environments where 31%
Finding 6:
Kubernetes is used
DevSecOps practices
We lack internal talent to
are common
use it to its full potential 30%
Finding 7:
Kubernetes brings Too difficult to use, can’t be
operationalized in our systems 26%
Finding 8:
Organizations are working There are too many false alerts
on high-risk issues
Alert fatigue 26%
Finding 9:
Security issues can lead We have too many
security products 25%
Finding 10:
Risk management is key It doesn’t do what it promises
for software supply chains Vaporware 14%
Finding 11:
We don’t have a solution 10%
Finding 12:
Tools support software Q26. Which of the following are the biggest pain points you experience with your current Kubernetes security solution? (Please select up to 3 top
supply chain security pain points.) Base size: Total = 600
Finding 13:
Organizations use
Kubernetes security


Advanced Cluster
28
Executive summary Supply chain security tools
About this report
Vulnerability scanners are the most used security tools, followed by CI/CD, static
Key findings
security analysis, and SBOM tools. Organizations use an average of 3 security
Finding 1:
Security issues impact tools for their software supply chains.
business outcomes
Finding 2:
Security breaches
affect everyone
Which of the following types of security tools do you use for your software supply chain?
Finding 3:
Vulnerability scanners 44%
Finding 4:
Security strategies
present concerns CI/CD tools
Tekton, Circle CI 35%
Finding 5:
Responsibility for
Static security analysis 34%
Finding 6:
DevSecOps practices
are common SBOM tools
Syft, ScanOSS 32%
Finding 7:
Kubernetes brings
new security challenges GitOps tools
ArgoCD, Flux 28%
Finding 8:
Admission controllers
on high-risk issues
OPA, Kyverno 28%
Finding 9:
to serious consequences Runtime enforcement 28%
Finding 10:
for software supply chains IDE dependency analysis 25%
Finding 11:
Software supply chain Signing/attestation tools
Tekton chains, Sigstore/cosign 23%
Finding 12:
supply chain security Registry/binary repository 21%
Finding 13:
Organizations use Q22. Which of the following types of security tools do you use for your software supply chain? Base size: Total = 600
Kubernetes security


Advanced Cluster
29
Executive summary Other cloud-native technologies
About this report
Kubernetes-native CI/CD tools are among the top cloud-native technologies
Key findings
in use.
Finding 1:
business outcomes
Finding 2:
Security breaches What other cloud-native technologies are you considering or using currently?
affect everyone
Finding 3:
1%
in all life cycle phases Cloud-native storage 6% 18% 25% 50%
Finding 4:
2%
Security strategies
present concerns Code repository 7% 19% 26% 47%
Finding 5:
Responsibility for
Kubernetes-native
3% 7% 25% 21% 44%
CI/CD tools
Finding 6:
DevSecOps practices
are common Binary repository/
4% 7% 22% 25% 41%
container registry
Finding 7:
Kubernetes brings 1%
new security challenges Function-as-a-Service 8% 26% 24% 41%
Finding 8:
on high-risk issues Kata containers 4% 12% 24% 26% 34%
Finding 9:
to serious consequences Operators/
4% 12% 28% 24% 34%
Helm charts
Finding 10:
for software supply chains Service mesh 3% 9% 33% 26% 30%
Finding 11:
security worries are real Open Policy Agent
4% 12% 31% 24% 29%
or Kyverno
Finding 12:
Finding 13: Don’t know No interest Investigating Piloting Using in

Organizations use in using production
Kubernetes security
Q6. What other cloud-native technologies are you considering or using currently? Base size: Total = 600
Percentages may not add to 100% due to rounding.

Advanced Cluster
30
Get started with Red Hat Advanced
Cluster Security for Kubernetes
Red Hat® Advanced Cluster Security for Kubernetes is a Kubernetes-native security platform
that helps you build, deploy, and run cloud-native applications with more security. With Red Hat
Advanced Cluster Security, you can protect containerized Kubernetes workloads in major public cloud
environments and hybrid cloud platforms—including Red Hat OpenShift, Amazon Elastic Kubernetes
Service (EKS), Microsoft Azure Kubernetes Service (AKS), and Google Kubernetes Engine (GKE).
Minimize operational risk

Monitor, collect, and evaluate system-level events—like process execution, network connections
and flows, and privilege escalation—to detect malicious activities from active malware and
unauthorized access to intrusions and lateral movement.
Increase DevSecOps productivity

Integrate Red Hat Advanced Cluster Security with your CI/CD pipelines and image registries to
quickly remediate vulnerable and misconfigured images—directly in developer environments—with
real-time feedback and alerts.
Protect Kubernetes infrastructure

Ensure your Kubernetes infrastructure remains hardened and protected with continuous scans
against CIS benchmarks and other security best practices.
Schedule a personalized demo of Red Hat Advanced Cluster

Security for Kubernetes tailored for your business and needs.
Copyright © 2024 Red Hat, Inc. Red Hat, the Red Hat logo, and OpenShift are trademarks
or registered trademarks of Red Hat, Inc. or its subsidiaries in the United States and other
countries. All other trademarks are the property of their respective owners.

Kubernetes-Security Best Pratiques

Uploaded by

Copyright:

Available Formats

Kubernetes-Security Best Pratiques

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Kubernetes-Security Best Pratiques

Uploaded by

Copyright:

Available Formats

The state

A Red Hat® report

About this report

1 Red Hat report. “2024 global tech trends,” February 2024. 2

About this report

Finding 5: ► IT professionals focused on applications, platforms, infrastructure, operations,

Finding 11: total reponses DevOps Engineering Security

About our respondents

Get started with Red Hat

About this report

Get started with Red Hat

Key findings Security issues continue to

Enhance your container

Get started with Red Hat

Key findings Security breaches

Enhance your container

Key findings Security incidents occur in all

About our respondents

Get started with Red Hat

Get started with Red Hat

Key findings Responsibility for security

Enhance your container

Get started with Red Hat

DevSecOps practices are

common across organizations

42% 48% 10%

bring new security challenges

Finding 13: Mitigating vulnerabilities in complex, dynamic Kubernetes and container

About our respondents

Get started with Red Hat

Enhance your container

About our respondents

Get started with Red Hat

Key findings Organizations are actively

Enhance your container

About our respondents

Get started with Red Hat

Finding 6: Unpatched flaws

About our respondents Exposed network ports

Key findings Security issues can lead to

Enhance your container

About our respondents

Get started with Red Hat

Finding 3: Exposure of sensitive data like personally identifiable information (PII)

Enhance your container

About our respondents

Get started with Red Hat

Key findings Risk management is critical

Finding 7: We asked respondents to identify the highest-risk aspects of software supply

Enhance your container

Finding 2: Use of open source software 33%

Finding 3: Untrusted content 33%

Enhance your container

About our respondents

Get started with Red Hat

Key findings Software supply chain

About our respondents

Get started with Red Hat

Finding 2: Vulnerable application components