
Review: Cost-effective Kubernetes security: optimizing posture with open-source solutions

Submitted Feb 10, 2025

Review date and time - 6 February 2025, 6 PM - 7 PM
Presenter - Rohan Birtia
Reviewers - Chandrapal Badshah, Santanu Sinha


Summary of Rohan Birtia’s presentation on securing Kubernetes with open source tools

Introduction

  • Rohan discusses how to improve a Kubernetes security posture without spending millions on enterprise security solutions.
  • He introduces Kubernetes Security Posture Management (KSPM), typically purchased by organizations to manage and improve security.
  • KSPM tools provide a single pane of glass for monitoring clusters like GKE, EKS, and others.

Cost & alternatives

  • Enterprise Cloud Security Posture Management (CSPM) or CNAPP tools cost between $100K and $1M.
  • Many companies buy KSPM tools mainly for compliance reporting, but open-source tools can achieve the same or more.

Core functions of KSPM & Open Source alternatives

1. Compliance & benchmarking

  • Enterprise tools: used for compliance reports (CIS Benchmark, HIPAA, PCI DSS).
  • Open-source alternatives:
    • kube-bench for cluster misconfigurations.
    • kube-hunter for compliance reporting.

2. Image scanning

  • Enterprise tools: Require agents inside VMs, costing ~$20K.
  • Open-source alternatives:
    • Grype found more vulnerabilities than enterprise tools.
    • Harbor (open-source image registry) has built-in scanners like Anchore, Clair, Aqua.

3. Admission control

  • Prevents misconfigured workloads from being deployed.
  • Open-source tools:
    • Kyverno (YAML-based policy engine).
    • OPA (Open Policy Agent) — widely used by 99% of commercial KSPM tools.

4. Runtime security & threat detection

  • Enterprise tools: Require expensive eBPF agents ($50K per cluster).
  • Open-source alternatives:
    • sbom-operator for detecting vulnerable dependencies.
    • Falco (by Sysdig) and Dragon detect suspicious runtime behavior.
    • StackRox (acquired by Red Hat) offers an open-source security platform.

5. Network security

  • Enterprise tools lack proper network visibility.
  • Kubernetes default allows all Pods to communicate, which is a security risk.
  • Open-source alternatives:
    • StackRox helps analyze network policies.

6. Whitelisting & pipeline security

  • Enterprise tools may block developers due to vulnerabilities without available fixes.
  • Solution: Maintain a whitelist.json file to automate vulnerability handling in CI/CD.
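As an added example (not code from the talk or from any tool it names), a Python CI gate that applies a whitelist.json of the kind described above to scanner output: findings without a fix can be accepted with an owner, reason and expiry, while fixable high-severity findings always fail the job. The scan JSON is a constructed sample modelled on Grype's output format, and that format, the whitelist field names and the gate() helper are assumptions.

```python
import json
from datetime import date

# Constructed sample modelled on grype's JSON output (an assumption about the
# format, not a real scan): one fixable Critical, one unfixable High.
SCAN_JSON = """{"matches": [
  {"vulnerability": {"id": "CVE-0000-0001", "severity": "Critical",
                     "fix": {"state": "fixed", "versions": ["1.2.4"]}},
   "artifact": {"name": "libexample", "version": "1.2.3"}},
  {"vulnerability": {"id": "CVE-0000-0002", "severity": "High",
                     "fix": {"state": "not-fixed", "versions": []}},
   "artifact": {"name": "libother", "version": "4.5.6"}}
]}"""

# Constructed whitelist.json: every accepted finding carries an owner, a reason
# and an expiry date so the risk acceptance is re-reviewed, not forgotten.
WHITELIST_JSON = """[
  {"id": "CVE-0000-0002", "package": "libother", "owner": "platform-team",
   "reason": "no upstream fix; code path not reachable", "expires": "2099-01-01"}
]"""

BLOCKING_SEVERITIES = {"Critical", "High"}

def evaluate(scan, whitelist, today):
    """Split findings into (blocking, accepted). A finding blocks when its
    severity is in BLOCKING_SEVERITIES and no unexpired whitelist entry covers
    it; findings with a fix available are never accepted (upgrade instead)."""
    allowed = {(e["id"], e["package"]) for e in whitelist
               if date.fromisoformat(e["expires"]) >= today}
    blocking, accepted = [], []
    for m in scan["matches"]:
        vuln, art = m["vulnerability"], m["artifact"]
        if vuln["severity"] not in BLOCKING_SEVERITIES:
            continue  # lower severities are reported, not gated on
        key = (vuln["id"], art["name"])
        fixable = vuln["fix"]["state"] == "fixed"
        (accepted if key in allowed and not fixable else blocking).append(key)
    return blocking, accepted

def gate(scan_json, whitelist_json, today_iso):
    """Parse the scanner output and whitelist.json, evaluate as of today_iso."""
    return evaluate(json.loads(scan_json), json.loads(whitelist_json),
                    date.fromisoformat(today_iso))

if __name__ == "__main__":
    block, acc = gate(SCAN_JSON, WHITELIST_JSON, date.today().isoformat())
    print("blocking:", block, "accepted:", acc)
    raise SystemExit(1 if block else 0)  # non-zero exit fails the CI job
```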

Limitations of Open Source KSPM

  • Enterprise KSPM tools provide better external asset monitoring.
  • SQL-like query support for monitoring publicly exposed endpoints is missing in open-source solutions.

Conclusion

  • Series A to D startups benefit most from open-source KSPM as they have limited security budgets (~$1M max).
  • Open-source solutions can replace most enterprise KSPM functionalities, except for asset monitoring and query-based security insights.

This approach can save organizations millions of dollars while maintaining strong security compliance and vulnerability management.


Chandrapal’s feedback - summary points

1. Slide improvements

  • Follow best practices from past presentations made at Rootconf for better slides.
  • Some slides have excessive text (e.g., tools list) and should be more visual.
  • Liked the “before Open Source vs. after Open Source” images.

2. Flow & structure

  • The presentation jumps between topics (container scanning, runtime security, CI/CD).
  • Instead, maintain a logical flow:
    1. Write application code
    2. Wrap in a container
    3. Push to registry
    4. Use relevant tools at each step

3. Build vs. buy & decision criteria

  • Clarify the audience: Who should follow the approach that Rohan is suggesting?
  • Address when open-source tools are a good fit vs. when commercial solutions make sense.
  • Commercial tools consolidate everything into a single dashboard, while open source tools require multiple sources.
  • A slide comparing “When to use open source vs. commercial solutions” will help.

4. Clarifying the talk’s focus

  • Some parts create confusion: Are we advocating for open-source tools under user control or any free/cheaper solution?
  • Ensure consistency in messaging, e.g., Google Cloud Kubernetes Security Posture is free but not open source.

5. StackRox recommendation

  • If StackRox is hard to set up, why recommend it?
  • Presenter should only suggest tools that are practical to implement.

6. Key takeaway for audiences

  • The audience should leave knowing exactly what tool(s) to try first.
  • Instead of presenting multiple options without a clear recommendation, highlight preferred choice(s).

7. Target audience & positioning

  • Series A to Series D startups, some already spending millions on KSPM; others are exploring options.
  • Adjust framing: instead of focusing on cost-cutting from an expensive setup, emphasize early stage cost challenges.

8. Final suggestions

  • Add blog links where comparisons are made (e.g., Trivy vs. other tools).
  • Include links to code snippets for further reference.

Santanu Sinha’s feedback - summary points

1. Title & content density

  • The title is too long; consider shortening it or adjusting the font to improve readability.
  • Reduce wordiness in slides to make content more digestible.

2. Assumptions & jargon

  • The presentation assumes the audience already understands KSPM, which may not be true.
  • Instead, use a workflow diagram to illustrate the lifecycle of an application on Kubernetes and where KSPM fits.
  • Keep referencing this index slide after each section to reinforce understanding.

3. Flow & clarity

  • The presentation lists many tools without explaining how they integrate.
  • From an auditor’s perspective, it’s unclear how to prove compliance with these tools.
  • Consider adding a unifying framework or a slide identifying the gap if no such tool exists.

4. Avoid opening websites during the (actual) presentation

  • Live website demos can cause issues:
    • Internet connectivity at conferences is unreliable.
    • Switching between multiple windows disrupts presentation flow.
  • Instead, add a brief description of each tool on the slide itself.

5. Open source justification

  • Open source should not be framed as a “cheap” alternative; it is often higher quality than proprietary solutions, especially in security.
  • Emphasize quality benefits over cost savings.

6. Target audience assumptions

  • The claim that Series A-D startups need open source while larger companies can afford commercial solutions is not always true.
  • Even large companies migrate to open source for flexibility and cost-effectiveness.
  • Avoid limiting the audience by company size; focus on the value of open source for any company.

7. Key takeaways

  • Ensure a clear flow so the audience understands how to piece together different tools.
  • Avoid overwhelming the audience with a disjointed list of tools - structure the content logically.
  • Reduce wordiness, avoid website demos, and highlight quality over cost when discussing open-source solutions.

Srujan’s feedback - summary points

Srujan participated in the review as an audience member. He has created a mind map of the talk from the audience's standpoint (image: Srujan's suggested mind map).

Conference presenters can refer to this mind map when developing the first few iterations of their conference/meet-up talks.

1. Target audience & clarity of purpose

  • The talk lacks clarity on its primary objective:
    • Is it introducing KSPM?
    • Is it debating open-source vs. paid tools?
    • Is it arguing that open-source is cheaper?
  • Clearly define the core focus of the talk.

2. Cost considerations

  • If the argument is about cost-effectiveness, then provide:
    • Estimated server costs for running open source tools.
    • Maintenance costs (e.g., engineering hours required).
    • Setup effort needed to install and manage the tools.

3. Comparison of tools

  • Many in the audience may already be familiar with KSPM tools.
  • Instead of just listing tools, the talk should:
    • Reinforce existing beliefs or challenge misconceptions.
    • Explain why a particular tool is preferred over another.

4. Audience relevance

  • The talk assumes attendees already use or understand KSPM.
  • However, some audiences might be new to KSPM and need to learn about KSPM before adopting it. In this case, a brief introduction to KSPM beyond compliance will be helpful.

5. Key takeaways

  • Ensure the talk’s objective is clear - is it about introduction, comparison, or cost?
  • If discussing cost, provide concrete numbers on setup, maintenance, and operational expenses.
  • When comparing tools, explain why a specific tool is preferable rather than just listing them.
  • Add a KSPM introduction for those unfamiliar with it, beyond just compliance aspects.
