Kubernetes security is a challenge even for large companies with in-house expertise, but smaller firms new to DevSecOps often must seek outside sources of knowledge about cloud-native security.

Free, open source Kubernetes security utilities that assess the configuration of container clusters and alert users to common vulnerabilities are available from Google Kubernetes Engine and Aqua, along with the emerging Open Policy Agent for advanced policy-as-code enforcement. But one DevOps pro said he prefers Tel Aviv-based startup Alcide's software -- a combination of UI-driven security advice and proprietary microservices firewall policy enforcement -- to jump-start his company's DevSecOps efforts.

"There was a lot of work, and developers don't really think about security as their first priority," said Einav Friedman, DevOps engineer at Reali Inc., headquartered in San Mateo, Calif. He said there "were a lot of open issues" when he first joined the online real estate firm two months ago. "When you have a product that's already [shipping], looking at an open source project is nice. But if I've got a solution already ready for me that can give me benefits right now, that's the first thing that I'll go for."

While it wasn't free like many open source tools, Alcide's tool also wasn't terribly expensive for a company with fewer than 200 employees, about 30 of whom are developers. Friedman estimated Alcide coverage for a five-node production Kubernetes cluster in Amazon Elastic Kubernetes Service (EKS) costs his firm about $1,000 a month so far.

The Alcide Security Platform consists of a microservices firewall and anomaly detection software, along with cloud and Kubernetes discovery tools. But the standout part of the product for Friedman is its Advisor, which establishes a baseline cluster configuration profile, advises users on Kubernetes security best practices for its design, then detects deviations from that profile in future deployments to ensure security policies are followed.

"The same link that I have to a problem also comes with recommendations on how to solve it" in the Alcide Advisor interface, Friedman said. "In a few minutes, it identified critical issues regarding old AMI [Amazon Machine Images] that we were using, with a link to Kubernetes documentation and suggestions about how to use it."

The Alcide tool also identified places Kubernetes secrets weren't encrypted in production and prompted the firm to adopt AWS Secrets Manager to cover that gap. Alcide also applies blacklist policies by default against known malicious sites so Reali's application services can't access them.