
Navigating the path to Shift-Left Security PostgreSQL on Kubernetes


Author: Gabriele Bartolini, VP, Cloud Native, EDB
Bio: Gabriele Bartolini, a PostgreSQL and Kubernetes enthusiast, is VP, Cloud Native at EDB. He is a co-founder of PostgreSQL Europe, a founding member of Barman, and was previous Head of Global Support and co-founder at 2ndQuadrant—where he consistently contributed to the growth of the organization and its members through nurturing a lean and DevOps culture.


In today’s fast-paced information technology landscape, security remains a top concern for organizations deploying complex software systems on Kubernetes. As cyber threats continue to grow, it is crucial for IT leaders to adopt proactive security measures that detect and address vulnerabilities early in the development process. Inspired by the principles of Dr. W. Edwards Deming, shift-left security has emerged as a guiding paradigm to achieve this goal. By integrating security considerations from the outset of development, organizations can significantly reduce the risk of security breaches and improve the overall quality of their software products.

According to Check Point research, global cyberattacks increased by 38% in 2022 compared to 2021, and the worldwide number of malware attacks reached 5.5 billion (Statista). Additionally, the global average cost of a data breach has surpassed $4.45 million (IBM), underscoring the financial consequences of inadequate security practices. More recently, the 2023 State of Kubernetes Report by Red Hat reveals that 2 out of 3 respondents are delaying or slowing their Cloud Native adoption due to concerns about security, and 1 out of 3 has experienced customer or revenue loss following security incidents. In light of these escalating numbers, organizations must embrace the shift-left approach to security to effectively safeguard their software distributions.

What is Shift-Left Security?

The concept of “shift-left” security emphasizes the importance of integrating security early in the development process, and throughout the entire development lifecycle. While it may be known by various names like DevOps, DevSecOps, Lean, Agile, or Digital Transformation, what truly matters is the cultural foundation that fosters the generation of ideas and actions.

Kubernetes, designed with security in mind, utilizes the “4C” security model for Cloud Native computing with containers, organized in four layers: Cloud, Cluster, Container, and Code. While the Cloud and Cluster layers are critical to infrastructure security, this article focuses on the Code and Container layers, where software developers operate to build quality in and shift security leftward in the production pipeline.

Security Considerations at the Code Layer

At the code layer, the concept of “you build it, you own it” from DevOps highlights the accountability of developers for the entire process, from code commits to customer value delivery. Emphasizing quality and security involves practices such as version control, automated deployment, continuous integration, test automation, and more. CI/CD pipelines using tools like GitHub Actions can help catch defects and vulnerabilities early on, while fostering collaboration and improvement within teams.

Security Considerations at the Container Layer

Once the code has been checked, it needs to be “packaged” as a container image to run in Kubernetes. At the container layer, containers must be carefully designed so that the application can access only the information and the resources it needs to achieve its goals. Scanning container images for known vulnerabilities and following immutable application container paradigms are crucial aspects of enhancing security.

Container images are the artifacts that we actually distribute, and they should come with a software bill of materials (SBOM): an inventory of all the components, such as libraries, that have been included in the image. Scanning images and producing an SBOM are just two examples of steps that can enhance the security of an automated software development life cycle pipeline, which increasingly resembles a real supply chain.
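As an added illustration of the container-layer checks described above (this is example code, not CloudNativePG or EDB code), the following CI gate inspects a Pod spec for settings that give a Postgres container more access than it needs: an unpinned image tag, a privileged context, a writable root filesystem, undropped capabilities and missing resource limits. Both manifests are constructed for the example, and the digest value is a placeholder.

```python
"""Shift-left gate for the container layer: inspect a Pod spec and report
settings that grant the Postgres container more access than it needs.
Added example, not CloudNativePG or EDB code; both manifests are constructed."""
from typing import Dict, List

# Constructed Pod spec with the weak settings a first draft often carries.
WEAK_POD = {"spec": {"containers": [{
    "name": "postgres",
    "image": "postgres:latest",  # mutable tag: a scan result cannot be tied to it
    "securityContext": {"privileged": True},
}]}}

# The same workload with the settings an immutable, least-privilege container carries.
HARDENED_POD = {"spec": {"containers": [{
    "name": "postgres",
    "image": "postgres@sha256:" + "ab" * 32,  # digest-pinned (constructed digest)
    "securityContext": {
        "runAsNonRoot": True,
        "readOnlyRootFilesystem": True,
        "allowPrivilegeEscalation": False,
        "capabilities": {"drop": ["ALL"]},
    },
    "resources": {"limits": {"cpu": "1", "memory": "1Gi"}},
}]}}


def lint_container(c: Dict) -> List[str]:
    """Return one finding per setting that widens the container's access."""
    name, sc, image = c["name"], c.get("securityContext", {}), c.get("image", "")
    findings = []
    if "@sha256:" not in image:
        findings.append(f"{name}: image not pinned by digest ({image})")
    if sc.get("privileged"):
        findings.append(f"{name}: privileged container")
    if not sc.get("runAsNonRoot"):
        findings.append(f"{name}: runAsNonRoot not set")
    if not sc.get("readOnlyRootFilesystem"):
        findings.append(f"{name}: root filesystem is writable")
    if sc.get("allowPrivilegeEscalation", True):  # Kubernetes defaults this to true
        findings.append(f"{name}: privilege escalation allowed")
    if "ALL" not in sc.get("capabilities", {}).get("drop", []):
        findings.append(f"{name}: Linux capabilities not dropped")
    if not c.get("resources", {}).get("limits"):
        findings.append(f"{name}: no resource limits")
    return findings


def lint_pod(pod: Dict) -> List[str]:
    """Findings for every container in the Pod; an empty list means the gate passes."""
    return [f for c in pod["spec"]["containers"] for f in lint_container(c)]
```

In a pipeline, a non-empty result fails the job before the image is ever pushed, which is exactly where shifting left puts the cost of fixing it.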

Leveraging Kubernetes for end-to-end (E2E) testing of distributed systems brings numerous benefits. By utilizing ad-hoc Kubernetes clusters and automated testing pipelines, developers can thoroughly test patches before merging them into the main branch. Throughout this journey, Postgres has been successfully brought to Kubernetes, drawing on DevOps principles and harnessing the power of containers and Kubernetes for enhanced product quality and security. For example, the CloudNativePG operator, originally created by EDB and now open source, provides extensive evidence of this approach and enables the integration of Postgres databases in GitOps pipelines.

In conclusion, the shift-left security approach provides a robust methodology for increasing the security and quality of software development, particularly in the context of Postgres on Kubernetes. By integrating security considerations early in the process and fostering collaboration among teams, organizations can effectively address vulnerabilities and improve their software products.

Security Considerations for Pipelines

And finally, leveraging modern CI/CD pipelines and Kubernetes for automated testing further enhances the development process, enabling comprehensive assessments of patches and promoting continuous improvement. As organizations continue their journey towards shifting security left, they can confidently embrace the benefits of DevOps principles, containerization, and Kubernetes to deliver secure and high-quality software products.

To learn more about Kubernetes and the cloud native ecosystem, join us at KubeCon + CloudNativeCon Europe in Paris from March 19-22.