The need to protect Kubernetes in cloud infrastructure.


With the mass adoption of container technologies, none is more significant than Kubernetes, the de facto standard cluster and workload management system for public cloud and on-premises environments.

The long-running Flexera 2022 State of the Cloud survey tracking cloud adoption and usage found that almost three-quarters of enterprises are currently using or planning to use Kubernetes, with comparable adoption rates across on-premises and managed cloud Kubernetes services.

Kubernetes services from the public cloud providers continue to gain traction with customers, and their usage has now surpassed that of the leading on-premises tools. Among the cloud provider-specific services enterprises are using or planning to use this year, Amazon Web Services leads, followed closely by Azure Kubernetes Service (AKS), with Google Kubernetes Engine (GKE) also gaining. Kubernetes (the open source distribution) and Docker remain near the top of the list, but their usage continues to diminish, especially among larger enterprises, in favor of the cloud provider services, even though hybrid cloud and on-premises environments remain in widespread use.

Kubernetes cloud services leave data and security exposures

Kubernetes cloud services are popular because they mitigate, but do not eliminate, the difficulties of operating a Kubernetes environment. Early Kubernetes adopters often mistake its inherent high-availability features and programmatic configuration interfaces for a suitable substitute for traditional backup and disaster recovery (DR) capabilities. This reasoning conflates the ability to automatically restart and replace cluster nodes and to automate cluster configuration and deployment with the ability to reliably restore containerized applications and their data. While these features are invaluable for the scale-out stateless web applications for which Kubernetes was designed, they do not cover the needs of stateful enterprise applications.

The strengths of Kubernetes — self-healing nodes, automated workload deployment and rollback, auto-scaling, and load balancing — reflect its initial design parameters for stateless web services. In contrast, its weaknesses — lack of inherent data backup and DR capabilities and a multi-layer operational model for security and configuration management — require supplementary tools to make Kubernetes a robust enterprise platform.

Why data protection for Kubernetes is needed

Data protection has not always been a concern for containers, as early adopters typically ran stateless web applications or lift-and-shift applications whose storage sat outside the container environment on systems already covered by backup software. However, Kubernetes applications using persistent storage are becoming the norm as enterprises deploy production workloads, not just application development and testing.

There are several reasons why data protection — which includes backups and storage snapshots — should be integral to the production Kubernetes application environment. These reasons or use cases include:

• Human or programmatic error that can accidentally overwrite application or configuration files.

• Security breaches and ransomware that maliciously delete or encrypt data.

• Disasters causing large-scale outages to a facility that make it impossible to reconstitute a Kubernetes application at another location without offsite copies of the image, configuration, and application files.

• Application and environment migrations that require the same access to archived application and configuration data as a disaster recovery.

• Regulatory compliance often requires the periodic and immutable capture of application data. These backups should support retention locks so that they cannot be altered or deleted before the required retention period expires.
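The retention-lock requirement in the last bullet has precise semantics that are worth seeing in code: a locked backup cannot be deleted before its retention date by anyone, including an administrator, and a lock can be extended but never shortened. The following is an added example, not code from the article or from any vendor's product; it models those rules with a hypothetical in-memory `BackupCatalog`, and the backup identifiers and dates are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


class RetentionLockError(Exception):
    """Raised when an operation would weaken or bypass a retention lock."""


@dataclass
class BackupRecord:
    backup_id: str
    created_at: datetime
    retain_until: datetime  # the record is immutable until this instant
    deleted: bool = False


@dataclass
class BackupCatalog:
    """Hypothetical catalog enforcing compliance-style retention locks."""
    records: dict = field(default_factory=dict)

    def add(self, backup_id: str, created_at: datetime, retention: timedelta) -> BackupRecord:
        rec = BackupRecord(backup_id, created_at, created_at + retention)
        self.records[backup_id] = rec
        return rec

    def extend_lock(self, backup_id: str, new_retain_until: datetime) -> None:
        # Locks are one-way: extending is allowed, shortening never is.
        rec = self.records[backup_id]
        if new_retain_until <= rec.retain_until:
            raise RetentionLockError("retention may be extended, never shortened")
        rec.retain_until = new_retain_until

    def delete(self, backup_id: str, now: datetime) -> bool:
        # No caller, privileged or not, may delete a locked backup early.
        rec = self.records[backup_id]
        if now < rec.retain_until:
            raise RetentionLockError(
                f"{backup_id} is locked until {rec.retain_until.isoformat()}")
        rec.deleted = True
        return True


def demo() -> dict:
    """Exercise the lock rules on one constructed backup; returns outcomes."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    catalog = BackupCatalog()
    catalog.add("pg-daily-0001", t0, timedelta(days=30))  # constructed sample
    results = {}
    try:
        catalog.delete("pg-daily-0001", t0 + timedelta(days=1))
        results["early_delete"] = "allowed"
    except RetentionLockError:
        results["early_delete"] = "refused"
    try:
        catalog.extend_lock("pg-daily-0001", t0 + timedelta(days=7))
        results["shorten"] = "allowed"
    except RetentionLockError:
        results["shorten"] = "refused"
    catalog.extend_lock("pg-daily-0001", t0 + timedelta(days=90))
    results["extend"] = "allowed"
    try:
        catalog.delete("pg-daily-0001", t0 + timedelta(days=45))
        results["delete_after_extension"] = "allowed"
    except RetentionLockError:
        results["delete_after_extension"] = "refused"
    results["late_delete"] = (
        "allowed" if catalog.delete("pg-daily-0001", t0 + timedelta(days=91)) else "refused")
    return results


if __name__ == "__main__":
    print(demo())
```

The point of the `extend_lock` check is that ransomware or an erroneous script holding administrator credentials cannot shorten a retention period to make an early delete legal; the only path to deletion is waiting out the lock.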

Why a cloud-based data protection service

Having a cloud-based data protection and disaster recovery service is critical, since it aligns with the growing number of cloud-based managed Kubernetes services like Amazon Elastic Kubernetes Service (EKS), AKS, and GKE. As pointed out above, between 60 and 70 percent of enterprises use or plan to use one or more of the cloud container services, for the same reason that SaaS and other managed cloud services are increasingly popular.

Since Kubernetes does not include native data protection features, organizations migrating virtualized workloads or creating new, microservices-based stateful applications must incorporate data protection and security into their Kubernetes architecture. An effective data protection service should have several properties:

• Be infrastructure and service agnostic, able to work with both on-premises software and cloud-managed services.

• Support the latest Kubernetes distributions and the Kubernetes container storage interface (CSI).

• Expose APIs that enable task automation for continuous integration and continuous delivery (CI/CD) and integrate with existing infrastructure management systems.

• Enable data migration across different Kubernetes cloud and on-premises environments.

• Be proactive in detecting and alerting on suspicious activity and potential data compromise.
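The last property, detecting suspicious activity before data is lost, can be made concrete against the Kubernetes API server audit log, where deletions of persistent-data objects are recorded. Below is an added example, not code from the article or from any product it mentions; it assumes audit events in the standard `audit.k8s.io/v1` JSON-lines format and flags a burst of successful deletions of PVCs or volume snapshots by one identity, as well as any `deletecollection` on those resources. The sample log lines, user names, namespaces and thresholds are constructed for the example.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Resources whose deletion destroys persistent data or its recovery points.
PROTECTED_RESOURCES = {"persistentvolumeclaims", "persistentvolumes",
                       "volumesnapshots", "volumesnapshotcontents"}
DESTRUCTIVE_VERBS = {"delete", "deletecollection"}


def parse_ts(ts: str) -> datetime:
    # Audit timestamps look like 2024-01-15T02:10:03.000000Z.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def detect_destructive_bursts(lines, threshold=3, window=timedelta(minutes=5)):
    """Return alerts for deletion bursts and bulk deletes of protected resources."""
    alerts = []
    recent = defaultdict(deque)  # username -> timestamps of successful deletes
    already_alerted = set()
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ref = ev.get("objectRef") or {}
        if ev.get("verb") not in DESTRUCTIVE_VERBS:
            continue
        if ref.get("resource") not in PROTECTED_RESOURCES:
            continue
        if ev.get("responseStatus", {}).get("code", 0) >= 400:
            continue  # denied or failed requests destroyed nothing
        user = ev["user"]["username"]
        ts = parse_ts(ev["requestReceivedTimestamp"])
        if ev["verb"] == "deletecollection":
            # A collection delete is always worth a ticket, even once.
            alerts.append({"type": "bulk_delete", "user": user,
                           "resource": ref["resource"],
                           "namespace": ref.get("namespace", "<cluster>"),
                           "at": ts.isoformat()})
        q = recent[user]
        q.append(ts)
        while q and ts - q[0] > window:  # slide the window
            q.popleft()
        if len(q) >= threshold and user not in already_alerted:
            already_alerted.add(user)
            alerts.append({"type": "delete_burst", "user": user, "count": len(q),
                           "window_start": q[0].isoformat(), "at": ts.isoformat()})
    return alerts


def _event(ts, user, verb, resource, ns, name, code=200):
    # Constructed audit event in the audit.k8s.io/v1 shape (Metadata level).
    return json.dumps({
        "kind": "Event", "apiVersion": "audit.k8s.io/v1", "level": "Metadata",
        "stage": "ResponseComplete", "requestReceivedTimestamp": ts,
        "verb": verb, "user": {"username": user},
        "objectRef": {"resource": resource, "namespace": ns, "name": name},
        "responseStatus": {"code": code}})


# Constructed sample: one routine delete by a backup agent, then a burst from
# one user account, including a request that RBAC denied (403).
SAMPLE_AUDIT_LOG = [
    _event("2024-01-15T02:00:00.000000Z", "system:serviceaccount:backup:agent",
           "delete", "volumesnapshots", "payments", "pg-snap-20231201"),
    _event("2024-01-15T09:14:01.000000Z", "alice@example.com",
           "delete", "volumesnapshots", "payments", "pg-snap-20240101"),
    _event("2024-01-15T09:14:07.000000Z", "alice@example.com",
           "delete", "volumesnapshots", "payments", "pg-snap-20240108"),
    _event("2024-01-15T09:14:12.000000Z", "alice@example.com",
           "delete", "persistentvolumeclaims", "payments", "pg-data", code=403),
    _event("2024-01-15T09:14:20.000000Z", "alice@example.com",
           "delete", "volumesnapshots", "payments", "pg-snap-20240115"),
    _event("2024-01-15T09:15:02.000000Z", "alice@example.com",
           "deletecollection", "persistentvolumeclaims", "payments", ""),
    _event("2024-01-15T09:16:00.000000Z", "dev@example.com",
           "get", "pods", "payments", "web-1"),
]

if __name__ == "__main__":
    for alert in detect_destructive_bursts(SAMPLE_AUDIT_LOG):
        print(alert)
```

Against the sample log the detector raises one `delete_burst` alert when the third successful snapshot deletion by the same account lands inside the window (the denied request is not counted), and one `bulk_delete` alert for the collection delete. The same logic applies to the alerting feeds of a managed service; the audit log is simply the lowest common denominator available in EKS, AKS and GKE alike.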

Why a purpose-built cloud data protection service?

The data protection tools provided by the cloud services do not capture all of an application’s state or the information held by dependent resources such as databases, and they do not work across on-premises environments or competitors’ clouds. Open source backup tools like Velero are not designed for multi-cloud operations and require a significant amount of manual configuration to accommodate multi-cloud clusters and data restorations. Although tools like Velero are an adequate solution for one cluster, once a Kubernetes environment spreads to multiple clusters it becomes almost impossible to manage. Add in multiple cloud platforms and the complexity becomes untenable.

The existing Kubernetes services and management software treat data protection as a separate problem, despite it being a necessary part of a cloud-native enterprise architecture. Further, enterprise Kubernetes applications may have data and infrastructure-as-code dependencies that are external to the Kubernetes environment. And because of the growing use of hybrid and multi-cloud environments, a purpose-built data protection product is needed that is agnostic to the cloud and Kubernetes management platform, supports multi-cloud and multi-region data storage, supports CI/CD methodologies, and enables data migration across environments.
