
The State of Kubernetes Open Source Security


October 2022
Table of Contents

Introduction and Key Findings ............ 3
Survey Report Findings ............ 7
K8S Security – Usage of Open Source vs. Commercial ............ 8
Open Source vs. Commercial - Preferences for K8S Security Solutions ............ 9
Number of Open Source K8S Security Tools in Use ............ 10
Open Source is Used Widely for K8S Security ............ 11
Biggest Challenges Using Proprietary K8S Security Solutions ............ 12
Top Challenges Using Open Source for K8S Security Solutions ............ 13
Complexity of Integrating K8S Security Solutions into Existing Stack ............ 14
Who Owns vs. Who Should Own K8S Security? ............ 15
Ownership of K8S Security in the Organization by Titles ............ 16
Level of Confidence in the Organization's K8S Security Expertise ............ 17
Is K8S an Independent Practice or a Subset of Broader Cloud Security? ............ 18
The Biggest Challenges Faced with K8S Security ............ 19
Scanning Frequency for K8S Vulnerabilities and Misconfigurations ............ 20
Time to Fix Misconfigurations and Vulnerabilities ............ 21
Knowledge for Handling K8S Security – Developers vs. Security Teams ............ 22
Top K8S Security Concerns ............ 23
Roles of K8S Security Tools in Regulation Compliance Requirements ............ 24
Demographics ............ 25
About ARMO ............ 27

Introduction and Key Findings
Introduction & Methodology

Open source software — where the original source code is made available for public use and can be modified and
redistributed at will — is becoming increasingly popular across many different areas of business. Developers are reaping
the benefits of transparency and visibility into the code that they use, and the ability to contribute and be part of the
code’s evolution, too.
Kubernetes, also known as K8s, is an open-source system for automating the deployment, scaling and management of containerized applications. It is now ubiquitous in cloud-native environments and has become a de facto standard for organizations that work in the cloud. According to CNCF research, 96% of organizations are either using or evaluating Kubernetes, more than at any other time since they began collecting data in 2016. As an increasing number of organizations move to Kubernetes, more and more attackers are making it their target.
With this survey, our goal is to understand how these two trends, increased open-source adoption in general and increased use of Kubernetes in particular, work in tandem. How are companies using open source tools to secure their Kubernetes environments?
Today’s DevOps teams are forced to make a difficult choice between two realities. They can attempt to integrate several fragmented open-source tools together, which adds complexity to the monitoring and management of the Kubernetes environment and requires significant effort to get a single view. Alternatively, they can commit to a proprietary solution that they can’t adapt, and where they can’t access the code, influence the roadmap or contribute to its future. We asked respondents how they manage the relationship between these two approaches, and what challenges they are facing as a result.
Methodology
To get a deeper understanding of the relationship between open source and K8S security, we commissioned a survey of 200
Kubernetes users in companies that ranged in size from under 100 employees to more than 5,000. The survey was
completed by Global Surveyz, an independent survey company, and took place during July and August 2022.
The survey respondents are software developers and stakeholders from cybersecurity, DevOps and DevSecOps teams: 57% from North America, 29% from Europe, and 14% from APAC. The respondents were recruited through a global B2B research panel and invited via email to complete the survey. The average amount of time spent on the survey was 6 minutes and 49 seconds. The answers to the majority of the non-numerical questions were randomized in order to prevent order bias.

Key Findings

1 Over half of companies are using open source for Kubernetes security
55% of respondents are using open source for K8S security, either as a standalone solution or in a hybrid setup alongside a proprietary solution. Open source is used widely across all areas of security, especially for service meshes, where, thanks to CNCF-led projects, more oversight and support is available.

2 Almost a quarter are using 5 or more open source tools
Respondents highlighted the main challenge for proprietary solutions as a lack of oversight, visibility and control – calling these tools a “black box.” Because of these limitations, many turn to open source solutions. However, respondents are forced to onboard multiple open source tools, as no one solution provides it all. On average, companies are using 3.6 open source tools for K8S security, while just 17% are using a single open source tool.

3 Integration challenges are a major inhibitor of open source technology
As well as the challenge of handling multiple tools, open source has additional challenges – especially with integration. 62% say that open source is difficult to integrate with other DevOps tools, and 69% admit it’s difficult or very difficult to integrate with their existing K8S stack. These problems are exacerbated by the fact that open source by nature usually has limited support and guidance.

4 DevSecOps owns K8S security. But who are they, really?
The majority of respondents agree that K8S security belongs with DevSecOps, but this raises another question – where does DevSecOps live within the org? When we break down responses by role, the majority of Security teams believe they should hold responsibility, while DevOps believe DevSecOps is their own domain. As K8S security matures, the market will need to gain greater clarity around ownership.

5 Scanning and fixing misconfigurations: Perception vs reality
Most organizations have good practices in place when it comes to scanning and fixing misconfigurations and vulnerabilities in K8S. For example, 95% are scanning at least weekly. However, VP/C-level executives appear to have a somewhat skewed perception, with 38% believing scans are completed every few hours, compared to under 20% of the more hands-on members of the team.

6 Top K8S security challenges center around integration
The top challenges for companies with K8S security can all be tied back to issues with integration. For example, 68% of teams are facing too many alerts, which is a common problem when you have more tools than you need, while 62% directly call out fragmented solutions as a top issue in their K8S security. The third challenge is that security is interfering with the business’ agility and time to market, suggesting it isn’t integrated at early stages, but rather inhibiting progress later in the DevOps lifecycle.

Survey Report Findings
K8S Security – Usage of Open Source vs. Commercial

Over half (55%) of companies are using open source for their Kubernetes security, either alone or to complement their proprietary solution. When looking at regional breakdowns, Europe is adopting open source as a standalone solution in greater numbers than APAC and North America.
It's clear that companies are attempting to have it all, recognizing that they may need commercial solutions for the benefits they offer, but they don’t want to lose the visibility, transparency and influence they gain by utilizing open source technology.
As there is no complete end-to-end open source Kubernetes security solution available, companies are forced to turn to proprietary solutions for official support, to fill the gaps, and to ensure ease of adoption.

Figure 1: Kubernetes Security – Usage of Open Source vs. Commercial
All responses: Only Open Source 21%; Both Open Source and Commercial 34%; Commercial Only 46% (Using Open Source: 55%; Using Commercial: 80%)
By region (Only Open Source / Both / Commercial Only): North America 15% / 39% / 46%; Europe 24% / 32% / 44%; APAC 12% / 40% / 48%

Open Source vs. Commercial - Preferences for K8S Security Solutions

Given the option to choose, 49% would prefer to use only commercial solutions for K8S security, 14% would prefer to use only open source and 37% prefer a mixture of the two. This means that 51% would prefer to use at least some open source.

Figure 2: Preferences Towards Open Source vs. Commercial Solutions for Kubernetes Security
Commercial Only: 49%
Open Source Only: 14%
Open Source + Commercial: 37%
(Prefer to use open source in some form: 51%)

Number of Open Source K8S Security Tools in Use

Companies have an average of 3.6 open source tools in use for K8S security. Overall, just 17% are using a single open source tool. This is because there is no one open source K8s security tool that can do it all! To use open source effectively means using more than one technology and aggregating the integration, management and mitigation of risks across the different tools.

Figure 3: Number of Open Source Kubernetes Security Tools in Use (weighted average: 3.6 tools)
1 tool: 17%
2-4 tools: 60%
5-8 tools: 24%
(Using multiple open source tools: 84%)
*Percentages do not add up to 100% due to rounding of numbers

Open Source is Used Widely for K8S Security

We asked respondents in which areas they are using their Kubernetes security solutions. In all areas, open source is used, either exclusively or in combination with commercial solutions.
The top areas where open source is used are service mesh (32%), network policy/microsegmentation (24%), and misconfiguration scanning (24%). One possible explanation is that several service mesh solutions are CNCF-led graduated projects (such as Linkerd), giving users greater oversight and more support, which may explain their wider adoption rates.
As for proprietary/commercial solutions only, the top areas where this approach is used are vulnerability scanning (51%), secrets protection (51%), and runtime security (51%).

Figure 4: Open Source Usage for K8S Security by Area of Usage (Open Source / Open Source + Commercial / Commercial Only)
Service mesh: 32% / 21% / 47%
Network policy / microsegmentation: 24% / 28% / 48%
Misconfiguration scanning: 24% / 28% / 48%
Admission controller: 24% / 28% / 49%
Runtime security: 23% / 27% / 51%
Vulnerability scanning: 23% / 26% / 51%
Secrets protection: 23% / 26% / 51%
RBAC (role-based access control): 22% / 31% / 47%

Biggest Challenges Using Proprietary K8S Security Solutions

97% of respondents have challenges when it comes to using proprietary Kubernetes security solutions.
The top challenge with proprietary solutions is that they are a “black box” (69%), where users have zero or limited control and ability to contribute or engage in discussions, and lack oversight and visibility into the code and its roadmap.
This is followed by complex pricing, meaning the price is hard to understand or predict (62%), and solutions that are too expensive (47%).

Figure 5: Biggest Challenges of Using Proprietary Kubernetes Security Solutions
It’s a “Black box”: 69%
Complex pricing: 62%
Expensive: 47%
No community support: 14%
Can’t influence the roadmap: 4%
No access to code and can’t contribute: 1%
There are no challenges: 3%
*Question allowed more than one answer and as a result, percentages will add up to more than 100%

Top Challenges Using Open Source for K8S Security Solutions

95% of respondents admit to having challenges when it comes to using open source solutions for K8S security.
The top challenges are integration with other DevOps tools (62%), managing Kubernetes (51%), and setting up Kubernetes (45%).
For open source Kubernetes security solutions to thrive, they will need to support better integration with the existing DevOps technology stack, as well as be easier to set up initially and to manage on an ongoing basis. Without these benefits, open source adoption will continue to be inhibited.

Figure 6: Top Challenges Using Open Source for Kubernetes Security Solutions
Hard to integrate with other DevOps tools: 62%
Hard to manage: 51%
Hard to set up: 45%
No support: 21%
Too limited, only solving narrow parts of the problem: 15%
There are no challenges: 5%
*Question allowed more than one answer and as a result, percentages will add up to more than 100%

Complexity of Integrating K8S Security Solutions into Existing Stack

69% said it is difficult to integrate Kubernetes security solutions into their existing Kubernetes stack. Only 31% found it easy or requiring a regular level of difficulty to integrate.
This could be partly explained by the use of multiple open source tools, as noted above. The more tools that have to work together, the more challenging integration can become.

Figure 7: Level of Complexity to Integrate Kubernetes Security Solutions into Existing Stack
Easy: 5%
Regular level of integration: 26%
Difficult: 52%
Very difficult: 17%
(Difficult to very difficult: 69%)

Who Owns vs. Who Should Own K8S Security?

Looking at who owns Kubernetes security in their organization vs. who they think should own this area of the business, we see DevSecOps take the top spot in both cases: 58% say DevSecOps currently own this practice, and 63% believe it should.
However, there is still a lack of maturity and understanding for the term “DevSecOps”, and we didn’t ask what the DevSecOps function looks like in each company, for example where it sits in the org chart, or who it reports to. These answers will vary from organization to organization, and while it is likely that DevSecOps will become part of the security function moving forward, it is currently still unclear.

Figure 8: Who Owns and Who Should Own Kubernetes Security? (Owns / Should Own)
DevSecOps: 58% / 63%
Security: 29% / 28%
DevOps: 7% / 5%
Developers: 5% / 5%
Ops: 2% / 0%

Ownership of K8S Security in the Organization by Titles

We looked at who currently owns Kubernetes security in the organization today by different titles within the business.
We see gaps between how DevOps, Security stakeholders and IT people see this issue, showing there is a clear issue in terms of Kubernetes security ownership.
Kubernetes security is still a relatively young practice (only a few years old), and over the next few years the market is likely to decide where it resides within the business, whether that’s DevOps or Security.

Figure 9: Ownership of Kubernetes Security in the Organization
All responses: DevSecOps 58%; Security 29%; DevOps 7%; Developers 5%; Ops 2%
Breakdown panels by respondent group: According to IT; According to Security; According to DevOps

Level of Confidence in the Organization's K8S Security Expertise

78% are very to extremely confident in their organization’s Kubernetes security expertise.
This high number could be a reflection of strict security practices. Perhaps, though, some organizations may be unfamiliar with the complete threat environment for Kubernetes-based security, as it is a relatively new and diverse practice where expertise is hard to come by.

Figure 10: Levels of Confidence in the Organization's Kubernetes Security Expertise
Extremely confident: 9%
Very confident: 69%
Confident (Medium): 22%
Low confidence: 1%
(Very to extremely confident: 78%)

Is K8S an Independent Practice or a Subset of Broader Cloud Security?

97% view Kubernetes security as a subset of broader cloud security rather than its own independent practice.
Kubernetes security is a young and growing practice, and it will be interesting to see whether its unique demands and challenges see it develop into its own independent security practice as it matures.

Figure 11: Kubernetes Security Perceptions as an Independent Practice vs. a Subset of Broader Cloud Security
Subset of broader cloud security: 97%
“Independent” practice: 3%

The Biggest Challenges Faced with K8S Security

The top challenges faced with Kubernetes security are too many alerts (68%), solutions that are too fragmented (62%), and security interfering with the organization’s agility and time-to-market (54%).

Figure 12: The Biggest Challenges Faced with Kubernetes Security
Too many alerts: 68%
Solutions are too fragmented: 62%
Security is interfering with agility and time-to-market: 54%
Too complicated: 51%
No comprehensive solutions: 47%
Lack of resources: 7%
No bandwidth: 5%
Lack of skills and knowledge: 3%
We have no challenges: 1%
*Question allowed more than one answer and as a result, percentages will add up to more than 100%

Scanning Frequency for K8S Vulnerabilities and Misconfigurations

95% of respondents said they are scanning at least weekly for Kubernetes vulnerabilities and misconfigurations. This means that most organizations are following good security practice and keep good hygiene in their Kubernetes environments.
However, when looking at the breakdown of answers by seniority, we see a striking difference between the perception and reality of VP and C-level executives (Figure 14). These executives overestimate the frequency of scanning, with 38% believing it’s done every few hours. In contrast, only between 10-19% of those “in the trenches” agree.

Figure 13: Scanning Frequency for K8S Vulnerabilities and Misconfigurations
Every few hours: 16%
Every day: 62%
Every week: 16%
Bi-weekly: 4%
Monthly: 1%
Upon major changes: 1%
(At least weekly: 95%)

Figure 14: “Every Few Hours” by Job Seniority
All Responses: 16%; VP+C: 38%; Team members, Managers and Directors: between 10% and 19%

Time to Fix Misconfigurations and Vulnerabilities

We asked how often the misconfigurations and vulnerabilities that have been found get fixed. 98% said every week or more frequently.

Figure 15: Time to Fix Misconfigurations and Vulnerabilities
As soon as they are found: 51%
Daily: 45%
Weekly: 2%
Bi-weekly: 1%
Monthly or less: 1%
(At least weekly: 98%)

Knowledge for Handling K8S Security – Developers vs. Security Teams

We asked respondents if they believe that their developers and security teams are knowledgeable enough about security to effectively handle the security of their organization’s Kubernetes environments.
Only 10% consider their developers and security teams to be experts. This is unsurprising as it’s still a young practice which is very complex, and it requires expertise that not many have had time to amass.

Figure 16: Level of Developers’ Knowledge About Security for Handling Kubernetes Environments (Developers / Security Teams)
Not at all knowledgeable: 0% / 0%
Low level of knowledge: 0% / 2%
Medium level of knowledge: 21% / 20%
High level of knowledge: 69% / 68%
Expert level of knowledge: 10% / 10%

Top K8S Security Concerns

Top Kubernetes security concerns are identifying potential malware and attacks in the production environment (100%), preventing malware and attacks (100%), and checking their environment for misconfigurations (95%).
It's important to think about runtime security versus security posture. While the first two concerns relate to runtime security, misconfigurations, for example, are part of maintaining a strong security posture.
Enforcing policies may currently be seen as more of a management issue than a security issue, but it could be a serious security blind spot if it isn’t made a greater priority for today’s businesses.

Figure 17: Top Kubernetes Security Concerns
Identify potential malware and attacks in my production environment: 100%
Preventing malware and attacks: 100%
Checking my environment for misconfigurations: 95%
Deploying network policies or network segmentation: 86%
Searching and detecting SW vulnerabilities: 84%
Enforcing policies on what I want to allow to run in my environment: 40%
Validating images running in my environment: 23%
*Question allowed more than one answer and as a result, percentages will add up to more than 100%

Roles of K8S Security Tools in Regulation Compliance Requirements

The primary roles of Kubernetes security tools in relation to regulatory compliance requirements are preventing vulnerable containers (71%), producing periodic inventory reports (66%), and verifying least privilege rights (31%).

Figure 18: Roles of Kubernetes Security Tools in Regulation Compliance Requirements
Prevent vulnerable containers: 71%
Produce periodic inventory reports: 66%
Verify least privileged rights: 31%
Enforce least privileged rights: 18%
Enforce network segmentation: 14%
*Question allowed more than one answer and as a result, percentages will add up to more than 100%

Demographics
Country, Department, Role, Seniority & Company Size

Figure 19: Country
North America: 57%
Europe: 29%
APAC: 14%

Figure 20: Department
DevOps: 40%
Cyber security: 36%
IT: 24%
R&D/Engineering: 1%

Figure 21: Role
Cyber security: 36%
DevOps: 35%
DevSecOps: 23%
Software Developer: 7%

Figure 22: Seniority (Manager, Director, Team Member, Specialist, Analyst, VP/Head, SME, C-suite)
Figure 23: Company Size (< 100, 100-199, 200-249, 250-999, 1,000-4,999, 5,000+ people)

About ARMO

ARMO, the creators of Kubescape, is building the first end-to-end open-source Kubernetes security platform, made for DevOps.
Our patented technology and open-source solutions fit natively within the CI/CD pipeline and existing development tools, assuring DevOps, DevSecOps, and developers that every Kubernetes cluster, container, and microservice is born and remains secure, from development to production and from configuration to run-time, every time.
Kubescape scans Kubernetes clusters, manifest files (e.g. YAML, Helm), code repositories, container image registries, worker nodes and API servers, detecting misconfigurations according to multiple frameworks (such as NSA-CISA, MITRE ATT&CK and more), and isolating software vulnerabilities and RBAC (role-based access control) violations at early stages of the CI/CD pipeline. It also calculates a risk score instantly and shows risk trends over time.
• Join the discussion on Discord - https://discord.gg/DWv4gPgCzU
• Get involved on Kubescape GitHub page - https://github.com/kubescape/kubescape
• Follow us on Twitter - https://twitter.com/armosec
• Sign up for Kubescape cloud (free forever for up to 10 worker nodes) -
https://cloud.armosec.io/account/sign-up
