Open source tools are a key part of the Kubernetes security environment, with most companies using open source Kubernetes security software, research by ARMO has revealed. In a survey of The State of Kubernetes Open Source Security, 55% of respondents said they used at least some open source tools to keep their Kubernetes clusters safe; this includes those who use purely open source and those mix open source and proprietary solutions.
The research revealed it is very common to use more than one open source security offering. Almost a quarter of respondents use five or more different open source security tools for Kubernetes. Many open source tools only do one security-related task, forcing the use of multiple tools to get comprehensive coverage.
However, this mixed approach poses challenges, especially with integration. Users find open source security solutions are difficult to integrate with other DevOps tools (62%), to manage (51%) and to set up (45%). Digging deeper, 69% admit it’s difficult or very difficult to integrate open source security tools into their existing Kubernetes stack. These challenges may be exacerbated by the fact that open source tools, by their nature, often have limited documentation, support and guidance.
This fractured security environment can lead to other problems. 68% of practitioners cited “too many alerts” as one of their biggest challenges with Kubernetes security, alongside overly fragmented solutions (62%), complexity (51%) and the lack of comprehensive solutions (47%). The other major problem raised was that security interferes with agility and time-to-market (54%).
However, proprietary solutions have challenges too. 69% of respondents mentioned that proprietary security tools are “black boxes”, giving users little insight into how they work and how they are coded, and making them harder to modify to a company’s unique needs. Other challenges related to cost, with 62% noting the complex pricing models of paid Kubernetes security solutions and 47% citing the sheer expense.
The survey revealed significant consensus around responsibility for Kubernetes security, with 58% saying it was a DevSecOps responsibility and 63% saying it should be — this does suggest some misalignment in practice. However, this raises the question of what DevSecOps is, precisely, and where it sits in an organization, whether as a subdiscipline of DevOps or a Dev and Ops focused role inside security.
“Open source tools are free, flexible and transparent, but they still tend to be narrow, doing only one thing very well,” said Craig Box, VP Open Source at Armo. “This survey shows that even organizations who use expensive black-box proprietary solutions often choose to use some open source options too. Another approach some companies are taking is to cobble together full Kubernetes security coverage from multiple tools, but then they run into integration challenges and can find themselves buried in alerts.”
The survey was conducted by Global Surveyz in July–August 2022. Respondents were 200 Kubernetes users in companies that ranged in size from >100 to 5,000+ employees. All were software developers or stakeholders from cybersecurity teams, DevOps and DevSecOps. 57% of respondents were from North America, 29% in Europe, and 14% in APAC.