Wiz CLI and Wiz Admission Controller enable developers to leverage a single security policy throughout the software pipeline for cloud-native environments.
# Best Practices: Operationalizing Kubernetes Security Shift Left with Admission Control
## Overview
These practices focus on integrating security controls earlier in the Software Development Lifecycle (SDLC)—specifically at the Kubernetes deployment phase—to prevent insecure configurations from reaching production environments. This is achieved primarily through the use of a Kubernetes Admission Controller integrated with a unified security policy platform.
## Key Recommendations
### Immediate Actions
1. **Deploy the Admission Controller:** Immediately deploy and enable the security Admission Controller within your Kubernetes clusters to begin enforcing policies at resource creation/modification time.
2. **Establish Centralized Change Monitoring:** Configure the platform to centrally view all attempted resource changes (create/update) and immediately review any admission policy failures to identify common misconfigurations.
3. **Enable Basic Privilege Blocking:** Configure initial fine-grained policies to immediately block deployments exhibiting highly risky behaviors, such as enabling unrestricted, privileged system-level calls or granting read/write access to highly sensitive directories.
### Short-term Improvements (1-3 months)
1. **Implement Unified Policy Framework:** Utilize a single, unified policy framework (like Wiz Guardrails) that spans the CI/CD pipeline (via CLI scanning) and deployment time (via Admission Controller) to ensure consistent security language across development and security teams.
2. **Configure Event-Based Alerting:** Configure rules based on Admission Controller generated cloud events to identify suspicious activities, such as potential brute-force attacks against the Kubernetes API, and set up immediate alerts for these critical events.
3. **Integrate Developer Feedback Loop:** Ensure the centralized view of policy failures is easily accessible to development teams, enabling rapid feedback and iteration on insecure deployments within the development cycle.
### Long-term Strategy (3+ months)
1. **Develop Custom Security Alerts:** Leverage the platform's capabilities (e.g., Wiz CDR) to define custom alerts based on specific, high-severity admission controller events to proactively hunt for novel threats or complex policy violations.
2. **Maturity Assessment:** Review admission policy failure rates quarterly to assess the effectiveness of upstream "shift left" scanning (CLI scans) and identify areas where developer training or infrastructure-as-code policies need improvement to reduce deployment-time rejections.
3. **Build Cross-Team Trust:** Establish regular meetings between security and engineering teams, using the centralized platform data, to foster a shared security understanding and minimize perceived security bottlenecks.
## Implementation Guidance
### For Small Organizations
- **Focus on Defaults:** Start by enforcing a strict "deny-by-default" posture for critical resource types (Pods, Deployments) using a baseline, curated set of security policies to minimize initial configuration overhead.
- **Leverage Central View:** Use the centralized admissions review page as the primary tool for auditing and identifying initial widespread configuration drift, prioritizing remediation based on failure frequency.
### For Medium Organizations
- **Phased Rollout:** Implement the Admission Controller in audit mode first for a set of non-critical clusters, then gradually shift to enforcement mode for critical services once policy tuning is complete.
- **Policy Granularity:** Define role-based access controls (RBAC) around policy definition and enforcement, ensuring that only authorized security personnel can create/modify the core enforcement policies.
### For Large Enterprises
- **Segmented Policy Enforcement:** Develop and enforce distinct, segmented security policies based on the environment (e.g., Development vs. Production) and application criticality, leveraging the fine-grained control capabilities.
- **API Integration:** Integrate the standardized security insights (policy failure data) from the admission controller into existing ticketing and orchestration systems to automate remediation workflows for high-volume engineering teams.
## Configuration Examples
*(Note: Specific platform commands are redacted as they require proprietary account access, but the configuration goals are defined below.)*
* **Fine-Grained Control Example (Policy Goal):** Configure the Admission Controller to **DENY** any Pod specification that attempts to set `hostPID: true` or mounts the `/etc` directory with read/write access unless explicitly approved via a specific exception label.
* **Event Rule Example (Alerting Goal):** Configure a high-severity alert rule that triggers immediately whenever five or more API requests targeting the Kubernetes API server fail admission validation checks within a 60-second window, indicating potential automated scanning or attack.
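The two goals above, written out as an added, runnable illustration (this is not Wiz's code and does not use any Wiz API): `evaluate_pod` applies the fine-grained rule to a Pod manifest in the standard Kubernetes JSON shape (`spec.hostPID`, `spec.volumes[].hostPath`, `containers[].volumeMounts[].readOnly`), and `AdmissionFailureAlerter` applies the five-failures-in-60-seconds rule over the resulting denials. The exception label name `security.example.com/hostpid-exception` and the sample Pods are constructed for the example; a real deployment would express the first rule in the platform's policy language and the second in its event-rule engine.

```python
"""Added example: a toy admission check plus a sliding-window alert over denials."""
from collections import deque
from datetime import datetime, timedelta, timezone

# Assumed label name for the explicit exception; not defined by the page or by Wiz.
EXCEPTION_LABEL = "security.example.com/hostpid-exception"
SENSITIVE_HOST_PATHS = ("/etc",)


def _host_paths_by_volume(pod: dict) -> dict:
    """Map volume name -> hostPath.path for every hostPath volume in the Pod."""
    paths = {}
    for vol in pod.get("spec", {}).get("volumes", []):
        host_path = vol.get("hostPath")
        if host_path:
            paths[vol["name"]] = host_path.get("path", "")
    return paths


def evaluate_pod(pod: dict) -> dict:
    """Return an AdmissionReview-style verdict: {"allowed": bool, "reasons": [...]}."""
    reasons = []
    labels = pod.get("metadata", {}).get("labels", {})
    spec = pod.get("spec", {})
    excepted = labels.get(EXCEPTION_LABEL) == "approved"

    if spec.get("hostPID") is True and not excepted:
        reasons.append("spec.hostPID=true without an approved exception label")

    host_paths = _host_paths_by_volume(pod)
    for container in spec.get("containers", []) + spec.get("initContainers", []):
        for mount in container.get("volumeMounts", []):
            path = host_paths.get(mount["name"])
            if path is None:
                continue  # not a hostPath volume
            # Normalise trailing slashes; a subpath such as /etc/ssl is still /etc.
            norm = path.rstrip("/") or "/"
            sensitive = any(norm == p or norm.startswith(p + "/") for p in SENSITIVE_HOST_PATHS)
            if sensitive and not mount.get("readOnly", False) and not excepted:
                reasons.append(f"container {container['name']} mounts host path {path} read/write")
    return {"allowed": not reasons, "reasons": reasons}


class AdmissionFailureAlerter:
    """Fire when at least `threshold` denials fall inside one `window_seconds` window."""

    def __init__(self, threshold: int = 5, window_seconds: int = 60):
        self.threshold = threshold
        self.window = timedelta(seconds=window_seconds)
        self.events = deque()  # timestamps of denials, oldest first

    def record_denial(self, ts: datetime) -> bool:
        self.events.append(ts)
        while self.events and ts - self.events[0] > self.window:
            self.events.popleft()  # drop denials that aged out of the window
        return len(self.events) >= self.threshold


def make_pod(name: str, host_pid: bool = False, etc_mount: str = None, excepted: bool = False) -> dict:
    """Build a constructed sample Pod; etc_mount is None, "rw" or "ro"."""
    labels = {EXCEPTION_LABEL: "approved"} if excepted else {}
    container = {"name": "app", "image": "example/app:1.0", "volumeMounts": []}
    volumes = []
    if etc_mount:
        volumes.append({"name": "host-etc", "hostPath": {"path": "/etc"}})
        container["volumeMounts"].append(
            {"name": "host-etc", "mountPath": "/host/etc", "readOnly": etc_mount == "ro"})
    spec = {"containers": [container], "volumes": volumes}
    if host_pid:
        spec["hostPID"] = True
    return {"metadata": {"name": name, "labels": labels}, "spec": spec}


def run_demo() -> tuple:
    """Replay a constructed burst of five hostPID Pods then one safe Pod, five seconds apart."""
    alerter = AdmissionFailureAlerter()
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    denied, fired = 0, False
    for i in range(6):
        pod = make_pod(f"scan-{i}", host_pid=True) if i < 5 else make_pod("legit")
        verdict = evaluate_pod(pod)
        if not verdict["allowed"]:
            denied += 1
            fired = alerter.record_denial(t0 + timedelta(seconds=5 * i)) or fired
    return denied, fired


if __name__ == "__main__":
    print(evaluate_pod(make_pod("rw-etc", etc_mount="rw")))
    print(run_demo())
```

The alert rule keeps only timestamps inside the trailing window, so a steady trickle of one denial per minute never fires while a burst does; tuning `threshold` and `window_seconds` is where the audit-mode data from the phased rollout above earns its keep.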
## Compliance Alignment
- **NIST CSF:** Identify/Protect/Detect/Respond (Focus on Protect functions via preventative controls at deployment).
- **ISO 27001:** A.14 (System Acquisition, Development, and Maintenance - specifically controlling changes to deployed systems).
- **CIS Benchmarks for Kubernetes:** Directly supports hardening objectives by preventing deployment of insecure workloads and configurations.
## Common Pitfalls to Avoid
- **Policy Misconfiguration in Production:** Never deploy the Admission Controller directly into enforcement mode across all critical production clusters without prior rigorous testing in staging environments using audit logs.
- **Ignoring Audit Data:** Failing to review the centralized view of admission failures leads to missed opportunities to fix policy violations upstream, effectively negating the "shift left" value.
- **Over-Enforcement:** Setting policies too restrictively at the outset halts developer velocity and leads to security teams being bypassed entirely (shadow IT). Start permissive, then tighten.
- **Siloed Policy Management:** Managing Kubernetes configuration security policies separately from container image scanning policies, undermining the goal of a unified security framework.
## Resources
- Wiz Admission Controller Documentation (Login Required): [Wiz Docs - Wiz AC Overview]
- Wiz Security Platform Solutions: [Wiz Container and Kubernetes Security Solution Page]
- Educational Material on Security Strategy: [Wiz Academy - Shift Left Security]