Build securely with Snyk and GKE Autopilot

Speak with any customer in tech and the word Kubernetes will surely find its way into the conversation at some point or another. In terms of orchestration, automating deployments, scaling, managing containerized applications to meet growing customer demand, Kubernetes provides users with extensibility and flexibility. This key benefit of Kubernetes technology, or K8s for short, alongside the fact that K8s was developed running production workloads at Google, is the reason the industry has seen such broad adoption for it.

Google Kubernetes Engine (GKE) was built with Google’s unique spirit of innovation to provide customers with a managed service to run Kubernetes workloads on Google Cloud. With the recent release of GKE Autopilot, customers benefit from achieving increased operational efficiency through a new mode of operation that reduces operational costs and provides optimized cluster configurations that adhere to best practices, scale, and support production workloads.

Modern applications

In the context of building modern applications, there are various layers associated with what constitutes the application. For example, any containerized workload is likely to include at least four different elements such as the container image, application code, open source dependencies, and application configuration. Each of these layers presents a potential vector for a bad actor to take advantage of vulnerabilities, exploits, and misconfigurations.

The Snyk platform is designed to help developers build software securely across the cloud native application stack, including code, open source, containers, Kubernetes, and infrastructure as code (IaC).

Comprehensive security

Gaining visibility into potential vulnerabilities in your application that span the various layers is just a starting point. Snyk provides developers with actionable insights that fulfill the basic requirements of providing visibility as well as prioritization and remediation advice.  Finding security issues is good, but having a reliable path to fixing them is better. Snyk scales security capabilities by enabling developers to eliminate vulnerabilities in container images, either having them upgrade to a more secure base image or rebuild the app when the base image is outdated.

Snyk brings application and container vulnerabilities together. You may not always have access to the original source code that runs in your containers, but vulnerabilities in your code dependencies are still important to understand. Snyk can detect and monitor open source dependencies for popular languages as part of the container scan as well as misconfigurations of your Kubernetes manifests.

Scanning workloads

Snyk is available in the Google Cloud Marketplace today. Customers on a Snyk Business or Enterprise plan can easily enable our Kubernetes integration and begin securing their workloads on GKE, including Autopilot clusters, in just a few clicks. In this post, we'll guide you through the process of provisioning a GKE Autopilot cluster as well as deploying a sample application and snyk-monitor Helm chart.

So let’s go through some examples of basic steps you could run in a terminal or Cloud Shell to deploy Snyk Container on GKE Autopilot.

Create the namespace

1kubectl create namespace snyk-monitor

Create the secret

1kubectl create secret generic snyk-monitor -n snyk-monitor \    
2  --from-literal=dockercfg.json={} \
3  --from-literal=integrationId=abcd1234-abcd-1234-abcd-1234abcd1234

Add the Helm repo

1helm repo add snyk-charts https://snyk.github.io/kubernetes-monitor/ --force-update

Install the chart

1helm upgrade --install snyk-monitor snyk-charts/snyk-monitor \
2  --namespace snyk-monitor \
3  --set pvc.enabled=true \
4  --set pvc.create=true \
5  --set pvc.name="snyk-monitor-pvc" \
6  --set clusterName="my-cluster" \
7  --set nodeAffinity.disableBetaArchNodeSelector=true \
8  --set requests.memory="512Mi" \
9  --set requests."ephemeral-storage"="50Gi" \
10  --set limits."ephemeral-storage"="50Gi"

Running these commands will result in a deployment of Snyk on GKE Autopilot where workloads can be scanned and monitored with Snyk.

Review findings

Projects monitored by Snyk will provide you with a summary report that shows a high-level view of the various layers of your application, along with total vulnerability counts grouped according to their severity. In this case, we see two Kubernetes deployments associated with a sample application that include information on the container image as well as the open source dependencies in the application code.

If we drill deeper into one of the deployments, we are able to see an expanded view where additional information is provided. For example, we can review rich contextual data on the vulnerabilities found in our application as well as misconfigurations in our Kubernetes manifests. Thanks to GKE Autopilot’s built-in optimizations, we immediately reduce some misconfigurations by automatically applying memory and CPU limits at time of deployment. Our example manifest file intentionally omitted defining a security context, but Kubernetes security best practices and the proficiency to apply them varies across customers, making it all the more important to give provide visibility into these issues, and more importantly, recommendations on how to resolve them.

Drilling into the security findings for the container image used by our application gives developers a quick path to remediation by providing a recommendation on a suitable upgrade path. Developers can quickly make an informed decision on which image is suitable for mitigating security issues.

These findings, along with Software Composition Analysis (SCA) results, provide developers with comprehensive coverage across the various layers of the modern cloud native application.

The Snyk Code AI engine, which uses a special process that combines machine learning from millions of open source commits and human-in-the-loop feedback from the Snyk Security Research team, helps make the report that much more robust.

Conclusion

The Snyk platform works seamlessly with GKE Autopilot: a revolution in managed Kubernetes. Customers can quickly get started securing workloads on GKE Autopilot with Snyk Container's Kubernetes integration and can leverage Snyk CLI with Google Cloud Build, as well as integrations with Google Container Registry, Google Artifact Registry, and one of the several Snyk Git repository SCM integrations.

To learn more about how to build Kubernetes workloads securely, sign up for a free Snyk account!