State of Kubernetes Security Report

in DevOps , Kubernetes , DevSecOps


Adopting containers and Kubernetes in production increases security threats mostly from human error, and vulnerabilities of all sorts cripple the confidence organisations have in their production environment. This annual report, initially conducted by Stackrox and now acquired by Redhat, explores the Kubernetes and container market, focusing on security-as, the leading challenge faced with the technologies.

    The report questions Kubernetes and cloud native professionals to assess the rate of adoption of the technologies and the security challenges accompanied by them.

    This year's edition presents survey results from over 500 respondents, with the majority of them being product development, engineering, and operations personnel.

    25% of the respondents work in companies with 1-100 company size while 24% and 21% work in companies within the sizes of 101-1000 and 10,000+ respectively- with preponderance (54%) of the companies in the Education industry.

    For the 2021 edition, this is a compendium of the important findings from the respondents.

    Security concerns strongly inhibit the fast deployment

    Image courtesy: Image courtesy:

    The last State of Kubernetes Security report was released during winter last year. Still, nothing has seemed to change in organizations' confidence concerning the security of containers, Kubernetes, and cloud native technologies in production. It appears that more organizations are losing faith in the safety of their containers.

    Compared to 44% recorded in the previous year, 55% of the survey respondents agree that they have delayed or slowed down the deployment of an application into production for one security issue or the other.

    Containerization, Kubernetes, and various other cloud native technologies promise agility and speed in developing and deploying applications. But, the increase in the number of respondents that have delayed deployment of applications into production due to security issues shows that many of these organizations are not genuinely harnessing the most authentic benefit of containers—faster application delivery.

    Almost every respondent experienced a security issue in their Kubernetes environment in the last 12 months

    In compliment with the previous data—that the majority has delayed production because of security—and maintaining the exact figure with the year earlier, 94% of the respondents said that they had experienced at least one security issue related to their container or Kubernetes in past 12 months.

    Image courtesy: Image courtesy:

    Among the major known causes of these security issues are failed audit (20%), major vulnerability (31%), and security incidents during runtime (32%); misconfiguration being the leading cause, 59%.

    Kubernetes and containers are complex technologies and the configuration requirements for workloads from one another.

    Considering the complexity, it may be challenging to achieve the sufficient required security configurations for the workload accurately.

    Even though it has reduced compared to the previous year (69%), the dominance of human error in the causes of security incidents shows that professionals need to work more on the proper configuration of their Kubernetes environment to reduce security breaches.

    Security is a major concern for companies using containers

    When it comes to containers, security and compliance threats remain the biggest fear of companies embracing the technology. This, however, does not come as a surprise since nearly all respondents (94%) have experienced a security compromise in recent months.

    Respondents cited inadequate investment in container security as the leading concern about their company's container strategy.

    Image courtesy: Image courtesy:

    16% states that they don't take threats to container security seriously, while another 14% don't account for compliance needs.

    These top-stated causes might be responsible for the whooping percentage of security threats and companies need to pay more attention and invest more in security—even though it has improved since the last year (37%)—to enjoy the speed to market offered by containerization.

    The majority of organizations have a container security strategy in place

    Image courtesy: Image courtesy:

    A summative 67% of the survey respondents attest that they have a container security strategy in place, out of which 30% have a basic security strategy, and 26% and 11% have an intermediate and advanced container security strategy in place, respectively.

    26% of the respondent are in the planning stage of their container security strategies, while only 7% have none in existence.

    Even though there is a slight decrease in the individual figures for intermediate (25%) and advanced (30%) security strategies compared to last year, the data is still positive. Organizations, however, need to make more investment in putting a container security strategy in place.

    DevOps is held most responsible for Kubernetes security

    The Ops, DevOps, and DevSecOps roles are considered the most responsible for Kubernetes security, with DevOps leading the pack with 27% and Ops and DevSecOps trailing with 21% and 18%, respectively.

    Image courtesy: Image courtesy:

    A fewer percentage of the respondents consider Security roles and Developers responsible for cloud native security.

    Considering that DevOps facilitate Kubernetes, containers, and other cloud native technologies, this bias is quite understandable.

    However, security should be a collective effort. More organizations need to engage the Security teams and developers in securing their cloud-native tech stack.

    74% of organizations have a DevsecOps initiative

    Image courtesy: Image courtesy:

    49% of the survey respondents confirm that there are collaborations between the DevOps and security teams in their organizations. In comparison, 25% agree that the collaboration is on an advanced level with integration and automation of security at various stages of development.

    With just 26% of the respondent saying the DevOps and Security teams in their organizations work separately, this is a positive note for the DevSecops practice. It allows security to be inclusive for all parties involved in cloud native operations.

    With attacks and vulnerabilities trailing, misconfiguration remains the top security threat for organizations

    As the leading cause of Kubernetes security incidents, misconfiguration remains the most prominent security concern for organizations.

    Image courtesy: Image courtesy:

    47% of respondents cite that they worry the most about misconfiguration of their Kubernetes environment, while 31% fear the most about vulnerabilities and just 21% worry the most about attacks and compliance.

    The higher fear of misconfigurations and its dominant role in security incidents cites a dire need to address the issue with automated configuration tools and more skilled professionals and security experts who should collaboratively conclude on the right and best configurations for various workloads.

    Organizations continue to be afraid of the runtime phase of their container lifecycle

    Image courtesy: Image courtesy:

    Nearly half (49%) of the survey respondent says that their organization worries the most about their container's runtime lifecycle because of the potential security threats its expose to in the phase. This figure is a decline from the previous year's confidence which the percentage of worry at runtime stood at 43%.

    Considering the data about misconfiguration, it can be understood that it might have contributed to the worry of containers at runtime. Actively addressing misconfiguration and other security issues will instill confidence in container security at runtime.

    Cloud-only deployment strategy decline; hybrid grows; Redhat leads hybrid/multi-cloud

    The combined deployment on single and multi-cloud-only retraced from the previous year's 40% to 28%, while hybrid (on-prem and one or multi-cloud) grows slightly from 46% in the last year to 47%.

    Image courtesy: Image courtesy:

    However, 26% of respondents cite that their organizations stick to on-premise only to deploy their cloud native workloads to production.

    RedHat is the leading solution respondents use in deploying hybrid and multi-cloud containerized applications, while AWS Outpost trails in a close margin at 32%. Microsft Azure Arc claims 25% of the hybrid/multi-cloud deployment market while Google Arthos follows closely with 24% and VMware, Oracle lagging with 13% and 4%, respectively.

    Docker, Kubernetes maintain dominance as runtime container and orchestration platforms; Amazon EKS increases its authority

    Image courtesy: Image courtesy:

    Docker takes a minute retrace to 85% as the dominant runtime container platform compared to 89% from the previous year.

    As a slight increase from the previous year's report, 86%, Kubernetes usage as an orchestration platform stands at 88%.

    Image courtesy: Image courtesy:

    AWS' managed Kubernetes service, Amazon EKS, increases its dominance to slightly more than half of the Kubernetes market at 51%, moving up 24% from its authority in the previous year's report.

    You may also like reading:

    Get similar stories in your inbox weekly, for free

    Share this story:
    The Chief I/O

    The team behind this website. We help IT leaders, decision-makers and IT professionals understand topics like Distributed Computing, AIOps & Cloud Native

    Latest stories

    How ManageEngine Applications Manager Can Help Overcome Challenges In Kubernetes Monitoring

    We tested ManageEngine Applications Manager to monitor different Kubernetes clusters. This post shares our review …

    AIOps with Site24x7: Maximizing Efficiency at an Affordable Cost

    In this post we'll dive deep into integrating AIOps in your business suing Site24x7 to …

    A Review of Zoho ManageEngine

    Zoho Corp., formerly known as AdventNet Inc., has established itself as a major player in …

    Should I learn Java in 2023? A Practical Guide

    Java is one of the most widely used programming languages in the world. It has …

    The fastest way to ramp up on DevOps

    You probably have been thinking of moving to DevOps or learning DevOps as a beginner. …

    Why You Need a Blockchain Node Provider

    In this article, we briefly cover the concept of blockchain nodes provider and explain why …

    Top 5 Virtual desktop Provides in 2022

    Here are the top 5 virtual desktop providers who offer a range of benefits such …

    Why Your Business Should Connect Directly To Your Cloud

    Today, companies make the most use of cloud technology regardless of their size and sector. …

    7 Must-Watch DevSecOps Videos

    Security is a crucial part of application development and DevSecOps makes it easy and continuous.The …