Introducing Red Hat Advanced Cluster Security for Kubernetes

Containers and microservices have triggered a tectonic shift in application infrastructure, and Kubernetes is rapidly becoming the standard tool for automating the management of these new application building blocks. These dramatic infrastructure changes brought new security challenges with them, and new tools and processes were needed to protect the cloud-native application stack. Today, in the Kubernetes world, it is not enough to protect only containers and images; you need a comprehensive solution that secures the Kubernetes environment as a whole.

At the end of April 2021, Red Hat announced a new edition of its OpenShift platform, OpenShift Platform Plus, which includes Red Hat Advanced Cluster Security for Kubernetes, a solution based on StackRox technology. In this article we describe which OpenShift security tasks this product addresses, and examine the advantages of its Kubernetes-oriented approach to protecting containerized applications.

Benefits of Kubernetes-Oriented Security

Traditional, container-oriented security solutions for cloud infrastructure have three critical flaws:

  • Visibility - these solutions see only images, image components, and running containers; they are not aware of the Kubernetes environment itself (namespaces, deployments, service accounts, network policies).
  • Lack of context - in container-oriented approaches, decisions can only be based on context that applies to the containers themselves, that is, vulnerabilities detected by scanning and their CVE (Common Vulnerabilities and Exposures) entries.
  • Policy enforcement that does not scale - because containers themselves offer no enforcement point, container-centric solutions require third-party components (agents, proxies, kernel modules) that introduce operational risk and do not scale automatically with Kubernetes.

Red Hat Advanced Cluster Security for Kubernetes was originally designed for a modern cloud-based application stack. This platform provides many deep integrations with Kubernetes to make security as portable, scalable, and resilient as the hybrid cloud infrastructure itself. In addition, with a Kubernetes-centric approach, this solution provides the broadest set of capabilities for securing containers and Kubernetes throughout the entire application lifecycle.

All these advantages, which follow from tight integration with Kubernetes, let us offer customers a higher overall level of security. Many container security vendors cover a similar set of scenarios, but the end result depends on how those scenarios are implemented. Next we walk through the main security scenarios in OpenShift to illustrate the benefits of a Kubernetes-oriented architecture.

Visibility

You cannot protect what you do not know about. The first thing you need to know, therefore, is what exists and what is happening in your OpenShift environment: which images are used, where they come from, whether they contain vulnerabilities and how critical those are, and that is just the beginning. You also need to know in which pods, namespaces, and deployments vulnerable containers are running, what their attack surface is, and what the blast radius would be in the event of a compromise.

This is precisely the visibility that Red Hat Advanced Cluster Security for Kubernetes provides, letting you see the OpenShift environment as a whole together with its security issues, including images, containers, and vulnerabilities with CVE IDs and severity ratings.

This visibility is further enriched with contextual data sourced from Kubernetes itself, such as permitted network paths, running processes, secret exposure, and other environment attributes.

Vulnerability management

One of the key tasks in securing containers in OpenShift is preventing the use of container images that contain known, fixable vulnerabilities, as well as identifying and stopping such containers if they are already running. To enforce policies at the build, deployment, and runtime stages, you also need to be able to scan images, deployments, and clusters for vulnerabilities on demand.

The vulnerability management system should also integrate with the CI/CD pipeline so that it can block a build that contains a disqualifying vulnerability, and at the same time tell the developer why the build was blocked and how to fix it.

Red Hat Advanced Cluster Security for Kubernetes provides full lifecycle scanning of containers and images. The solution combines information on the vulnerability found with Kubernetes data and information about the lifecycle stage affected by the vulnerability to quantify the security risks of that vulnerability specific to your environment. It also allows you to accurately determine which pods, namespaces, deployments and clusters are affected.
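As an added example of the CI/CD gate described above (this is not code from the original article or from Red Hat), the GitLab CI job below builds an image, pushes it, and then runs `roxctl image check` against RHACS Central; the job fails when a policy with build-time enforcement is violated, and the command's output lists the violated policy and its remediation text for the developer. `ROX_CENTRAL_ADDRESS` and `ROX_API_TOKEN` are assumed to be set as masked CI variables, Central's TLS certificate is assumed to be trusted by the runner, and the `roxctl` flags and download path follow the roxctl documentation at the time of writing; verify them against the roxctl version you deploy.

```yaml
# Added example, not part of the original article.
# Assumptions: ROX_CENTRAL_ADDRESS (host:port of RHACS Central) and
# ROX_API_TOKEN (an RHACS API token) are masked CI variables; the runner
# trusts Central's TLS certificate. $CI_REGISTRY_IMAGE and $CI_COMMIT_SHA
# are GitLab's predefined variables.
stages: [build, scan]

build-image:
  stage: build
  image: quay.io/podman/stable
  script:
    # Build and push an immutable, commit-tagged image so the scan result
    # refers to exactly what will be deployed.
    - podman login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" "$CI_REGISTRY"
    - podman build -t "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA" .
    - podman push "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA"

image-check:
  stage: scan
  image: registry.access.redhat.com/ubi8/ubi
  script:
    # Fetch the roxctl binary that matches the Central version (documented
    # download endpoint; adjust if your installation differs).
    - curl -sSL -o roxctl "https://$ROX_CENTRAL_ADDRESS/api/cli/download/roxctl-linux"
    - chmod +x roxctl
    # Scan the image and evaluate build-time policies. roxctl reads
    # ROX_API_TOKEN from the environment; a non-zero exit code fails the job
    # when an enforced policy is violated, and the output explains why.
    - ./roxctl image check
        --endpoint "$ROX_CENTRAL_ADDRESS"
        --image "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA"
  # Keep the violation report even when the job fails, so the developer can
  # read it from the job artifacts.
  artifacts:
    when: always
    paths: [roxctl-output.txt]
    expire_in: 1 week
```

The key design point is that the gate runs against the exact image reference that will be deployed (commit SHA, not `latest`), so the policy decision made here is still valid at admission time.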

Compliance

The current and rapidly evolving DevOps approach relies heavily on automation as a means of continuous improvement. Organizations therefore need a compliance management system that complements rather than hinders DevOps. At the same time, the customer must not only comply with industry requirements but also provide evidence, on a regular basis, that this is being done.

Finally, it is necessary to adhere to internal corporate security configuration policies and other best practices so that non-compliant deployments never reach production.

Our Kubernetes-centric security solution ships with the CIS Benchmarks for Docker and Kubernetes, as well as other industry standards such as PCI DSS, HIPAA, NIST SP 800-190, and NIST SP 800-53. Compliance reports can be generated with one click and presented to auditors as evidence of compliance.

Segmentation of the network

Containers communicate with each other across nodes and clusters (east-west traffic) and with external endpoints (north-south traffic). As a result, a compromised container can reach many other containers. It is therefore essential to restrict each container's communication according to the principle of least privilege, without interfering with its functional tasks.

Our approach to network segmentation relies on Kubernetes' built-in NetworkPolicy resources, which gives it the reliability, portability, and scalability of Kubernetes itself. It also ensures that security staff, IT operators, and developers work from the same source of truth and a shared view of the environment when defining network access.
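As an added example of least-privilege segmentation with native NetworkPolicy objects (not code from the original article or from Red Hat), the manifests below first deny all ingress and egress in a namespace and then open exactly one path, frontend to backend on TCP 8080, plus DNS egress for the frontend. The namespace `shop`, the `app` labels, the port, and the DNS pod label are assumptions for illustration; the DNS selector in particular must match the labels of your cluster's DNS pods.

```yaml
# Added example, not part of the original article. Namespace, labels, and
# port are assumed for illustration.
#
# 1. Default deny: selects every pod in the namespace and lists both policy
#    types with no rules, so nothing is allowed until another policy says so.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: shop
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress
---
# 2. Ingress side of the allowed path: backend accepts TCP 8080 only from
#    frontend pods in the same namespace.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-frontend-to-backend
  namespace: shop
spec:
  podSelector:
    matchLabels:
      app: backend
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: frontend
    ports:
    - protocol: TCP
      port: 8080
---
# 3. Egress side of the same path for the frontend, plus DNS. Because the
#    default-deny policy also blocks egress, both halves are required.
#    The k8s-app=kube-dns label is an assumption; use the label your
#    cluster's DNS pods actually carry (OpenShift runs DNS in openshift-dns).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-frontend-egress
  namespace: shop
spec:
  podSelector:
    matchLabels:
      app: frontend
  policyTypes:
  - Egress
  egress:
  - to:
    - podSelector:
        matchLabels:
          app: backend
    ports:
    - protocol: TCP
      port: 8080
  - to:
    # namespaceSelector and podSelector in one element are ANDed: DNS pods
    # with this label in any namespace.
    - namespaceSelector: {}
      podSelector:
        matchLabels:
          k8s-app: kube-dns
    ports:
    - protocol: UDP
      port: 53
    - protocol: TCP
      port: 53
```

Apply the three manifests with `oc apply -f`, then confirm from a frontend pod that the backend is reachable on 8080 and that any other destination times out. NetworkPolicy is only enforced by a CNI plugin that implements it (OpenShift SDN and OVN-Kubernetes both do); on a cluster whose CNI ignores NetworkPolicy, these objects are accepted by the API server but have no effect.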

Risk profiling

One of the most pressing challenges customers face is the sheer volume of security incidents and alerts to investigate, with no indication of their relative priority. This inevitably means that high-risk problems are addressed later than they should be, or never, because specialists are busy responding to lower-priority issues, or stop responding altogether because of the volume of messages.

Therefore, Red Hat Advanced Cluster Security for Kubernetes outputs a numerical risk value corresponding to the threat level for each deployment based on information throughout the entire application lifecycle. We correlate image-level vulnerabilities and severity with rich contextual data, and help you quickly understand which deployments need to be fixed first.

Configuration management

The configuration options for containers and Kubernetes are extensive and can be challenging for security professionals. In large container and Kubernetes environments, it is impractical to assess risk by manually checking all security parameters of each object.

The CIS Benchmarks for Docker and Kubernetes, of course, provide useful guidelines and a suitable framework, but they involve hundreds of checks on various configuration parameters. Without automation, it is difficult to follow these and other best practices consistently.

Red Hat Advanced Cluster Security for Kubernetes therefore gives the customer a deployment-oriented view of how their images, containers, and deployments are configured before they are launched, so that deviations from best practices and recommendations are identified in time. Our solution also analyzes how you use Kubernetes RBAC (role-based access control) to understand the privileges of user and service accounts and to identify risky configurations. And by tracking how secrets are used, you can identify unnecessary exposure and proactively restrict access to them.

When a misconfiguration is detected, our solution lets you create custom policies or use one of the predefined ones to enforce configuration improvements, both at build time through integration with the CI/CD pipeline and at deployment time through admission control.
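As an added example of the kind of misconfiguration these build-time and admission-time checks catch (this is not code from the original article or from Red Hat), here is one Deployment in two versions: first with settings that predefined policies commonly flag, then the same workload with least privilege applied. The names, namespace, image, and secret are assumptions for illustration.

```yaml
# Added example, not part of the original article. Names, namespace, image
# and secret are assumed for illustration.
#
# BEFORE: settings that build/deploy-time policies typically flag.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: api
  namespace: shop
spec:
  replicas: 2
  selector:
    matchLabels:
      app: api
  template:
    metadata:
      labels:
        app: api
    spec:
      containers:
      - name: api
        image: registry.example.com/shop/api:latest   # mutable tag: unknown contents
        securityContext:
          privileged: true                            # full access to the host
        env:
        - name: DB_PASSWORD
          value: "hunter2"                            # secret in plain text, visible in the manifest
        # no resource limits, writable root filesystem, service account token
        # auto-mounted although the app never talks to the API server
---
# AFTER: same workload, least privilege applied.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: api
  namespace: shop
spec:
  replicas: 2
  selector:
    matchLabels:
      app: api
  template:
    metadata:
      labels:
        app: api
    spec:
      automountServiceAccountToken: false           # no API credentials in the pod
      securityContext:
        runAsNonRoot: true
        seccompProfile:
          type: RuntimeDefault
      containers:
      - name: api
        image: registry.example.com/shop/api:1.4.2    # pinned release (a digest is stricter still)
        securityContext:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
          capabilities:
            drop: ["ALL"]
        env:
        - name: DB_PASSWORD
          valueFrom:
            secretKeyRef:                             # read from a Secret, not the manifest
              name: api-db
              key: password
        resources:
          requests: {cpu: "100m", memory: "128Mi"}
          limits:   {cpu: "500m", memory: "256Mi"}   # bounds the blast radius of a runaway process
        volumeMounts:
        - name: tmp
          mountPath: /tmp                             # the only writable path
      volumes:
      - name: tmp
        emptyDir: {}
```

Each change in the second manifest maps to a check an admission-time policy can enforce declaratively: image pinning, privileged/capability settings, secrets handling, resource limits, and the read-only root filesystem. On OpenShift the restricted SCC already rejects the privileged container, but the remaining items still need an explicit policy.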

Search and response at runtime

Once an image is built and deployed to production, it becomes a target for external attacks and newly emerging threats. The primary goal of runtime security is to detect and respond to malicious activity in an automated, scalable way, minimizing false positives and the analyst time lost to floods of security alerts.

Red Hat Advanced Cluster Security for Kubernetes is able to distinguish real threats from benign anomalies. It does this by combining automatic process discovery and behavioral baselining with automatic generation of allowed-process lists per deployment.

The solution also ships with ready-made policies for common threats, including cryptocurrency mining, privilege escalation, and various other exploitation patterns. By using native Kubernetes controls to respond, such as killing and restarting suspicious pods or scaling a deployment to zero, our solution keeps incident response inside the platform's own reconciliation model rather than relying on out-of-band agents, which minimizes operational risk.

Conclusion

In theory, native container and Kubernetes controls have all the potential to produce the most secure applications possible. In practice, however, setting every parameter and option correctly is a very difficult task. Red Hat Advanced Cluster Security for Kubernetes is a next-generation security system whose architecture is built around both containers and Kubernetes. By leveraging declarative data and built-in Kubernetes controls, our solution minimizes operational risk, increases developer productivity, and lowers operating costs, while immediately raising the level of security. Leave a request and we will give you a personal demo of Red Hat Advanced Cluster Security for Kubernetes.
