Secure Kubernetes Clusters With RedHat Advanced Cluster Security (RHACS)
Consistent security controls across all Kubernetes clusters in the enterprise.

By Balaji Kadambi, Yogendra Srivastava

Container technologies are the default choice for hosting applications and services because of the flexibility, portability and scalability they offer, and Kubernetes is the leading platform for managing containers. According to Datadog's report 9 Insights on Real-World Container Usage, nearly half of the organizations running containers use Kubernetes to deploy and manage them, and that ecosystem keeps growing. The ability to run Kubernetes anywhere, as business needs dictate, is fueling the adoption. Many Kubernetes distributions are available; among them, Red Hat OpenShift is the most popular, with a market share of more than 48%.

Security is plainly critical when hosting an application or service on the Kubernetes platform. According to the Kubernetes adoption, security, and market trends report 2023:

  • 67% of companies have delayed or slowed down deployment due to a security issue

  • 37% of respondents identified revenue or customer loss as a result of a container and Kubernetes security incident.

  • 83% of respondents have a DevSecOps initiative underway.

  • More than 50% of respondents are worried about misconfigurations and vulnerabilities, making these a top concern.

  • Use of open source software is a big software supply chain security concern for 32% of respondents.

What are the security concern areas with container technologies?

The NIST SP 800-190 document explains the security concerns associated with application container technologies, and makes practical recommendations for addressing those concerns when planning for, implementing, and maintaining containers. The concerns are categorized into various areas - Image, Registry, Orchestrator, Container and Host OS.

Fig 1. Security concern areas for container technologies

There are recommended countermeasures for the security risks in all the above areas, and the most effective way to improve the security of containerized applications in Kubernetes environments is to embed security controls into each phase of the container life cycle: build, deploy, and run. 

Ensuring consistent security controls using RedHat Advanced Cluster Security for Kubernetes and OpenShift clusters

Red Hat Advanced Cluster Security for Kubernetes incorporates these countermeasures, and this can be seen across the different features of the product.

RHACS follows DevSecOps and integrates security testing at every stage of the software development process to secure the software supply chain, infrastructure and workloads.

DevSecOps and Shift Left approach to detect security issues early

Components of RHACS

RHACS has five major components that are deployed on the clusters. The Central and Scanner components are deployed on a separate hub cluster. The Sensor, Admission controller and Collector components are deployed on every individual cluster where security controls need to be implemented.

Architecture
  1. Central is the main component of Red Hat Advanced Cluster Security for Kubernetes, and it is installed as a Kubernetes deployment. It handles data persistence, API interactions, and user interface (Portal) access. You can use the same Central instance to secure multiple OpenShift Container Platform or Kubernetes clusters.

  2. Scanner analyzes all image layers to check for known vulnerabilities from the Common Vulnerabilities and Exposures (CVEs) list. The Scanner also identifies vulnerabilities in packages installed by package managers and in dependencies for multiple programming languages.

  3. The Sensor component monitors Kubernetes and OpenShift Container Platform clusters. It handles interactions with the OpenShift Container Platform or Kubernetes API server for policy detection and enforcement, and it coordinates with Collector.

  4. Admission controller prevents users from creating workloads that violate security policies in Red Hat Advanced Cluster Security for Kubernetes.

  5. Collector collects and monitors information about container runtime and network activity. It then sends the collected information to Sensor.

Features and functional aspects of RHACS

The objective for an enterprise is to ensure consistent security controls across all the Kubernetes and OpenShift clusters in the organization. The user interface portal hosted on the Central component provides a Dashboard and other administrative pages to configure security policies, check compliance with standards (such as PCI, NIST and HIPAA), segment networks, view risks and more for all your enterprise clusters. All clusters are configured to send data to the Central component of RHACS, which scans, analyzes, detects and reports security violations. This ensures a consistent implementation of security controls across all the clusters in the enterprise.

Let us look at the different features and functionalities of RHACS below:

  • The RHACS Dashboard is a single-pane view of the levels of risk in your environment, compliance status, policy violations, and common vulnerabilities and exposures (CVEs) in images across all your Kubernetes clusters.

Dashboard
  • Configuring security policies: The security controls for clusters are configured using security policies. You can use the out-of-the-box security policies and also define custom multi-factor policies for your container environment. Configuring these policies enables you to automatically prevent high-risk service deployments in your environment and to respond to runtime security incidents. Each policy specifies the phase of the container lifecycle (build, deploy, or runtime) to which it applies.

Sample policy for flagging insecure messages
  • Risk analysis: The Risk view lists all deployments from all clusters, sorted by a multi-factor risk metric based on policy violations, image contents, deployment configuration, and other similar factors. Deployments at the top of the list present the most risk.

Risk analysis
  • Compliance: RHACS comes pre-built with compliance checks for CIS benchmarks for Docker and Kubernetes as well as other industry standards such as PCI, HIPAA, and NIST SP 800-90 and SP 800-53 to ensure continuous compliance across your container environment. Compliance reports can be generated with a single click and handed to auditors as evidence.

Compliance report for the clusters
  • Network segmentation: Visualize existing connections and enforce tighter segmentation using Kubernetes-native controls to reduce your blast radius. Containers pose a unique networking challenge because they communicate with each other across nodes and clusters (east-west traffic) and with outside endpoints (north-south traffic). As a result, a single container breach has the potential to impact every other container. It is therefore imperative to limit a container's communication in line with least privilege principles without inhibiting the container's functional goals. Kubernetes network policies are used to implement the network traffic controls on the cluster, and they can be auto-generated from observed traffic, as shown in the image below.

Network segmentation
  • Configuration management: You can apply best practices for Docker and Kubernetes to harden your environment for more secure and stable applications. Findings such as users holding cluster-admin roles, clear-text secrets embedded in deployments, service accounts with cluster-admin access, pod privileges and other configuration issues are reported based on the configured policies. The principle of least privilege can then be applied to all clusters based on these findings, using OpenShift role-based access control (RBAC) to implement it.

Configuration management
  • Vulnerability Management: Security vulnerabilities in your environment might be exploited by an attacker to perform unauthorized actions such as denial of service, remote code execution, or unauthorized access to sensitive data. RHACS can help identify and remediate vulnerabilities in software packages, container images and Kubernetes nodes across the entire software development life cycle.

Vulnerabilities
  • Runtime detection and response: In RHACS, rules, automated allow lists, and baselining can be used to accurately identify suspicious activity in your running applications. Enforcement actions range from failing builds and blocking deployments to killing pods and thwarting attacks using Kubernetes-native controls.

Violations
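As an added illustration of the network segmentation feature described above (example code, not RHACS code), the following Python derives one least-privilege ingress NetworkPolicy per destination workload from a constructed list of observed east-west flows, together with the default-deny baseline that makes the allow rules meaningful. The `app` label key, the namespace name and the flow tuples are assumptions.

```python
"""Derive least-privilege NetworkPolicy objects from observed flows.

Illustrative example, not RHACS code. Assumes workloads carry an ``app``
label and that all flows were observed inside a single namespace.
"""
from collections import defaultdict

# Constructed sample of observed east-west flows: (src_app, dst_app, dst_port, protocol)
OBSERVED_FLOWS = [
    ("frontend", "payments", 8080, "TCP"),
    ("frontend", "payments", 8080, "TCP"),   # repeated flow collapses into one rule
    ("reporting", "payments", 8080, "TCP"),
    ("payments", "postgres", 5432, "TCP"),
]


def default_deny(namespace):
    """Baseline policy: select every pod in the namespace and allow no ingress."""
    return {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "NetworkPolicy",
        "metadata": {"name": "default-deny-ingress", "namespace": namespace},
        "spec": {"podSelector": {}, "policyTypes": ["Ingress"]},
    }


def build_network_policies(flows, namespace):
    """Return one ingress NetworkPolicy per destination, allowing only observed peers and ports."""
    peers = defaultdict(set)
    for src, dst, port, proto in flows:
        peers[dst].add((src, port, proto))   # set dedups repeated flows
    policies = []
    for dst in sorted(peers):
        ingress = [
            {
                "from": [{"podSelector": {"matchLabels": {"app": src}}}],
                "ports": [{"port": port, "protocol": proto}],
            }
            for src, port, proto in sorted(peers[dst])
        ]
        policies.append({
            "apiVersion": "networking.k8s.io/v1",
            "kind": "NetworkPolicy",
            "metadata": {"name": f"allow-to-{dst}", "namespace": namespace},
            "spec": {
                "podSelector": {"matchLabels": {"app": dst}},
                "policyTypes": ["Ingress"],
                "ingress": ingress,
            },
        })
    return policies
```

The generated dicts serialize directly to YAML manifests; apply the default-deny policy first so that only the observed peers remain reachable.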

The complete list of functionalities and features can be found in the product documentation.
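As an added example of the deploy-phase checks described under security policies and configuration management (example code, not RHACS code), this Python evaluates a constructed Deployment manifest for privileged containers, possible root execution, mutable image tags and clear-text secrets in environment variables, then returns an admission-style decision. The policy names, the sample manifest and the set of enforced policies are assumptions.

```python
"""Deploy-time policy checks in the style of an admission controller (illustrative, not RHACS code)."""
import re

# Constructed sample Deployment manifest, already parsed from YAML into a dict.
SAMPLE_DEPLOYMENT = {
    "kind": "Deployment",
    "metadata": {"name": "payments", "namespace": "shop"},
    "spec": {"template": {"spec": {
        "serviceAccountName": "default",
        "containers": [{
            "name": "app",
            "image": "registry.example.com/shop/payments:latest",
            "securityContext": {"privileged": True},
            "env": [
                {"name": "DB_PASSWORD", "value": "hunter2"},   # clear-text secret
                {"name": "DB_USER", "valueFrom": {"secretKeyRef": {"name": "db", "key": "user"}}},
            ],
        }],
    }}},
}

# Env var names that suggest a credential (assumed heuristic).
SECRET_NAME_RE = re.compile(r"(PASSWORD|SECRET|TOKEN|API_KEY)", re.IGNORECASE)


def check_deployment(manifest):
    """Return a list of (policy_name, detail) violations for one Deployment manifest."""
    violations = []
    pod = manifest["spec"]["template"]["spec"]
    for c in pod.get("containers", []):
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            violations.append(("privileged-container", c["name"]))
        if sc.get("runAsNonRoot") is not True:
            violations.append(("may-run-as-root", c["name"]))
        image = c.get("image", "")
        last = image.rsplit("/", 1)[-1]          # strip registry/repo path
        if ":" not in last or image.endswith(":latest"):
            violations.append(("mutable-image-tag", image))
        for env in c.get("env", []):
            if "value" in env and SECRET_NAME_RE.search(env["name"]):
                violations.append(("cleartext-secret-in-env", env["name"]))
    return violations


def admit(manifest, enforce=("privileged-container", "cleartext-secret-in-env")):
    """Admission decision: deny when any violation belongs to an enforced policy."""
    violations = check_deployment(manifest)
    denied = [v for v in violations if v[0] in enforce]
    return (len(denied) == 0, violations)
```

Policies not in `enforce` are still reported, mirroring the distinction between alerting on a violation and blocking the deployment.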

Integration with Third-Party systems and services

In addition, RHACS can work with many popular third-party tools and services, which makes it flexible enough to deploy in a variety of tooling environments. RHACS supports integration with:

  • Continuous-Integration systems

  • Image registries such as Amazon Elastic Container Registry, Generic Docker Registries, Google container registries, Google artifact repository, JFrog Artifactory, Microsoft Azure Container Registry, Red Hat Quay, Red Hat registry, Sonatype Nexus

  • Vulnerability scanners such as RHACS Scanner, Clair, Google container analysis, RedHat Quay

  • Notification and management systems such as PagerDuty, Slack, Service Now, Email, JIRA

  • Storage systems such as Google Cloud storage, Amazon S3

  • SIEM and analytics platforms such as QRadar, Splunk, Sumo Logic.

Summary

Red Hat Advanced Cluster Security for Kubernetes delivers next-generation container security with an architecture that is both container-native and Kubernetes-native. RHACS integrates testing at every stage of the software development process to secure the software supply chain, infrastructure and workloads. It can run anywhere: on OpenShift, Amazon EKS, Google GKE or Azure AKS. Its integration with many third-party tools makes it a comprehensive solution for implementing consistent security controls across all the Kubernetes clusters in the enterprise.

References:

  1. Guide to NIST SP 800-190 compliance in container environments

  2. A Brief Introduction to Red Hat Advanced Cluster Security for Kubernetes

  3. Product documentation - RHACS

  4. NIST SP 800-90 document
