Kubernetes Solution

“Automation reduces the chance of misadministration and mistakes, which are the leading causes of operations incidents, unexpected downtime and successful security attacks.”

Gartner

Containers enable DevOps to launch and manage applications with speed and consistency. However, providing strong network security controls for container-based workloads is challenging because securing a containerized application differs from securing one that runs on a virtual machine or bare-metal system. The key differences are:
  • Container-based applications running in an overlay network are not always visible to traditional tools.
  • Containers can connect to each other within the same host or across hosts, making it difficult to discern the communication pattern between containers versus between hosts.
  • Container IPs can change frequently, making it difficult to maintain IP-based network security policies.

Kubernetes Network Policies are analogous to security groups in the virtual machine environment and allow for firewalling between pods running within a cluster. The customization and manual management required to implement these controls are labor intensive and time consuming because of the large number of entities in a container-based deployment. A powerful security solution should not require a team to code, write, rewrite and adjust policies every time a change is introduced.
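As an added illustration, not part of the original brief and not Cloudvisory's code, the following Python model reproduces the label-based matching behind Kubernetes Network Policies, which is why such policies survive the pod IP churn noted above: nothing in the rules refers to an IP address. Namespace, pod and policy names are constructed, and the model deliberately covers only same-namespace podSelector ingress rules (no namespaceSelector, ipBlock or egress), which is a simplifying assumption.

```python
# Added example: a toy evaluator for Kubernetes NetworkPolicy ingress semantics.
# Not Cloudvisory code. Assumptions: same-namespace podSelector rules only,
# ingress only, no namespaceSelector/ipBlock, ports compared as integers.
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Pod:
    name: str
    namespace: str
    labels: Dict[str, str]


@dataclass
class IngressRule:
    from_selectors: List[Dict[str, str]] = field(default_factory=list)  # empty = any source
    ports: List[int] = field(default_factory=list)                      # empty = any port


@dataclass
class NetworkPolicy:
    name: str
    namespace: str
    pod_selector: Dict[str, str]                               # empty = every pod in the namespace
    ingress: List[IngressRule] = field(default_factory=list)   # empty = no ingress allowed


def selector_matches(selector: Dict[str, str], labels: Dict[str, str]) -> bool:
    """A label selector matches when every key/value it names is present on the pod."""
    return all(labels.get(key) == value for key, value in selector.items())


def policies_selecting(pod: Pod, policies: List[NetworkPolicy]) -> List[NetworkPolicy]:
    """Policies only ever select pods in their own namespace."""
    return [p for p in policies
            if p.namespace == pod.namespace and selector_matches(p.pod_selector, pod.labels)]


def ingress_allowed(src: Pod, dst: Pod, port: int, policies: List[NetworkPolicy]) -> bool:
    """Kubernetes semantics: a pod selected by no policy accepts all traffic; once any
    policy selects it, traffic is allowed only if some rule of some selecting policy
    matches both the source and the port (rules are additive, never subtractive)."""
    selecting = policies_selecting(dst, policies)
    if not selecting:
        return True
    for policy in selecting:
        for rule in policy.ingress:
            source_ok = (not rule.from_selectors) or (
                src.namespace == dst.namespace
                and any(selector_matches(sel, src.labels) for sel in rule.from_selectors))
            port_ok = (not rule.ports) or port in rule.ports
            if source_ok and port_ok:
                return True
    return False


# Constructed sample cluster: a three-tier app in namespace "shop", a stray pod in the
# same namespace, and a pod in another namespace that carries the same tier label.
WEB = Pod("web-7f9c", "shop", {"app": "shop", "tier": "web"})
API = Pod("api-2b1d", "shop", {"app": "shop", "tier": "api"})
DB = Pod("db-0", "shop", {"app": "shop", "tier": "db"})
STRAY = Pod("debug-5a", "shop", {"app": "debug"})
OTHER_NS_WEB = Pod("web-ops", "ops", {"app": "shop", "tier": "web"})

POLICIES = [
    # 1. Isolate every pod in the namespace; on its own this denies all ingress.
    NetworkPolicy("default-deny", "shop", pod_selector={}),
    # 2. Re-open only the flows the application needs, keyed on labels, not IPs.
    NetworkPolicy("web-ingress", "shop", {"tier": "web"}, [IngressRule(ports=[443])]),
    NetworkPolicy("api-from-web", "shop", {"tier": "api"},
                  [IngressRule(from_selectors=[{"tier": "web"}], ports=[8080])]),
    NetworkPolicy("db-from-api", "shop", {"tier": "db"},
                  [IngressRule(from_selectors=[{"tier": "api"}], ports=[5432])]),
]


def evaluate(policies: List[NetworkPolicy]) -> Dict[str, bool]:
    """Return a verdict for each sample flow so the result can be inspected or asserted."""
    flows = {
        "web->api:8080": (WEB, API, 8080),
        "api->db:5432": (API, DB, 5432),
        "web->db:5432": (WEB, DB, 5432),                      # tier skipping: denied
        "stray->api:8080": (STRAY, API, 8080),                # unlabeled neighbour: denied
        "other-ns-web->api:8080": (OTHER_NS_WEB, API, 8080),  # podSelector is namespace-local
        "stray->web:443": (STRAY, WEB, 443),                  # web accepts 443 from any source
        "api->web:22": (API, WEB, 22),                        # port not opened: denied
    }
    return {name: ingress_allowed(s, d, p, policies) for name, (s, d, p) in flows.items()}


if __name__ == "__main__":
    for flow, verdict in evaluate(POLICIES).items():
        print(f"{flow:26} {'ALLOW' if verdict else 'DENY'}")
```

Two points worth noting from the model: a default-deny policy with an empty podSelector is what turns the namespace from "allow everything" into "allow only what a rule names", and a pod that is rescheduled with a new IP keeps its labels, so every verdict above is unchanged by IP churn. The namespace-local behaviour of podSelector is also the reason a pod in another namespace with identical labels is still denied.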


Critical Solution Requirements

1. A real-time, detailed visual mapping of all Kubernetes clusters, namespaces, pods, deployments, services, and related flows
2. A method for policy organization, orchestration and automated provisioning
3. A policy monitoring, verification and enforcement system

Cloudvisory's Security Platform (CSP) provides the agentless automation vital for container-based workload security, organized by any category (Cluster, Namespace, Pod, Deployment, Service, logical groups and even other cloud providers).

Cloudvisory Security Platform
CSP delivers continuous monitoring, detection, and security automation for AWS environments through visibility, cloud-native control capabilities and enforcement.


Visualization

Understanding and managing the security of Kubernetes workloads can be challenging using the Kubernetes Dashboard, the kubectl, or the REST API. Getting an accurate view of the current infrastructure and any changes is very difficult without visual representations of the relationships between Clusters, Namespaces, Pods, Deployments, Services and the network flows between them. Here’s the value CSP can bring to a Kubernetes deployment.

Visualizing the Infrastructure

[Figure: Kubernetes Dashboard pod list]

Kubernetes Dashboard is restricted to a list view of pods for a single namespace and cluster. Troubleshooting can be slow and inaccurate due to the rapidly changing environment.

[Figure: Cloudvisory visualization with CSP]

CSP continuously discovers and displays the Kubernetes infrastructure components and network flows. As new pods spin up or down, the view is immediately updated.

Security Orchestration

CSP’s Security Orchestration plane simplifies the creation, organization, and control of security policies. Natural language policies are created with point and click ease and are associated to groups of workloads through labels and cluster attributes. Provisioning of these policies is automated and seamless. As the environment changes, complex calculations determine the security policy changes required to keep the environment secure.

Organization & Orchestration

Kubernetes Dashboard does not enable viewing or configuring policies. All policy creation and maintenance is manual and prone to error.

[Figure: Cloudvisory CSP policy management]

The Security Orchestration plane enables creation of natural language policies and the association of those policies to workloads via infrastructure memberships, tags, and group memberships (such as application or application tier). This orchestration plane enables automated calculation and provisioning of security policies, even as the environment undergoes change. With security automation, the pace and accuracy of DevOps processing increase dramatically.

[Figure: Cloudvisory CSP visual grouping]

CSP provides visual grouping of pods and network flows based on categories, such as Application, App Tier, Governance Policy, Namespace, Service, etc. These logical groups enable granular microsegmentation of policies and real-time security updates based on changes in the environment.

[Figure: Cloudvisory CSP policy creation]

In Cloudvisory, policy creation and management are automated across clusters and namespaces, at the pod, service, or logical group level, and across other cloud providers. This enables dynamic control of the Kubernetes deployment.

Enforcement

After discovery, visualization and orchestration, CSP ensures all infrastructure, policies, and network flows remain in real-time compliance. CSP can identify unsanctioned or malicious activity, and immediately take corrective action to avoid a security breach. This is not possible with Kubernetes tools without a significant investment in people, time, coding and testing. DevOps teams can take weeks to respond to a potential threat. CSP automates this process.

Network Flows

Kubernetes does not provide visibility into workload network flows. Monitoring generally relies on legacy data center tools that are not designed to track the dynamic changes in a cloud environment.

[Figure: Cloudvisory CSP network flows]

Cloudvisory can quickly identify non-compliant network flows and alert teams to potential threats. CSP continuously monitors security policies for needed adjustments and alerts on non-compliant changes. Below, the visual flow data specifically points out compliant and non-compliant flow details so that risk and potential malicious activity can be identified quickly.

[Figure: Cloudvisory CSP flow details]

Cloudvisory flow information is summarized per workload and logical group for a better understanding of the environment and faster triage of infected workloads or malicious behavior.
