Kubernetes Solution


Containers enable software developers and operations teams to launch and manage applications with speed and consistency. However, providing strong network security controls for container-based workloads is challenging because securing a containerized application differs from securing one that runs on a virtual machine or bare-metal system. The key differences are:
  • Container-based applications running in an overlay network are not always visible to traditional tools.
  • Containers can connect to each other within the same host or across hosts, making it difficult to discern the communication pattern between the containers as opposed to the hosts.
  • Container IPs can change frequently, making it difficult to maintain network security policies.

Kubernetes Network Policies are analogous to security groups in the virtual machine environment, and allow for firewalling between pods running within a cluster. When used properly, with a supporting networking plugin (such as Calico, Romana, or Weave Net), these security controls can be very powerful. However, the customization and manual management required to implement these controls are labor intensive and time consuming due to the large number of entities in a container-based deployment. A powerful security solution must not require a team to code, write, rewrite, adjust… and repeat the process every time a new change is introduced. As Gartner points out, to keep up with the pace of change and threats in a cloud infrastructure, you must move to security automation. A complete Kubernetes security solution must provide:

Critical Solution Requirements

1. A real-time detailed visual mapping of all Kubernetes clusters, namespaces, pods, deployments, services, and related flows
2. A method for policy organization, orchestration, and automated provisioning
3. A policy monitoring, verification and enforcement system

Cloudvisory’s Security Platform (CSP) provides continuous monitoring and detection of container-based workloads, changes, and events while automating the security rules to properly micro-segment and secure a Kubernetes environment. CSP provides visual grouping of workloads based on any category (Cluster, Namespace, Pod, Deployment, Service, logical groups and even other cloud providers) to enable granular policy micro-segmentation and immediate updates to changes in the Kubernetes environment, or multi-cloud hybrid environments. CSP can quickly identify rogue or malicious activity and take corrective action to halt a malware risk, returning the environment to a compliant and safe state. CSP is agentless, and requires no changes to your hosts, container engine, orchestrator, or applications.

CSP delivers continuous monitoring, detection, and security automation for Kubernetes environments with:

Visualization / Visibility

Understanding and managing the security of Kubernetes workloads can be challenging using the Kubernetes Dashboard, kubectl, or the REST API. Getting an accurate view of the current infrastructure and any changes is very difficult without visual representations of the relationships between Clusters, Namespaces, Pods, Deployments, Services and the network flows between them. Here is the value CSP can bring to a Kubernetes deployment.

Visualizing the Infrastructure

Kubernetes Dashboard: Kubernetes Pods

Kubernetes Dashboard is restricted to a list view of pods for a single namespace and cluster. Troubleshooting can be slow and inaccurate due to the rapidly changing environment.

Cloudvisory CSP: Kubernetes Pods

CSP continuously discovers and displays the Kubernetes infrastructure components and network flows. As new pods spin up or down, the view is immediately updated.


Control

CSP’s Security Orchestration plane simplifies the creation, organization, and control of security policies. Natural language policies are created with point and click ease and are associated to groups of workloads through labels and cluster attributes. Provisioning of these policies is automated and seamless. As the environment changes, complex calculations determine the security policy changes required to keep the environment secure.

Organization & Orchestration

Kubernetes Dashboard does not enable viewing or configuring policies.
All policy creation and maintenance is manual and prone to error.

Cloudvisory CSP: Security Orchestration

The Security Orchestration plane enables creation of natural language policies and the association of those policies to workloads via Infrastructure memberships and Tag and Group memberships (such as application or application tier). This orchestration plane enables automated calculation and provisioning of security policies, even as the environment undergoes change. With security automation, the pace and accuracy of DevOps processing increases dramatically.

Cloudvisory CSP: Logical Groups

CSP provides visual grouping of pods and network flows based on categories, such as Application, App Tier, Governance Policy, Namespace, Service, etc. These logical groups enable granular micro-segmentation of policies and real-time security updates based on changes in the environment.

Cloudvisory CSP: Policy Creation

Policy creation and management is automated across Clusters and Namespaces, at the pod, service, or logical group level, and across other cloud providers. This enables dynamic control of the Kubernetes deployment.


Enforcement / Compliance

After discovery, visualization and orchestration, CSP ensures all infrastructure, policies, and network flows remain in real-time compliance. CSP can identify unsanctioned or malicious activity and immediately take corrective action to avoid a security breach. This is not possible with native Kubernetes tools without a significant investment in people, time, coding and testing. DevOps teams can take weeks to respond to a potential threat. CSP automates this process.

Network Flows

Kubernetes does not provide visibility into workload network flows. Monitoring generally relies on legacy data center tools that are not designed to track the dynamic changes in a cloud environment.

Cloudvisory CSP: Network Flows

CSP quickly identifies non-compliant network flows and alerts teams to potential threats. Visual flow data distinguishes compliant from non-compliant flows so that risk and potential malicious activity can be identified quickly.

Cloudvisory CSP: Flow Details

Cloudvisory flow information is summarized per workload and logical group for a better understanding of the environment and faster triage of infected workloads or malicious behavior.

Summary

Cloudvisory Security Platform – a single, integrated, end-to-end platform for discovery, prevention, detection, and remediation – can help secure Kubernetes environments, public/private cloud providers and legacy data center infrastructures.