You learn from every customer, but some of the toughest requirements can come from our Intelligence Community customers. Occasionally, that group needs capabilities uniquely their own, but in the best of times, they push you in ways that benefit all your customers. Our recent developments in runtime security fall in that second camp, and we’re excited to announce their availability today. We collaborated with our IC customers along with some of our biggest enterprise customers to enhance our platform with new features that help streamline analysis, investigation, and response for runtime security events.
As companies embrace containerized, cloud-native applications, they recognize that the need for security is as paramount as ever but struggle to secure these new technologies. Since everyone is learning the new stack, no one has a roadmap for how to apply security across the various stages of the containerization journey. Each stage introduces novel security challenges, and organizations must learn both the infrastructure and the security at the same time. Understandably, security needs evolve as companies move from developing their first containerized application to doing all new development in containers and managing thousands of microservices.
One of the strengths of Kubernetes as a container orchestrator lies in its ability to manage and respond to dynamic environments. One example is Kubernetes’ native capability to perform effective autoscaling of resources. However, Kubernetes does not support just a single autoscaler or autoscaling approach. In this post, we discuss the three forms of Kubernetes capacity autoscaling.

1. Pod Replica Count

For many applications with usage that varies over time, you may want to add or remove pod replicas in response to changes in demand for those applications.
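The replica-count form of autoscaling is implemented by a HorizontalPodAutoscaler. The manifest below is an added example, not code from the original post: a Deployment with CPU requests and an HPA that scales it between a floor and a ceiling on CPU utilization. The names (`shop`, `api`), the image reference, and the threshold values are assumptions chosen for illustration.

```yaml
# Added example (not from the original post): a Deployment with CPU requests and
# a HorizontalPodAutoscaler that adjusts its replica count. Namespace, names,
# image and numbers are assumptions.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: api
  namespace: shop
spec:
  replicas: 2                      # initial count; the HPA takes over once it exists
  selector:
    matchLabels:
      app: api
  template:
    metadata:
      labels:
        app: api
    spec:
      containers:
        - name: api
          image: registry.example.com/shop/api:1.4.2   # assumed image
          resources:
            requests:
              cpu: 250m            # required: utilization is measured relative to requests
              memory: 256Mi
            limits:
              cpu: "1"
              memory: 512Mi
---
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
  name: api
  namespace: shop
spec:
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: api
  minReplicas: 2                   # floor: keep enough replicas to survive losing a node
  maxReplicas: 10                  # ceiling: bounds cost and what a traffic flood can consume
  metrics:
    - type: Resource
      resource:
        name: cpu
        target:
          type: Utilization
          averageUtilization: 70   # scale out when average CPU use exceeds 70% of requests
```

Apply both documents with `kubectl apply -f` and watch the controller's decisions with `kubectl get hpa -n shop`. The HPA relies on the metrics-server (or another metrics API provider) being installed in the cluster, and it cannot compute utilization for containers that set no CPU request. From a security standpoint, `maxReplicas` is the setting to review: without a sensible ceiling, an attacker who can drive load at the service can also drive your cluster into resource exhaustion or your cloud bill upward.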
By every measure, Kubernetes is dominating the container orchestration market. Our latest State of Kubernetes and Container Security report found that 87 percent of organizations are managing some portion of their container workloads using Kubernetes. The same survey shows that 94 percent of organizations have experienced a serious security issue in the last 12 months in their container environment, with 69 percent having detected misconfigurations, 27 percent experiencing runtime security incidents, and 24 percent discovering significant vulnerabilities to remediate.
In Part 1 of this series on the Open Policy Agent (OPA), we gave a brief rundown of why you might want to use the OPA Gatekeeper controller for policy enforcement in your Kubernetes clusters. We also gave a few examples of OPA’s query language, Rego, and of the Kubernetes Custom Resource Definitions (CRDs) that OPA Gatekeeper uses and creates. This follow-up post dives into practical aspects of writing and implementing OPA policies for Kubernetes clusters, demonstrating a working example that can be used to restrict a pod’s allowed tolerations of node taints.
It’s always a great feeling to learn another customer win story, but it’s especially exciting when you’re a customer in return! That’s the fun I had talking with Greenlight to learn how the company relies on StackRox to protect its Kubernetes applications. Greenlight has a cool mission: teach kids about financial literacy, encouraging them to create a budget and helping them reach savings goals. I grew up with a mother who gave me envelopes with my first allowance, and I had to distribute my four pennies across each one (labeled spend, save, gifts, and charity, in case you were wondering).
In February, we published an article providing a side-by-side comparison of the managed Kubernetes offerings of the three largest cloud providers: Amazon’s Elastic Kubernetes Service (EKS), Azure Kubernetes Service (AKS), and Google Kubernetes Engine (GKE). The Kubernetes ecosystem changes rapidly, as do the feature sets of these managed platforms. This post covers important updates to these services made since our original comparison and our April update.

Kubernetes Version Support Matrix

Version AKS EKS GKE Kubernetes 1.
As the adoption of Kubernetes spreads, users have begun to look for additional options to control and secure their Kubernetes clusters. Cluster administrators tend to focus on restricting what can run in a cluster. While Kubernetes Role-Based Access Control (RBAC) provides a strong permission system, it only decides which subjects may perform which verbs (get, create, update, and so on) on which resource kinds and names; it says nothing about the contents of the objects those subjects create, such as a pod’s security context, image, or tolerations. In this post, we will discuss one option for finer-grained resource controls, the Open Policy Agent (OPA) Gatekeeper project, which can complement Kubernetes RBAC.
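The toleration restriction mentioned in the Part 2 excerpt above, and the kind of configuration-level control this paragraph says RBAC cannot express, look like the following in Gatekeeper. This is an added example, not the policy from the StackRox posts: a ConstraintTemplate whose Rego rejects pods that tolerate any taint key on a denied list, plus a Constraint instance that applies it to pods. The template and package name (`k8sdeniedtolerations`), the parameter name `deniedKeys`, and the taint keys are assumptions.

```yaml
# Added example (not from the original posts): a Gatekeeper ConstraintTemplate and
# Constraint that reject pods tolerating taints on a denied list of keys. The
# template, package and parameter names and the taint keys are assumptions.
apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
  name: k8sdeniedtolerations
spec:
  crd:
    spec:
      names:
        kind: K8sDeniedTolerations
      validation:
        openAPIV3Schema:
          type: object
          properties:
            deniedKeys:
              type: array
              items:
                type: string
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8sdeniedtolerations

        # A toleration whose key appears on the denied list.
        violation[{"msg": msg}] {
          toleration := input.review.object.spec.tolerations[_]
          denied := input.parameters.deniedKeys[_]
          toleration.key == denied
          msg := sprintf("pod tolerates denied taint key %q", [denied])
        }

        # Edge case: an empty key with operator Exists matches every taint,
        # which would silently bypass the list above.
        violation[{"msg": msg}] {
          toleration := input.review.object.spec.tolerations[_]
          toleration.operator == "Exists"
          object.get(toleration, "key", "") == ""
          msg := "pod has a wildcard toleration (empty key, operator Exists)"
        }
---
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDeniedTolerations
metadata:
  name: no-control-plane-tolerations
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    excludedNamespaces: ["kube-system"]   # system components legitimately tolerate these taints
  parameters:
    deniedKeys:
      - node-role.kubernetes.io/control-plane
      - node-role.kubernetes.io/master
```

Matching on `Pod` rather than on Deployments catches every pod the API server admits, including those created by controllers and by anyone with plain `create pods` RBAC rights; that is exactly the gap RBAC alone leaves open. Roll the constraint out with `spec.enforcementAction: dryrun` first so Gatekeeper reports existing violators in its audit results without blocking admissions, then switch to the default `deny` once the cluster is clean.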
StackRox has had Federal intelligence, military, and civilian agencies at the heart of our customer base since our inception. Our extensive work with the Department of Homeland Security, our backing from In-Q-Tel, and our work across multiple U.S. Intelligence Community agencies have shaped our product and brought additional rigor to our development process. We’re excited to extend our support for Federal entities with compliance checks for the container security controls in NIST SP 800-53.
This is part 5 of our 5-part AWS Elastic Kubernetes Service (EKS) security blog series. Don’t forget to check out our previous blog posts in the series:

Part 1 - Guide to Designing EKS Clusters for Better Security
Part 2 - Securing EKS Cluster Add-ons: Dashboard, Fargate, EC2 components, and more
Part 3 - EKS networking best practices
Part 4 - EKS Runtime Security Best Practices

EKS leaves a large portion of the responsibility for applying security updates and upgrading Kubernetes versions, and for detecting and replacing failed nodes, to the user.
Container images constitute the standard application delivery format in cloud-native environments. The wide distribution and deployment of these container images requires a new set of best practices for ensuring their integrity. While performing image scans to check for known vulnerabilities in operating systems and language packages remains a cornerstone of image security, it is only part of a larger set of security initiatives you need to employ to protect your environments.