Securing Kubernetes on GCP
Full lifecycle security across build, deploy, and runtime phases for your Kubernetes workloads on GCP
Security for Kubernetes and Istio on Google Cloud Platform
StackRox provides full life cycle security across build, deploy, and runtime phases for your Google Kubernetes Engine (GKE), Google Compute Engine (GCE), or Anthos environments. Alternatively, use StackRox to enforce security policies for GKE with Cloud Run. Available on the GCP Marketplace, StackRox enables customers to protect their cloud-native infrastructure from vulnerabilities and misconfigurations, gain visibility and compliance for Istio services, adhere to external and internal policies, and detect and stop threats at runtime.
Integration with Google Cloud Security Command Center
Our Cloud SCC integration identifies security risks and real-time threat detection results in Google Kubernetes Engine (GKE) clusters and sends them to Cloud SCC. Cloud SCC then makes those findings available in one place alongside problems with other cloud resources across the customer’s Google Cloud deployments. We make the most important information available right in the familiar Google Cloud Console, and users can easily return to StackRox to dig in deeper on investigation and response.
Protect your containers against vulnerabilities from the time images are built until they’re deployed and running. StackRox can block vulnerable images from being deployed and integrates with your approved registries, including Google Container Registry (GCR), for granular policy enforcement. StackRox also provides extensive support for Google Container Analysis (GCA) and other third-party scanners, including Anchore, Clair, and Tenable, to augment your existing image scanning tools.
StackRox gives me visibility into all my systems. We’re running a bunch of different application stacks, and StackRox shows me what’s going on across them.
StackRox provides comprehensive network security for GKE or Kubernetes on GCP. Leverage our network graph to see your allowed vs. active network traffic across deployments. We integrate with any Container Network Interface to leverage the power of GKE for network policy enforcement. Use StackRox to simulate and apply changes to network segmentation policies, and automatically generate updated YAML files based on behavioral modeling of active traffic to tighten overly permissive Kubernetes network policies.
Continous compliance with CIS benchmarks and beyond
StackRox provides industry-leading compliance capabilities to help ensure adherence to CIS Benchmarks for Docker and Kubernetes as well as NIST, PCI, and HIPAA. Use our policy templates to instantly generate audit reports and effortlessly identify non-compliant clusters, nodes, or namespaces on GKE or GCP.
StackRox leverages its Kubernetes-native architecture to apply rich context for configuration management, spanning containers, images, deployments, and GKE. With StackRox, organizations can identify and remediate misconfigurations such as exposed secrets, excessive privileges, and unnecessary network reachability. Leverage pre-built policy templates or create custom policies to prevent builds or deployments that don’t meet your security, compliance, or DevOps best practices requirements.
Runtime detection and response
StackRox combines behavioral modeling with rules, whitelisting, and baselining to detect and prevent runtime threats on GKE or Kubernetes on Google Compute Engine and Anthos. StackRox identifies threats as they occur across several critical areas, including process execution, network connections and flows, and privilege escalation. Use our out-of-the-box policies and automated policy enforcement or build custom policies that combine industry standards with your own company’s internal policies.
Risk prioritization at scale
Use StackRox to automatically profile and prioritize risks across every GKE deployment. Unlike other security solutions, StackRox goes beyond image scanning to combine CVE details with other risk factors, such as deployment misconfigurations including exposed secrets or insecure network policies, runtime anomalies, and other contextual information to identify the top issues that need immediate remediation.