Overview


Aqua takes a holistic approach to securing your Kubernetes applications and workloads, and the Kubernetes infrastructure they run on.



The remainder of this topic describes each of these features.


Secure the build


Image Assurance


See #1 in the diagram above.


Kubernetes applications are built as container images. The build process is secured by Image Assurance, which is an essential first step toward ensuring that only secure workloads are deployed.


The main goals of Image Assurance are to (1) evaluate your applications for compliance with the security requirements of your organization, and (2) provide you with several options for managing security-related risks. Images are scanned for security issues statically and, optionally, dynamically using Aqua Dynamic Threat Analysis (DTA).


An image's non-compliance can be reported to a CI/CD system, which can decide to block the image from being deployed. Alternatively, admission control based on image compliance (see below) can block non-compliant images from being deployed.


See Image Assurance for complete information.


Secure the infrastructure


It is important to secure Kubernetes infrastructure before deploying containers on it. Securing the infrastructure consists of the following activities, which can be performed continually and independently.


Configuration penetration testing


See #2 in the diagram above.


Aqua can perform automated penetration testing (pen testing) of Kubernetes clusters through their externally exposed Kubernetes APIs. To do so, Aqua Enterprise uses kube-hunter, an Aqua Security open-source tool that hunts for security issues in Kubernetes clusters.


You can review the detailed results of kube-hunter pen testing in the Aqua Enterprise UI, in the Infrastructure area. In the table of Kubernetes clusters and hosts, click on the entry for the cluster of interest, and select the Risk tab.


Configuration hardening


See #2 in the diagram above.


The Center for Internet Security (CIS) maintains several sets of benchmarks to help organizations assess cyber-security threats. These benchmarks are based on an industry consensus of well-defined best practices.


You can configure one or more Host Assurance Policies to scan Kubernetes nodes, and evaluate them according to the Kubernetes CIS benchmark. Aqua Enterprise uses the Aqua Security kube-bench open-source tool to conduct the scanning and evaluation.


Role and subject assessment


See #2 in the diagram above.


Aqua Enterprise can be integrated with the third-party Apolicy application to assess roles and subjects (Kubernetes users and service accounts).


You can review the detailed results of Apolicy evaluation in the Aqua Enterprise UI, in the Infrastructure area. In the table of Kubernetes clusters and hosts, click on the entry for the cluster of interest, and select either the Apolicy Roles or Apolicy Subjects tab.


Kubernetes node assurance


See #3 in the diagram above.


As described in Configuration hardening above, Aqua Host Assurance can be used to scan Kubernetes nodes for compliance with CIS benchmarks.


Host Assurance can also scan Kubernetes nodes for known security issues (vulnerabilities and/or malware) and open source licenses.


Host runtime security


See #3 in the diagram above.


Aqua can monitor and restrict specified runtime activities of your hosts, using:


Secure the workloads


Workload configuration assurance


See #4 in the diagram above.


Kubernetes Assurance is a feature of Aqua Enterprise that can determine the compliance of Kubernetes pods with your organization's security requirements. You can use a wide selection of predefined Kubernetes Assurance Policies, or create your own policies using the Rego scripting language.


See Kubernetes Assurance.
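As an added illustration of a custom policy in Rego (example code, not one of Aqua's predefined Kubernetes Assurance Policies), the following rules flag pods that run privileged containers, share host namespaces, or leave privilege escalation enabled. It assumes the evaluated resource is passed to the policy as `input` in Kubernetes Pod manifest form; the package name and the `deny` rule name are assumptions, and the exact input schema and result convention Aqua expects should be taken from the Kubernetes Assurance documentation.

```rego
package example.podhardening

# Assumption: `input` is the Pod manifest under evaluation.

# Gather regular and init containers so every rule checks both.
containers[c] {
    c := input.spec.containers[_]
}
containers[c] {
    c := input.spec.initContainers[_]
}

# Privileged containers get full access to the node's devices.
deny[msg] {
    input.kind == "Pod"
    c := containers[_]
    c.securityContext.privileged == true
    msg := sprintf("container %q runs privileged", [c.name])
}

# Sharing the host PID namespace exposes other processes on the node.
deny[msg] {
    input.kind == "Pod"
    input.spec.hostPID == true
    msg := "pod shares the host PID namespace"
}

# Sharing the host network namespace bypasses pod network isolation.
deny[msg] {
    input.kind == "Pod"
    input.spec.hostNetwork == true
    msg := "pod shares the host network namespace"
}

# allowPrivilegeEscalation must be set to false explicitly; an unset
# field is treated as non-compliant because the default permits escalation.
deny[msg] {
    input.kind == "Pod"
    c := containers[_]
    not c.securityContext.allowPrivilegeEscalation == false
    msg := sprintf("container %q does not set allowPrivilegeEscalation: false", [c.name])
}
```

A pod with no violations produces an empty `deny` set; each violation contributes one message, so the set can be used both as a pass/fail signal and as the explanation shown to the user.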


Admission control based on image compliance


See #4 in the diagram above.


You can configure Container Runtime Policies with the "Block Non-Compliant Images" control. This uses Kubernetes-native admission control to prevent containers based on non-compliant images from running.


Admission control based on container compliance


See #4 in the diagram above.


You can also configure Container Runtime Policies with the "Block Non-Compliant Workloads" control. This uses Kubernetes-native admission control to prevent containers from running in pods that do not comply with Kubernetes Assurance Policies.


Container runtime security


See #5 in the diagram above.


Once a workload (container) is deployed, Aqua can secure its runtime operation using: