Container and Kubernetes Configuration Management · StackRox Kubernetes Security Platform



Container and Kubernetes Configuration Management

Human error remains a frustratingly persistent cause of the majority of security incidents. According to Gartner, 95% of cloud security failures are rooted in mistakes made by customers. As your application workloads become more decentralized, spanning data centers you own and public cloud providers, and run in containers and Kubernetes using a microservices architecture, the risk of a misconfigured component exposing you to a security incident grows.

Several factors contribute to this increased risk:

• Kubernetes ships with its settings open by default to enable faster development and deployment. Allowing every workload to talk to every other workload is great for building apps, but it’s far from secure. Role-based access control (RBAC) might not be enabled at all, or it could be configured in a way that’s highly risky. Examples include:

› The default GKE cluster control plane and nodes can be accessed from any IP address.

› When you create a new cluster in EKS, an endpoint is created for the managed Kubernetes API server, and by default it is public to the Internet. Access to the API server must be secured using a combination of AWS IAM and native Kubernetes RBAC.

› Overuse of ClusterRoles and ClusterRoleBindings, which grant access across all namespaces rather than scoping it to the namespaces a subject actually needs.

• Containers similarly have many settings (user, capabilities, filesystem, resource limits) that must be configured appropriately to deliver high security.

• Following configuration best practices becomes even more difficult in hybrid environments where you use a public cloud provider’s managed Kubernetes service alongside self-managed Kubernetes deployed in your own on-premises data center. Each environment presents a different set of configuration responsibilities.

In today’s DevOps-driven application development environment, configuration management must be as automated and streamlined as possible to be effective. It should be comprehensive, covering containers, Kubernetes, and all their configurable components, including:

• RBAC

• Secrets

• Network policies

• Privilege levels

• Resource limits and requests

• Read-only root file systems

• Annotations and labels

• Sensitive host mounts and host access

• Image configuration, including provenance

Solution Brief

Configuration management purpose-built for DevOps

The StackRox Kubernetes Security Platform is built from the ground up to protect containerized workloads running in Kubernetes. StackRox offers a fully automated configuration management solution that provides comprehensive visibility into all of your Kubernetes and container assets and how they’re configured. StackRox also provides out-of-the-box policy templates to ensure your environment is configured securely and adheres to industry best practices such as those laid out in the CIS benchmarks.

Kubernetes Role-Based Access Control (RBAC) assessment

StackRox analyzes Kubernetes RBAC to give you granular visibility into all the permissions and privileges given to your users, groups, and service accounts (collectively, subjects). We simplify RBAC assessment by providing a single view of all permissions associated with each subject, regardless of how many Roles or ClusterRoles are bound to it. We use this information to identify overly permissive misconfigurations that pose significant risk.

Alternatively, you can analyze each Role or ClusterRole separately to determine which subjects are bound to it and which permissions it grants, including which actions (verbs) can be taken against which API resources. These checks let you quickly identify misconfigured or unnecessary roles.
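The aggregation described above, as an added example that is not StackRox’s code: it walks a set of Role, ClusterRole, RoleBinding and ClusterRoleBinding objects (constructed inline here, in the dict shape `kubectl get ... -o json` produces), builds one view of each subject’s effective permissions, and flags wildcard grants, privilege-escalation verbs, and sensitive resources exposed cluster-wide or to the built-in `system:authenticated` group. It also honours the rule that a RoleBinding to a ClusterRole confines that role to the binding’s namespace, and lists roles that nothing binds to. The severity labels and the set of sensitive resources are assumptions for this example, not a StackRox policy.

```python
"""Aggregate Kubernetes RBAC into per-subject effective permissions and flag risky grants.
Added example (not StackRox code). Input: Role/ClusterRole/RoleBinding/ClusterRoleBinding
objects as dicts, the shape of `kubectl get roles,clusterroles,rolebindings,clusterrolebindings -A -o json`."""
from collections import defaultdict

ESCALATION_VERBS = {"bind", "escalate", "impersonate"}          # verbs that let a subject grow its own rights
SENSITIVE_RESOURCES = {("", "secrets"), ("", "pods/exec"), ("", "serviceaccounts/token"),
                       ("rbac.authorization.k8s.io", "clusterrolebindings"),
                       ("rbac.authorization.k8s.io", "rolebindings")}  # assumption for this example
BROAD_GROUPS = {"Group:system:authenticated", "Group:system:unauthenticated"}

# Constructed sample objects; all names and namespaces are invented for this example.
RBAC_OBJECTS = [
    {"kind": "ClusterRole", "metadata": {"name": "cluster-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "secret-reader"},
     "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]}]},
    {"kind": "Role", "metadata": {"name": "pod-viewer", "namespace": "shop"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]}]},
    {"kind": "Role", "metadata": {"name": "unused-role", "namespace": "shop"},
     "rules": [{"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["get"]}]},
    # ClusterRoleBinding: cluster-admin everywhere for a CI service account.
    {"kind": "ClusterRoleBinding", "metadata": {"name": "ci-is-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "ci-runner", "namespace": "ci"}]},
    # ClusterRoleBinding to a built-in group: every authenticated identity can read all secrets.
    {"kind": "ClusterRoleBinding", "metadata": {"name": "everyone-reads-secrets"},
     "roleRef": {"kind": "ClusterRole", "name": "secret-reader"},
     "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
    # RoleBinding to a ClusterRole: same rules, but confined to the binding's namespace.
    {"kind": "RoleBinding", "metadata": {"name": "ci-reads-shop-secrets", "namespace": "shop"},
     "roleRef": {"kind": "ClusterRole", "name": "secret-reader"},
     "subjects": [{"kind": "ServiceAccount", "name": "ci-runner", "namespace": "ci"}]},
    {"kind": "RoleBinding", "metadata": {"name": "alice-views-pods", "namespace": "shop"},
     "roleRef": {"kind": "Role", "name": "pod-viewer"},
     "subjects": [{"kind": "User", "name": "alice"}]},
]

def subject_id(subj):
    """Stable key for a binding subject; service accounts are namespaced, users and groups are not."""
    if subj["kind"] == "ServiceAccount":
        return f"ServiceAccount:{subj['namespace']}/{subj['name']}"
    return f"{subj['kind']}:{subj['name']}"

def index_roles(objs):
    """Map (kind, namespace-or-None, name) -> rules for every Role and ClusterRole."""
    return {(o["kind"], o["metadata"].get("namespace"), o["metadata"]["name"]): o.get("rules", [])
            for o in objs if o["kind"] in ("Role", "ClusterRole")}

def effective_permissions(objs):
    """Return ({subject: {(scope, apiGroup, resource): set(verbs)}}, [roles with no binding]).
    scope is '*' for a ClusterRoleBinding and the namespace for a RoleBinding."""
    roles = index_roles(objs)
    perms = defaultdict(lambda: defaultdict(set))
    used = set()
    for o in objs:
        if o["kind"] not in ("RoleBinding", "ClusterRoleBinding"):
            continue
        ns = o["metadata"].get("namespace")
        ref = o["roleRef"]
        key = (ref["kind"], None if ref["kind"] == "ClusterRole" else ns, ref["name"])
        if key not in roles:
            continue                      # dangling roleRef grants nothing
        used.add(key)
        scope = "*" if o["kind"] == "ClusterRoleBinding" else ns
        for subj in o.get("subjects", []):
            for rule in roles[key]:
                for group in rule.get("apiGroups", []):
                    for res in rule.get("resources", []):
                        perms[subject_id(subj)][(scope, group, res)].update(rule["verbs"])
    unused = sorted(f"{k[0]} {k[1] + '/' if k[1] else ''}{k[2]}" for k in roles if k not in used)
    return perms, unused

def assess(perms):
    """Flag overly permissive grants as (subject, severity, detail) tuples."""
    findings = []
    for subj, grants in sorted(perms.items()):
        for (scope, group, res), verbs in sorted(grants.items()):
            where = "cluster-wide" if scope == "*" else f"in namespace {scope}"
            if res == "*" and "*" in verbs:
                findings.append((subj, "HIGH", f"wildcard access to all resources {where}"))
            elif verbs & ESCALATION_VERBS:
                findings.append((subj, "HIGH", f"{sorted(verbs & ESCALATION_VERBS)} on {res} {where}"))
            elif (group, res) in SENSITIVE_RESOURCES and (scope == "*" or subj in BROAD_GROUPS):
                sev = "HIGH" if subj in BROAD_GROUPS else "MEDIUM"
                findings.append((subj, sev, f"{sorted(verbs)} on {res} {where}"))
    return findings

if __name__ == "__main__":
    perms, unused = effective_permissions(RBAC_OBJECTS)
    for subj, sev, detail in assess(perms):
        print(f"[{sev}] {subj}: {detail}")
    print("roles with no binding:", unused)
```

In the sample data the CI service account is flagged for cluster-admin, the `system:authenticated` binding is flagged because it hands every authenticated identity cluster-wide read access to Secrets, and the same `secret-reader` ClusterRole bound through a RoleBinding in `shop` produces no finding, since that grant is confined to one namespace. On a real cluster, replace `RBAC_OBJECTS` with the `items` of the `kubectl get ... -o json` output.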

Kubernetes secrets monitoring

StackRox identifies the secrets used in your environment and how they’re configured, to determine whether they’re distributed too broadly across too many deployments or have expired. With StackRox you can proactively limit unnecessary secrets access and prevent unwanted exposure.


Policy-based configuration assessment

StackRox scans your environment against prebuilt configuration policies and detects policy violations including:

• Images that haven’t been scanned recently (or ever), or that are pulled from untrusted registries

• Network exposure from insecure network communications

• Containers running with risky privileges, lacking resource constraints, or using writable root filesystems

• Secrets mounted as environment variables

• Deployments missing required labels and annotations

• Deployments mounting sensitive host directories

You can readily build new policies, often by cloning existing policy templates and editing them to meet your unique security needs.
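A minimal version of such a policy set, as an added example that is not StackRox code, covering the violations listed above together with the secrets-distribution check from the secrets monitoring section: each policy is a function over a Deployment manifest (the dict form of `kubectl get deploy -A -o json` items), the catalogue is a dict you clone and edit to build your own policy set, and a cross-deployment pass finds Secrets referenced by more deployments than a threshold. The trusted registry, required labels, sensitive host paths and threshold are assumptions for the example; the two manifests are constructed, one deliberately weak and one hardened.

```python
"""Policy-based configuration assessment of Kubernetes Deployments (added example, not StackRox code).
Input: Deployment manifests as dicts, the shape of `kubectl get deploy -A -o json` items."""
import copy
from collections import defaultdict

TRUSTED_REGISTRIES = ("registry.example.internal/",)            # assumption for this example
REQUIRED_LABELS = ("app", "owner")                               # assumption for this example
SENSITIVE_HOST_PATHS = ("/etc", "/proc", "/sys", "/root", "/var/run/docker.sock", "/var/lib/kubelet")
MAX_DEPLOYMENTS_PER_SECRET = 2                                   # tune per environment

def containers(dep):
    """App containers of the pod template (initContainers are omitted for brevity)."""
    return dep["spec"]["template"]["spec"].get("containers", [])

def check_untrusted_registry(dep):
    return [c["image"] for c in containers(dep) if not c["image"].startswith(TRUSTED_REGISTRIES)]

def check_risky_privileges(dep):
    pod_sc = dep["spec"]["template"]["spec"].get("securityContext", {})
    hits = []
    for c in containers(dep):
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            hits.append(f"{c['name']}: privileged")
        if sc.get("allowPrivilegeEscalation", True):             # Kubernetes default is true
            hits.append(f"{c['name']}: allowPrivilegeEscalation not disabled")
        if not (sc.get("runAsNonRoot") or pod_sc.get("runAsNonRoot")):
            hits.append(f"{c['name']}: may run as root")
    return hits

def check_missing_resource_limits(dep):
    return [c["name"] for c in containers(dep) if not c.get("resources", {}).get("limits")]

def check_writable_root_fs(dep):
    return [c["name"] for c in containers(dep) if not c.get("securityContext", {}).get("readOnlyRootFilesystem")]

def check_secrets_in_env(dep):
    hits = []
    for c in containers(dep):
        hits += [f"{c['name']}: env {e['name']} from secret {e['valueFrom']['secretKeyRef']['name']}"
                 for e in c.get("env", []) if "secretKeyRef" in e.get("valueFrom", {})]
        hits += [f"{c['name']}: envFrom secret {ef['secretRef']['name']}"
                 for ef in c.get("envFrom", []) if "secretRef" in ef]
    return hits

def check_missing_labels(dep):
    return [l for l in REQUIRED_LABELS if l not in dep["metadata"].get("labels", {})]

def check_sensitive_host_mounts(dep):
    hits = []
    for v in dep["spec"]["template"]["spec"].get("volumes", []):
        path = v.get("hostPath", {}).get("path")
        if path and (path == "/" or any(path == p or path.startswith(p + "/") for p in SENSITIVE_HOST_PATHS)):
            hits.append(f"volume {v['name']}: hostPath {path}")
    return hits

# Policy catalogue: copy this dict and add, swap or drop entries to build a custom policy set.
POLICIES = {
    "untrusted-registry": check_untrusted_registry,
    "risky-privileges": check_risky_privileges,
    "missing-resource-limits": check_missing_resource_limits,
    "writable-root-filesystem": check_writable_root_fs,
    "secrets-in-env": check_secrets_in_env,
    "missing-required-labels": check_missing_labels,
    "sensitive-host-mount": check_sensitive_host_mounts,
}

def assess_deployment(dep, policies=POLICIES):
    """Return {policy name: evidence} for every policy the deployment violates."""
    return {name: hits for name, check in policies.items() if (hits := check(dep))}

def secret_references(dep):
    """Secret names a deployment consumes via env, envFrom or secret volumes."""
    names = set()
    for c in containers(dep):
        names |= {e["valueFrom"]["secretKeyRef"]["name"] for e in c.get("env", []) if "secretKeyRef" in e.get("valueFrom", {})}
        names |= {ef["secretRef"]["name"] for ef in c.get("envFrom", []) if "secretRef" in ef}
    names |= {v["secret"]["secretName"] for v in dep["spec"]["template"]["spec"].get("volumes", []) if "secret" in v}
    return names

def overshared_secrets(deps, limit=MAX_DEPLOYMENTS_PER_SECRET):
    """Secrets (namespace/name) referenced by more than `limit` deployments."""
    users = defaultdict(set)
    for d in deps:
        for s in secret_references(d):
            users[f"{d['metadata']['namespace']}/{s}"].add(d["metadata"]["name"])
    return {s: sorted(u) for s, u in users.items() if len(u) > limit}

# Constructed sample manifests: one weak, one hardened, plus copies that share the same Secret.
WEAK = {"metadata": {"name": "checkout-legacy", "namespace": "shop", "labels": {"app": "checkout"}},
        "spec": {"template": {"spec": {
            "volumes": [{"name": "dockersock", "hostPath": {"path": "/var/run/docker.sock"}}],
            "containers": [{"name": "web", "image": "docker.io/library/nginx:latest",
                            "securityContext": {"privileged": True},
                            "env": [{"name": "DB_PASS", "valueFrom": {"secretKeyRef": {"name": "db-creds", "key": "password"}}}]}]}}}}
HARDENED = {"metadata": {"name": "checkout", "namespace": "shop", "labels": {"app": "checkout", "owner": "payments"}},
            "spec": {"template": {"spec": {
                "securityContext": {"runAsNonRoot": True},
                "volumes": [{"name": "db-creds", "secret": {"secretName": "db-creds"}}],
                "containers": [{"name": "web", "image": "registry.example.internal/shop/checkout:1.4.2",
                                "securityContext": {"allowPrivilegeEscalation": False, "readOnlyRootFilesystem": True,
                                                    "capabilities": {"drop": ["ALL"]}},
                                "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}},
                                "volumeMounts": [{"name": "db-creds", "mountPath": "/var/run/secrets/db", "readOnly": True}]}]}}}}

def clone(dep, name):
    d = copy.deepcopy(dep)
    d["metadata"]["name"] = name
    return d

ALL_DEPLOYMENTS = [WEAK, HARDENED, clone(HARDENED, "reports"), clone(HARDENED, "billing")]

if __name__ == "__main__":
    for dep in ALL_DEPLOYMENTS:
        print(dep["metadata"]["name"], assess_deployment(dep))
    print("overshared secrets:", overshared_secrets(ALL_DEPLOYMENTS))
```

The weak manifest trips every policy; the hardened one trips none, and the difference between them is the set of fields a deploy-time gate would insist on. The secret `shop/db-creds` is still reported, because four deployments consume it even though the hardened ones mount it as a read-only volume rather than an environment variable: broad distribution is a separate problem from how a secret is mounted.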

Automated policy enforcement

StackRox integrates with your CI/CD pipeline to provide build-time enforcement, so misconfigurations are caught as early as possible. You can augment these controls with deploy-time enforcement, such as dynamic admission control that rejects non-compliant workloads before they are scheduled.


Request a demo today!

[email protected] · +1 (650) 489-6769 · www.stackrox.com

StackRox helps enterprises secure their containers and Kubernetes environments at scale. The StackRox Kubernetes Security Platform enables security and DevOps teams to enforce their compliance and security policies across the entire container life cycle, from build to deploy to runtime. StackRox integrates with existing DevOps and security tools, enabling teams to quickly operationalize container and Kubernetes security. StackRox customers span cloud-native start-ups, Global 2000 enterprises, and government agencies.

LET’S GET STARTED

©2020 StackRox, Inc. All rights reserved.

More than configuration management

The StackRox Kubernetes Security Platform provides full life cycle security for containers and Kubernetes. StackRox addresses critical security use cases that go beyond configuration management, including:

• Visibility - provides comprehensive visibility into images, registries, containers, deployments, and runtime behavior

• Vulnerability management - goes beyond CVE scoring and image scanning to enforce full life cycle vulnerability management, from build and deploy to runtime

• Compliance - helps ensure adherence to CIS benchmarks for Kubernetes and Docker as well as NIST, PCI, and HIPAA

• Network segmentation - leverages native controls in Kubernetes to isolate assets, block deployments, or kill pods

• Risk profiling - provides a stack-ranked list of all deployments with risk factors that identifies the riskiest deployments in need of immediate remediation

• Runtime threat detection - employs rules, whitelists, and baselining to accurately detect and prevent suspicious or malicious activity

• Incident response - enables policy enforcement and incident response in real time, from alerting to killing pods to thwarting attacks during runtime

Ready to see StackRox in action? Get a personalized demo tailored for your business, environment, and needs.