Implementing Aqua Security to Secure Kubernetes

Despite the maturity of the platform, security is still a big challenge for Kubernetes users. While Kubernetes offers maximum flexibility, modularity, and ease of use in other areas, the complex nature of Kubernetes-based environments means securing the cloud environment completely is a complex task to complete.

There are a lot of tools and services that focus on improving security for Kubernetes. Aqua Security, however, is the most comprehensive one on the market. (If you haven’t heard of Aqua Security yet, read my previous blog article here.) Using tried and tested technology, Aqua Security is capable of securing the entire Kubernetes environment with a holistic approach. It is an all-in-one Kubernetes security tool.

How Aqua Security Works

Aqua Security sees Kubernetes security from a holistic point of view. It integrates three primary components into its set of tools, allowing Kubernetes users to basically ensure maximum security at every turn.

The first component is Aqua Security’s threat assessment tool known as kube-bench — a CIS compliance tool, which performs in-depth analysis of your Kubernetes environment. The tool integrates more than 100 tests and security metrics, so you get a clear picture of how well the environment is secured at the end of the process.

On the other side of the threat assessment equation lies kube-hunter, another open-source tool that handles penetration tests and looks for known attacks. Similar to kube-bench, kube-hunter relies on known attack vectors and information on your environment’s attack surface. The result of the tests are known vulnerabilities that you can patch right away.

The second component is an image deployment control. This is a straightforward component; it basically scans the images you deploy to the Kubernetes clusters to make sure that no malicious code or malware has been injected into the environment. Only approved images are allowed to be deployed, and control over the approval process is tightly managed. You can optimize both static and dynamic Docker image analysis with the microscanner. 

The third and last component is application-level protection, meaning this is the part that handles the security of running nodes and processes inside your Kubernetes clusters. The component is advanced enough to perform complex security tasks, such as access level profiling, intrusion and anomaly detection, and more.

These components get implemented as a full lifecycle security solution, which makes the solution from Aqua Security even more interesting.

Implementing Aqua Security

One of the biggest advantages of using Aqua Security is simplicity in implementation. Instead of making security a complex component, Aqua Security utilizes tools that can run inside your Kubernetes clusters, GUI for easy management, and seamless integration with existing services, like AWS EKS. It is capable of performing automating environment node discovery and mapping too, which means the initial setup is incredibly easy.

Aqua also provides an operator, which is the Kubernetes way of handling custom domain knowledge, AKA, the easy way to install and manage complex apps.

Implementation begins with acquiring Aqua username and password, along with the Aqua CSP license token. You can easily create a CSP registry secret and then clone the aqua-helm from github. As an alternative, you can also install the Aqua container image although this isn’t a suitable approach for permanent, long-term use.

Aqua needs a server, a database, and a gateway to operate, so these are the next things to prepare. You can configure localhost access to Aqua and define a port forwarding if needed. Once the process is completed, you have access to Aqua CSP for further management of Kubernetes security. One last step to take before you can fully move to Aqua Security’s GUI is installing the Aqua enforcer.

Aqua Server becomes the main management console for your Kubernetes security. Remember that you can have multiple Aqua servers handling specific clusters, so integrating Aqua with CI/CD tools or other workflows is certainly easy. Once you open the console, the first thing you want to do is perform a complete risk assessment.

This process begins with the automatic discovery of all running workloads. Go to Risk Explorer and let Aqua do its job. You will see a visual map of your cluster—including the different namespaces and the controllers you have running within the environment—on the screen. The risk level and recommendations for each image are also displayed.

Switching the risk assessment from one-time to ongoing integrates Aqua Security into your CI/CD pipeline. All images will be scanned and reviewed before they can be deployed. Aqua Security will also scan OS packages, including Ruby, Python, and other language packages. Even CI tools like Jenkins are fully supported.

Images give you a real-time view of your containers, while Services focus more on groups of containers that handle specific tasks or functions. You can have multiple containers performing a similar function (basically a service) can be configured as one. Security becomes easier to manage when it is defined on a service level.

Run-time enforcement settings let you fine-tune how you want to monitor and manage images. You can, for instance, define how images are moved from staging to production. Flags and warnings are issued when parameters are not met. Plus, you can still rely on your orchestration tools without lowering your security level.

Role-based access control or RBAC adds a layer of security to the cluster. Aqua Security automates the process of identifying the least privilege required for images and services to run. Privileges that are not needed — especially those that can potentially be exploited — are automatically removed. Granular user and service access management is also available.

An invaluable feature of Aqua Security is its real-time workload visibility. Constant and continuous monitoring allows the security tool to maintain complete visibility of your Kubernetes containers. Runtime controls, anomaly detection, and workload identification are performed automatically without disrupting processes.

Anomaly detection includes intrusion detection and workload anomaly detection. Combined with strict RBAC and the built-in firewall offered by Aqua Security, you can secure your Kubernetes clusters against most — well, a vast majority — of attacks without going through the usually-complex process of setting up each security measure manually.

A Growing Tool

One of Aqua Security’s most redeeming features is that it is constantly being revised and improved to keep it up to date. The database of attack vectors, for example, is regularly adapted to meet market challenges. The same is true with other features and tools integrated into the Aqua Security suite.

If you are looking for a way to secure Kubernetes clusters in an easy way, Aqua Security is a solution to try. It is easy to implement and simple to maintain in the long run.