Kubernetes Security Posture Management

Detect and respond to Kubernetes configuration drift in real-time with Guardrails.

Turbot Team
6 min. read - May 14, 2024
When managing cloud configurations, Cloud Security Posture Management (CSPM) has become a well-known approach for identifying and remediating security and compliance issues in cloud environments. As more organizations adopt Kubernetes for their containerized workloads, a similar need arises for managing the security posture of Kubernetes clusters. Enter Kubernetes Security Posture Management (KSPM), a critical component of a Cloud-Native Application Protection Platform (CNAPP) strategy. KSPM solutions continuously monitor Kubernetes clusters, enforce security best practices, and detect policy violations. By automating the discovery and remediation of misconfigurations and compliance issues, KSPM helps organizations maintain a strong security posture across their Kubernetes deployments.

Turbot Guardrails now expands its CSPM and CNAPP solutions for AWS, Azure, GCP, and ServiceNow, with KSPM guardrails for Kubernetes.

Kubernetes Security Posture Management with Turbot Guardrails

Turbot Guardrails evaluates your Kubernetes resources as run-time changes occur, instantly assesses them for compliance, and provides a view of your security posture that's always current.

Key Features of Turbot Guardrails' KSPM:

  • Real-Time Configuration Discovery: Guardrails seamlessly integrates with your Kubernetes clusters, automatically discovering all configurations in real-time. This provides a comprehensive inventory of your Kubernetes assets, enabling you to track, search, and visualize changes across your clusters and subservices such as ConfigMaps, Deployments, Namespaces, Nodes, Pods, ReplicaSets, etc.
  • Continuous Policy Evaluation: With Guardrails' powerful policy engine, your Kubernetes configurations are continuously evaluated against predefined security, compliance, and operational best practice policies. Any deviations or policy violations are instantly detected. Now you have real-time visibility into your Kubernetes security and operations posture.
  • Instant Alerts and Notifications: When a policy violation or security issue is identified, Guardrails generates instant alerts and notifications. These can be sent to the Guardrails console, email, Slack, MS Teams, or any API endpoint, ensuring that your team is immediately informed and can take swift action to remediate the issue.
  • Comprehensive CSPM + KSPM coverage: Guardrails integrates with any Kubernetes cluster, regardless of where it's hosted. In addition, Guardrails provides extensive security and operational controls for AWS, Azure, GCP, and ServiceNow, so you can centralize your security posture management efforts across your entire cloud infrastructure + Kubernetes clusters.

How to enable KSPM Guardrails

Install the Kubernetes mod

To get started, install the @turbot/kubernetes mod.

Connect your first Kubernetes cluster

Guardrails can connect with your Kubernetes cluster regardless of where it's hosted: in a cloud service provider (e.g. AWS, Azure, GCP), on-premise, or local to your device.

Once the mod is installed, your Account Import page will have an option to connect your Kubernetes clusters to Turbot Guardrails. The connect screen generates a script, which you can use as-is or as the basis for your own, to set up the Guardrails Kubernetes agent in your Kubernetes cluster using kubectl and Helm. The enrollment secret can also be generated via the API, and it rotates automatically based on your defined enrollment secret expiration policies.

Connect a Kubernetes cluster to Guardrails

Guardrails will immediately discover the Kubernetes cluster and its related subservices such as ConfigMaps, Deployments, Namespaces, Nodes, Pods, ReplicaSets, etc. This will instantly update the Guardrails Configuration Management Database (CMDB) with the current configurations in run-time.

Kubernetes cluster configurations in Guardrails CMDB

Assess your security and ops posture

Guardrails will detect and alert on security misconfigurations in your Kubernetes resources. What's more, it can check for operational best practices like correctly-provisioned and properly-labeled resources.

Security posture

A critical aspect of Kubernetes security posture management is detecting security misconfigurations. One common misconfiguration is running containers with privileged mode enabled. Privileged mode is a security context setting in Kubernetes that grants a container extensive permissions on the host system, essentially bypassing most security restrictions. This is a significant security risk because it increases the attack surface, weakens container isolation, and allows containers to perform privileged operations on the host.

Once the cluster was connected to Guardrails, Guardrails instantly checked whether the nginx-deployment resource was configured with securityContext.privileged: true.

Kubernetes deployment with privileged access alert
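
To make the privileged-mode check concrete, the sketch below runs the same kind of test over a manifest as returned by `kubectl get deployment -o json`. It is an added example, not Guardrails' own code or policy format, and it goes beyond the single Deployment in the text by also covering init and ephemeral containers and other workload kinds. The function names and the sample manifest (including container names and images) are constructed for illustration.

```python
import json

# Constructed sample: trimmed `kubectl get deployment nginx-deployment -o json` output.
SAMPLE_DEPLOYMENT = json.loads("""
{
  "kind": "Deployment",
  "metadata": {"name": "nginx-deployment", "namespace": "default"},
  "spec": {"replicas": 3, "template": {"spec": {
    "initContainers": [{"name": "init-sysctl", "image": "busybox",
                        "securityContext": {"privileged": true}}],
    "containers": [
      {"name": "nginx", "image": "nginx:1.25",
       "securityContext": {"privileged": true}},
      {"name": "sidecar", "image": "busybox",
       "securityContext": {"allowPrivilegeEscalation": false}},
      {"name": "metrics", "image": "busybox"}
    ]}}}
}
""")

def pod_spec(resource):
    """Return the pod spec of a Pod, a workload controller, or a CronJob."""
    kind = resource.get("kind")
    spec = resource.get("spec", {})
    if kind == "Pod":
        return spec
    if kind == "CronJob":
        spec = spec.get("jobTemplate", {}).get("spec", {})
    # Deployment, ReplicaSet, StatefulSet, DaemonSet and Job nest it here.
    return spec.get("template", {}).get("spec", {})

def privileged_containers(resource):
    """List (container_field, name) for every container with privileged: true."""
    findings = []
    spec = pod_spec(resource)
    # privileged is a container-level setting, so every container list is checked.
    for field in ("initContainers", "containers", "ephemeralContainers"):
        for container in spec.get(field) or []:
            if (container.get("securityContext") or {}).get("privileged") is True:
                findings.append((field, container.get("name")))
    return findings

if __name__ == "__main__":
    name = SAMPLE_DEPLOYMENT["metadata"]["name"]
    for field, container in privileged_containers(SAMPLE_DEPLOYMENT):
        print(f"ALERT {name}: {field}/{container} runs privileged")
```
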

Operational best practices

Guardrails continuously monitors any Kubernetes configuration drift, including ReplicaSets. Guardrails' policies to assess Approved configurations can be customized for any use case. For example, let's say you have a policy requiring ReplicaSets to be configured with 2 - 20 replicas. Using the Kubernetes > ReplicaSet > Approved > Custom policy we can configure a template of custom thresholds and alert messages.

Kubernetes ReplicaSet Approved Policy

When the number of replicas drops from 3 to 1, Guardrails will detect this drift immediately and capture the diff history in the CMDB.

Kubernetes ReplicaSet Configuration Drift

As the CMDB is updated, Guardrails identifies that the replicas are below the minimum size requirements:

Kubernetes ReplicaSet Configuration Alert
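
The drift-then-evaluate sequence described above can be sketched as follows: diff two snapshots of a ReplicaSet, then apply the 2 - 20 replica rule to the new state. This is an added example, not Guardrails' policy template or CMDB code; the snapshots, function names, and state labels are constructed for illustration.

```python
MIN_REPLICAS, MAX_REPLICAS = 2, 20  # approved range from the policy example above

# Constructed snapshots of one ReplicaSet before and after a change.
BEFORE = {"kind": "ReplicaSet",
          "metadata": {"name": "nginx-rs", "generation": 1},
          "spec": {"replicas": 3}}
AFTER = {"kind": "ReplicaSet",
         "metadata": {"name": "nginx-rs", "generation": 2},
         "spec": {"replicas": 1}}

def flatten(obj, prefix=""):
    """Flatten nested dicts/lists into {dotted.path: leaf_value}."""
    if isinstance(obj, dict):
        items = obj.items()
    elif isinstance(obj, list):
        items = enumerate(obj)
    else:
        return {prefix: obj}
    out = {}
    for key, value in items:
        out.update(flatten(value, f"{prefix}.{key}" if prefix else str(key)))
    return out

def diff(old, new):
    """Return {path: (old_value, new_value)} for every leaf that changed."""
    a, b = flatten(old), flatten(new)
    return {path: (a.get(path), b.get(path))
            for path in sorted(a.keys() | b.keys())
            if a.get(path) != b.get(path)}

def approved(replicaset):
    """Apply the replica-count rule; return (state, reason)."""
    # Kubernetes defaults spec.replicas to 1 when it is omitted.
    replicas = replicaset.get("spec", {}).get("replicas", 1)
    if replicas < MIN_REPLICAS:
        return "not approved", f"{replicas} replicas is below the minimum of {MIN_REPLICAS}"
    if replicas > MAX_REPLICAS:
        return "not approved", f"{replicas} replicas is above the maximum of {MAX_REPLICAS}"
    return "approved", f"{replicas} replicas is within {MIN_REPLICAS}-{MAX_REPLICAS}"

if __name__ == "__main__":
    for path, (old, new) in diff(BEFORE, AFTER).items():
        print(f"drift {path}: {old} -> {new}")
    print(*approved(AFTER), sep=": ")
```
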

Instant Guardrails alerts

In addition to alerts in the Turbot Guardrails console, you and your team members can subscribe to alerts via email, MS Teams, or Slack.

The alerts shown above also went to Slack, so the team can know immediately and react.

Kubernetes Configuration Alerts in Slack

Elevate your Kubernetes security posture with Turbot Guardrails

Kubernetes Security Posture Management (KSPM) is an essential aspect of a robust CNAPP strategy, helping organizations proactively identify and mitigate security risks in their Kubernetes clusters.

With Turbot Guardrails' KSPM capabilities, you can automate the discovery, evaluation, and remediation of security and compliance issues. Real-time configuration drift detection, continuous policy evaluation, real-time syncing to ServiceNow, and instant alerts provide the visibility and control needed to maintain a strong security and operational best practices posture.

Get started with a 14-day free trial of Turbot Guardrails to experience KSPM Guardrails for your Kubernetes deployments.