Tim Smith October 26, 2022 4 min read

You Asked, We Delivered! Full-Stack Kubernetes Security

Mondoo's new full-stack Kubernetes security answers with unrivaled detail and clarity: Can your Kubernetes infrastructure withstand attack? 

Our long list of added capabilities includes:

  • Expanded CI/CD platform support
  • GitHub Actions integration
  • Container image vulnerability scanning
  • Kubernetes asset relationship exploration
  • New policies based on Kubernetes benchmarks from the Center for Internet Security (CIS) and United States National Security Agency (NSA)
  • … and many more!

Complexity and constant change make Kubernetes infrastructure increasingly difficult to secure. By revealing the relationships between overlapping technology layers and exposing risks through the entire development cycle and in production, Mondoo eases your Kubernetes security pains.

We listened to the Kubernetes community

Back in May, the Mondoo team traveled to KubeCon EU in Valencia, Spain, armed with an initial Kubernetes security offering and a dream of making it easy to secure Kubernetes environments. As adopters of Kubernetes ourselves, we already had ideas for new capabilities to add. But when it comes to building products, it's far more important to listen than it is to talk. We couldn’t wait to meet the EU Kubernetes community and hear about their experiences and challenges. 

As Red Hat recently reported, nearly 93% of organizations adopting Kubernetes have experienced a security incident in the past 12 months; the KubeCon attendees were eager to share their struggles. We learned that they faced day-to-day hurdles that made securing clusters difficult with their existing tooling. 

Most attendees ran their Kubernetes clusters in cloud environments like AWS, Azure, or GCP. They faced the difficulty of tool sprawl: Assessing their Kubernetes security posture required one toolset, while identifying risks in the cloud infrastructure that Kubernetes runs on required another. Because their tooling didn't combine these infrastructure needs into a complete security solution, internal adoption was low.

KubeCon attendees also struggled with traditional Kubernetes security tooling's heavy focus on container images in container registries only. Users wanted to see the security stance of container images actively running in their clusters, as opposed to the security of legacy apps that hadn’t run for months. 

Operations and security engineers had difficulty collaborating with their application engineer peers to improve security. Operations and security teams were responsible for the security of clusters, but they lacked the power to enact change. Securing workloads required collaboration and buy-in from development teams, but those teams weren’t aware of security standards or scan results.

Addressing the new challenges in Kubernetes security

Today, we’re introducing a number of significant enhancements to Mondoo’s full-stack Kubernetes security offering that allow you to continuously secure your complete Kubernetes infrastructure from development all the way to production:

  • Scan Kubernetes manifests and Docker images in development.
  • Test Kubernetes security in popular CI systems, including a new CI/CD UI experience.
  • Check the security of all deployments entering your cluster using the Mondoo admission controller.
  • Continuously scan your cluster with Mondoo's Kubernetes operator for up-to-date visibility into the security of your infrastructure and applications.
  • Browse your cluster with our new asset relationship UI to understand the effects of interdependent resources.
  • Discover all running container images in your cluster.
  • Ensure the security of container images as new CVEs are discovered daily in applications and operating systems.
  • Automatically discover and scan AWS resources to secure the infrastructure your cluster runs on.
  • Apply industry best practices for security and compliance with new CIS EKS/AKS/GKE Benchmarks, a new NSA Kubernetes Hardening Guide Version 1.2 policy, and expanded policies from Mondoo.

Securing infrastructure before production

One of the top concerns we heard from operations professionals was the inability to evaluate the security of changes before they reach production environments. Operations teams told us that they struggled with the lightning pace of development and deployment and could no longer security-test changes before they went into production clusters. 

To save these teams from the avalanche of new changes, we’ve expanded Mondoo's ability to integrate into CI pipelines. Mondoo flags insecure workflows early in the development cycle:

  • The new Mondoo GitHub Action verifies Kubernetes manifests, Docker images, Terraform plans, and Terraform state files in the pipeline.
  • Our verified HashiCorp plugin secures base images for K8s nodes with Packer and Mondoo.
  • We extended support for Kubernetes manifests, including discovering all nested resources.
  • We enhanced supply-chain security for GitHub by adding scanning of GitHub organizations and repositories.
  • An all-new CI/CD view shows build-time changes in our console. 

In addition to these new features, we also deliver unique security policies to get you started quickly:

  • Terraform HCL Security Static Analysis for AWS by Mondoo 
  • Terraform HCL Security Static Analysis for Google Cloud by Mondoo
  • CIS Software Supply Chain Security Guide for GitHub for Terraform Plan
  • CIS Google Cloud Platform Foundation Benchmark

Secure your business-critical infrastructure before it reaches production. Sign up for a free Mondoo account.

From build time to continuous validation

Many Kubernetes users have asked us how we make continuous assessment of the cluster state so easy. Our CLI supports scanning Kubernetes remotely and our operator makes it a snap to transition from a single scan to continuous scanning. Here's how:

  • Our continuous scanning relies entirely on Kubernetes-native methods.
  • We provide a full cluster view and can scan container images that require pull secrets.
  • The operator is self-updating, which minimizes operational overhead.
  • The operator fully integrates with the Mondoo Console for up-to-the-minute reporting.

Find anything. Secure everything.

We listened to Kubernetes users and delivered a solution that addresses their unique challenges: Mondoo's new full-stack Kubernetes security provides visibility, ease, and integration that no other security solution can offer.

Try it for yourself! Sign up for a free account.

Tim Smith

Product Manager, Software Developer, Operations Engineer and passionate open source advocate with over a decade of direct involvement in open source projects and communities.