Skip to content
Untitled design-Aug-30-2022-06-45-18-73-PM
Tim SmithAugust 31, 20225 min read

Full-Stack Kubernetes Security: Mondoo Operator for Kubernetes 1.0

mondoo kubernetes featured image

Protecting your Kubernetes infrastructure from attackers requires deep integration and a multilayered security solution. With our 1.0 release of Mondoo Operator for Kubernetes, Mondoo can provide continuous security for your entire Kubernetes environment.


With the 1.0 release of our open source operator, Mondoo hit a momentous milestone in our journey to deliver the most complete full-stack Kubernetes security solution available. We started our open source Mondoo Operator for Kubernetes project in January of this year.

Our aim was to give our Kubernetes customers an immediate, easy, and continuous evaluation of their cloud security posture. We knew that the only way to achieve that continuity and depth of integration was by building a native operator to integrate the Mondoo platform with Kubernetes infrastructure.

The Mondoo Operator can now continuously scan Kubernetes cluster configurations, cluster nodes, workloads, containers, and so much more.

Find vulnerabilities in your cloud account now with a free Mondoo account!

Why full-stack security is crucial to your organization

Today’s hackers are sophisticated, and so is their technology. If there’s a way to breach your system, they’ll find it. They need only one misconfiguration or vulnerability in your environment to gain the access they need to hijack your data or infrastructure or to ransom your entire operations.

Think of cloud security as a chain and each component in your infrastructure as a link. You might secure 99 out of 100 links in that chain with steel construction with the finest welding. But if just one link isn’t fortified, then the chain isn’t going to protect you.  

Mondoo CISO Patrick Münch demonstrates this truth in a short video on hacking Kubernetes.

Patrick exploits a vulnerable web application and, because of an unpatched vulnerability, gains root privileges. In a simple kill chain, one misconfiguration within the Kubernetes cluster allows him to perform a container escape and compromise the entire cluster. 

In the system Patrick hacked, there might have been strong cloud security management and asset management in place, but neither would have prevented him from penetrating the infrastructure. To be safe from an attacker like Patrick, every aspect must be secure.

Full-stack Kubernetes security with Mondoo

At Mondoo, we take a full-stack approach to securing applications deployed to Kubernetes clusters. Because security always comes down to the weakest link in the system, it's critical to secure not just our clusters or workloads but all the layers that make up the application infrastructure. Only with this layered approach to security can you ensure that application infrastructure is truly secure.

kubernetes stack

See how Mondoo provides full-stack cloud security. Request a demo.

Securing cloud infrastructure

At the base of application infrastructure is the cloud hosting our application. Mondoo’s robust cloud security integrations allow you to scan public clouds such as AWS, Azure, and Google as well as private clouds running on VMware. 

For example, with our AWS Integration, in minutes, you can set up continuous scanning across multiple accounts for your entire organization. Mondoo automatically scans cloud assets, including instances, without the need to deploy agents to any systems.

Cloud-specific policies such as the Center for Internet Security’s (CIS) AWS/Azure/Google Cloud Foundation benchmark or the Amazon Web Services Operational Best Practices policies help you lock down common cloud misconfigurations that let attackers in.

Securing cluster nodes

The core of every Kubernetes cluster is the server nodes running Kubernetes. Security teams often overlook these nodes. Misconfigurations or unpatched CVEs in the server nodes can result in a compromised cluster. A newsworthy example of this is the incident in which an unpatched Kubernetes cluster allowed attackers to compromise Tesla’s S3 buckets.

The Mondoo Operator for Kubernetes automatically discovers and scans new cluster nodes without the need to deploy an agent to the nodes. Linux Security policy by Mondoo and CIS benchmarks keep the base operating system secure and compliant for all major distributions, including Amazon Linux, Red Hat, Ubuntu, and SUSE.

Additionally, Kubernetes-cluster-specific policies from the Center for Internet Security (CIS), such as ensuring all etcd communication is encrypted or only binding services to the local host, lock down the cluster itself.

mondoo kubernetes policy view

Securing cluster configuration

With our cluster nodes secure, it’s time to move up the stack to the cluster configuration itself. The Mondoo Operator for Kubernetes continuously scans the cluster configuration, applying cluster security policies written by Mondoo and by CIS. These policies help you to secure the cluster against incorrectly configured or malicious workloads and deployments.

kubernetes cluster score

With our cluster configuration secured, let’s focus on the application deployments running on the cluster. The Mondoo Operator for Kubernetes assesses every new workload as it’s deployed.

In addition, it continuously scans Kubernetes workloads running in the cluster. So you can ensure that applications going out are secure, and also make sure they stay secure as threats evolve over time. Apply Mondoo’s security and operational best practices policies to safeguard these workloads and catch common operational mistakes.

mondoo policy score

Securing application containers

Securing the application itself doesn’t stop with just workload security. The security of the running application container is just as important. 

At their core, these container images are Linux operating system deploys, vulnerable to all the same hacks as any other Linux machine. We need to treat their security just like we would that of full server deployments. With Mondoo, you can apply base Linux OS security policies and CIS Linux distribution policies to the running container images in your cluster. These policies help you keep these application container images secure and compliant. 

Continuous scanning of running images exposes CVEs in each container. This is a critical step in securing your infrastructure, as secure applications images can be full of CVEs just days after their initial deployment.

docker platform vulnerabilities

Find vulnerabilities in your cloud account now with a free Mondoo account!

About version 1.0

Since starting the Mondoo Operator for Kubernetes project, the Mondoo team has been busy extending the functionality, ensuring stability, and squeezing every ounce of performance out of the codebase. Most notably, we added security assessment for container images, Pods, StatefulSets, DaemonSets, Jobs, CronJobs, and Deployments.

In July, after merging exactly 300 pull requests, we shipped the 1.0 release. We're incredibly excited to have reached this milestone and share our plans for this important component in securing your Kubernetes clusters.

What does 1.0 mean for me?

The 1.0 release is an important milestone in any software project. It means we're confident in the functionality and stability of the project for production use in organizations of all sizes. Additionally, since Mondoo follows Semantic Versioning, we won't intentionally break any configuration interfaces in subsequent 1.x releases. Configuration stability between minor releases makes upgrades easier without requiring stepped upgrades or configuration changes.

See for yourself

Mondoo Operator for Kubernetes is an open source software project. We invite you to explore the project and take it for a test drive. 

Mondoo is a full-stack security platform for your entire cloud and on-site infrastructure.

See how Mondoo provides full-stack cloud security. Request a demo.

avatar

Tim Smith

Tim Smith is a Product Manager at Mondoo. He’s been working in web operations and software development roles since 2007, port scanning class As since 1994, and downloaded his first Linux distro on a 14.4 modem. He most recently held positions at Limelight Networks, Cozy Co, and Chef Software.

RELATED ARTICLES

view raw