Sometimes when you're running Kubernetes workloads in AWS using EKS, it feels like Amazon is doing your job for you. EKS abstracts away much of the complexity in day-to-day Kubernetes infrastructure management.
Tasks like configuring, tuning, and even securing the Kubernetes control plane become an Amazon problem and not a you problem. Unfortunately, when it comes to security, you're not off the hook. While Amazon's team of security experts is managing your control plane, the rest of your cluster security is still your responsibility.
Just as you wouldn't consider your cloud infrastructure safe simply because you've secured an ALB, a Kubernetes cluster isn't safe just because its control plane is. Securing etcd and the other control plane components does not guarantee safety; security always comes down to the weakest link in the system. It is therefore critical to safeguard the control plane, the cluster nodes, the workloads, and even the running containers.
At Mondoo we've built a layered approach to Kubernetes protection that we call full-stack Kubernetes security. We monitor the cluster configuration, the operating systems of the cluster nodes, the individual workloads, and the containers running in the cluster.
Only with this layered approach can you ensure that your application infrastructure is truly secure.
Mondoo provides full-stack Kubernetes security for your EKS clusters using our Mondoo Kubernetes Operator. The operator runs in the background on your EKS cluster to scan cluster nodes, cluster configuration, individual workloads, and running containers. This insight provides a layered security approach to help secure your EKS cluster. It also helps to secure the workloads that your application teams are deploying to the cluster.
The operator also includes an optional Kubernetes admission controller that scans every new or updated workload as it enters the cluster. The admission controller gives you visibility into the security of newly deployed workloads, in addition to the state of the workloads already running in the cluster.
To start scanning your cluster, visit https://console.mondoo.com and create a free account. You can log in using your Google, Microsoft, or GitHub account. Once you’re logged in, our trusty mascot, Ada, will help you start scanning your infrastructure.
Select BROWSE INTEGRATIONS to see a list of integrations you can use to scan your infrastructure with Mondoo. Our top three recommended integrations help you get started securing your AWS and EKS infrastructure.
To configure the integration, we’ll provide a name and select which components of our cluster we want to scan. Since we’re interested in securing the complete cluster, we’ll leave the defaults for our prod-eks integration.
After you select CREATE, you'll receive a command to run that installs the operator and creates a Kubernetes secret holding the Mondoo platform credentials.
Once set up, Mondoo will also recommend policies to help you secure your systems. By default, Mondoo applies our out-of-the box cluster/workload security and best practice policies. You can also enable Center for Internet Security (CIS)-certified EKS policies and NSA security policies.
With your policies enabled, Mondoo will now scan your cluster and report cluster and workload security results.
Once the operator has scanned your cluster, you’ll find a number of assets in the Fleet tab.
These assets include the Kubernetes cluster itself (and workloads), the operating systems that run your cluster, and the containers running in the cluster. You can dive deeper into each of these high-level categories to see different groups of scanned assets.
For example, under Kubernetes, you can view all deployments to get a quick snapshot of your deployment security.
Select any of these deployments for a detailed view. This view covers the asset's security posture, including the top vulnerabilities, policy scores, and individual controls. Our example luna/frontend deployment has several critical issues, such as the container running as root, which an attacker could use as part of a container escape. Each control details the workload security violation and gives instructions for securing the workload.
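To make the "running as root" control concrete, here is an added example (not Mondoo's code or the operator's implementation) of the check a scanner or admission controller performs for this finding. It walks a Deployment manifest, resolves the effective `runAsNonRoot` and `runAsUser` for each container (container-level securityContext overrides pod-level), and flags any container that is not guaranteed to run as a non-root user. The two manifests are constructed for this example and loosely modelled on the luna/frontend deployment from the text; the image names, user ID and the `fetch-assets` init container are assumptions.

```python
"""Flag containers in a Deployment that may run as root.

Added example, not part of the original post. Semantics follow the Kubernetes
Pod/Container securityContext: a container is acceptable only if its effective
runAsNonRoot is true or its effective runAsUser is a non-zero UID. With neither
set, the container runs as whatever USER the image declares, which is usually root.
"""

# Constructed manifest resembling the luna/frontend deployment discussed above.
# Neither the pod nor the containers set any user, and the init container
# explicitly asks for UID 0 (image names and the init container are assumptions).
WEAK_DEPLOYMENT = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "frontend", "namespace": "luna"},
    "spec": {"template": {"spec": {
        "initContainers": [
            {"name": "fetch-assets", "image": "example/fetch-assets:1.0",
             "securityContext": {"runAsUser": 0}},
        ],
        "containers": [
            {"name": "frontend", "image": "example/frontend:1.0"},
        ],
    }}},
}

# The same deployment with a hardened securityContext: non-root enforced at the
# pod level, a fixed non-zero UID, and the usual extra hardening settings.
HARDENED_DEPLOYMENT = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "frontend", "namespace": "luna"},
    "spec": {"template": {"spec": {
        "securityContext": {"runAsNonRoot": True, "runAsUser": 10001,
                            "seccompProfile": {"type": "RuntimeDefault"}},
        "initContainers": [
            {"name": "fetch-assets", "image": "example/fetch-assets:1.0",
             "securityContext": {"allowPrivilegeEscalation": False,
                                 "capabilities": {"drop": ["ALL"]}}},
        ],
        "containers": [
            {"name": "frontend", "image": "example/frontend:1.0",
             "securityContext": {"allowPrivilegeEscalation": False,
                                 "readOnlyRootFilesystem": True,
                                 "capabilities": {"drop": ["ALL"]}}},
        ],
    }}},
}


def _effective(pod_sc, ctr_sc, key):
    """Resolve a securityContext field: container level wins over pod level."""
    if key in ctr_sc:
        return ctr_sc[key]
    return pod_sc.get(key)


def root_containers(deployment):
    """Return [(container_name, reason)] for every container not proven non-root."""
    findings = []
    pod_spec = deployment["spec"]["template"]["spec"]
    pod_sc = pod_spec.get("securityContext") or {}
    all_containers = pod_spec.get("initContainers", []) + pod_spec.get("containers", [])
    for ctr in all_containers:
        ctr_sc = ctr.get("securityContext") or {}
        run_as_user = _effective(pod_sc, ctr_sc, "runAsUser")
        run_as_non_root = _effective(pod_sc, ctr_sc, "runAsNonRoot")
        if run_as_user == 0:
            # Explicit UID 0 is root even if runAsNonRoot is also set (kubelet
            # would refuse to start it, which is still a misconfiguration).
            findings.append((ctr["name"], "runAsUser is 0"))
        elif run_as_non_root is True or (run_as_user is not None and run_as_user > 0):
            continue
        else:
            findings.append((ctr["name"],
                             "neither runAsNonRoot nor runAsUser set; falls back to image USER"))
    return findings


if __name__ == "__main__":
    for label, manifest in (("weak", WEAK_DEPLOYMENT), ("hardened", HARDENED_DEPLOYMENT)):
        print(label, root_containers(manifest) or "OK")
```

The check deliberately treats `runAsNonRoot: true` without a `runAsUser` as acceptable, because the kubelet then verifies the image's USER at start time; if you want the scanner to be stricter than the runtime, require a non-zero `runAsUser` as well.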
Rely on Mondoo to secure all aspects of your Amazon cloud environment. From instances to Kubernetes, from buckets to APIs, Mondoo finds vulnerabilities and misconfigurations that put your organization at risk.