Intelligence for Kubernetes Containers

To use Threat Intelligence on your Kubernetes cluster (Kubernetes, often abbreviated as "K8s", orchestrates containerized applications to run on a cluster of hosts), you have to onboard it to Intelligence. For more information, see Onboarding Kubernetes Clusters to Intelligence.

With Kubernetes Intelligence, you can:

  • Visualize and analyze north-south and east-west network traffic for your Kubernetes cluster

  • Identify communications with malicious addresses

  • Monitor cross-namespace communication

  • Identify port scanning
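The port-scan and cross-namespace checks named in the list above, shown as an added example that is not CloudGuard code and not taken from the page: a small Python script that runs both checks over constructed flow records. The record fields, the thresholds (10 distinct destination ports within a 60-second window) and the allow-list of namespace pairs are assumptions chosen for illustration, not CloudGuard's flow-log schema or ruleset settings.

```python
"""Toy flow-log analysis illustrating two checks a Kubernetes Intelligence
ruleset performs: port-scan detection and cross-namespace communication.
Added example, not CloudGuard code.  The Flow record layout is an assumption
made for this illustration, not the real CloudGuard flow-log schema."""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: int         # seconds since epoch (constructed)
    src_ns: str     # namespace of the source pod
    src_pod: str
    dst_ns: str     # namespace of the destination pod
    dst_pod: str
    dst_port: int
    action: str     # "accept" or "reject"


# Constructed sample flows: one pod in "default" sweeps 12 ports on prod/web
# within 12 seconds, plus three ordinary flows, one of them cross-namespace
# to the production database.
SAMPLE_FLOWS = [
    Flow(1000 + i, "default", "scanner", "prod", "web", 20 + i, "reject")
    for i in range(12)
] + [
    Flow(1005, "default", "frontend", "default", "backend", 8080, "accept"),
    Flow(1006, "monitoring", "prometheus", "prod", "web", 9090, "accept"),
    Flow(1007, "default", "frontend", "prod", "db", 5432, "accept"),
]

PORT_SCAN_THRESHOLD = 10   # distinct destination ports (assumed value)
PORT_SCAN_WINDOW = 60      # seconds (assumed value)


def detect_port_scans(flows, threshold=PORT_SCAN_THRESHOLD, window=PORT_SCAN_WINDOW):
    """Return {"src_ns/src_pod -> dst_ns/dst_pod": max_distinct_ports} for every
    source/destination pair that touched at least `threshold` distinct
    destination ports inside any sliding window of `window` seconds."""
    by_pair = defaultdict(list)
    for f in flows:
        by_pair[(f.src_ns, f.src_pod, f.dst_ns, f.dst_pod)].append(f)

    findings = {}
    for (sns, spod, dns, dpod), fs in by_pair.items():
        fs.sort(key=lambda f: f.ts)
        ports_in_window = Counter()   # dst_port -> occurrences inside the window
        left = 0
        for f in fs:
            ports_in_window[f.dst_port] += 1
            # Slide the left edge forward until every flow is within `window` seconds.
            while fs[left].ts < f.ts - window:
                old = fs[left].dst_port
                ports_in_window[old] -= 1
                if ports_in_window[old] == 0:
                    del ports_in_window[old]
                left += 1
            if len(ports_in_window) >= threshold:
                key = f"{sns}/{spod} -> {dns}/{dpod}"
                findings[key] = max(findings.get(key, 0), len(ports_in_window))
    return findings


def cross_namespace_summary(flows, allowed=frozenset()):
    """Return {(src_ns, dst_ns): set_of_dst_ports} for traffic that crosses a
    namespace boundary and is not covered by the `allowed` set of
    (src_ns, dst_ns) pairs (the allow-list is an assumption for this example)."""
    summary = defaultdict(set)
    for f in flows:
        if f.src_ns != f.dst_ns and (f.src_ns, f.dst_ns) not in allowed:
            summary[(f.src_ns, f.dst_ns)].add(f.dst_port)
    return dict(summary)


if __name__ == "__main__":
    print("port scans:", detect_port_scans(SAMPLE_FLOWS))
    print("cross-namespace:",
          cross_namespace_summary(SAMPLE_FLOWS, allowed={("monitoring", "prod")}))
```

On the constructed data the scanner is reported with 12 distinct ports, and the only unexpected cross-namespace traffic left after allowing monitoring to reach prod is default to prod (the scan ports plus 5432). In a real deployment the same two questions are answered by the Intelligence ruleset against the flow logs the DaemonSet uploads; the thresholds here are only a starting point for tuning against your own traffic.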

CloudGuard provides a preconfigured Intelligence ruleset and lets you create custom queries with a graphical GSL-based query builder.

Supported Versions

Name          Version
Kubernetes    v1.16 and higher
OS            Linux kernel v4.1 and higher

Architecture

Kubernetes Intelligence includes these components:

  • Inventory agent - A single-replica Kubernetes Deployment responsible for reporting inventory information on cluster resources to CloudGuard.

  • Flow Logs DaemonSet - A DaemonSet of agents that:

    • Interact with the underlying cluster node to monitor IP traffic between the virtual network interfaces in the cluster

    • Upload the resulting flow logs to CloudGuard for analysis

Note - Check Point distributes the agents as a Helm Chart (a package of pre-configured Kubernetes resources that can be managed with the Helm tool; charts provide a reproducible way of creating and sharing Kubernetes applications, from something simple like a memcached Pod to a full web app stack with HTTP servers, databases, caches, and so on; see https://github.com/CheckPointSW/charts) together with the associated Docker images (Docker Engine provides operating-system-level virtualization, also known as containers), which are hosted in a private container registry at quay.io/checkpoint.

Rulesets and Policy

CloudGuard shows alerts for security events found in the Intelligence logs as part of the Threat & Security Events table on the Events page. To see events related to your cluster, configure a Kubernetes ruleset or use the preconfigured CloudGuard-managed Kubernetes CloudGuard Best Practices ruleset. Then set up a Policy that associates the ruleset with one or more Kubernetes clusters and assigns a notification.

Kubernetes Intelligence rulesets are equivalent to other Intelligence Rulesets (see Intelligence Security Events).

Actions

Follow the instructions in Intelligence Security Events, treating your Kubernetes cluster as the environment wherever one is mentioned.

Note - Kubernetes Intelligence does not support Audit Logs. It uses network traffic Flow Logs and Kubernetes assets data.

Known Limitations

For a full list of known limitations, see Known Limitations.

More Links

Onboarding Kubernetes Clusters

Kubernetes Containers