Intelligence for Kubernetes Containers

To use Threat Intelligence on your Kubernetes cluster, you have to onboard it to Intelligence. For more information, see Onboarding Kubernetes Clusters to Intelligence.

With Kubernetes Intelligence, you can:

  • Visualize and analyze north-south and east-west network traffic for your Kubernetes cluster

  • Identify communications with malicious addresses

  • Monitor cross-namespace communication

  • Identify port scanning

CloudGuard provides a preconfigured Intelligence ruleset and custom queries created with a graphical GSL-based query builder.

Supported Versions

| Name         | Version                       |
|--------------|-------------------------------|
| Kubernetes   | v1.16 and higher              |
| OS           | Linux kernel v4.1 and higher  |

Architecture

Kubernetes Intelligence includes these components:

  • Inventory agent - A single-replica Kubernetes Deployment responsible for reporting inventory information on cluster resources to CloudGuard.

  • Flow Logs DaemonSet - A DaemonSet of agents that:

    • Interact with the underlying cluster node to monitor IP traffic between the virtual network interfaces in the cluster

    • Upload crafted logs to CloudGuard for analysis
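The analyses listed above under "With Kubernetes Intelligence, you can" (traffic direction, cross-namespace communication, contact with malicious addresses, port scanning) are what CloudGuard runs over the flow logs the DaemonSet uploads together with the inventory the Inventory agent reports. The following is an added illustration of that analysis, not CloudGuard's own code or its log format: the flow records, the pod inventory, the pod CIDR 10.42.0.0/16, the blocklisted address (a documentation-range placeholder, not a real indicator) and the port-scan threshold of 20 distinct ports are all constructed assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed pod inventory (pod IP -> namespace), the kind of data an
# inventory agent reports. Assumed values for this example only.
POD_INVENTORY = {
    "10.42.0.11": "frontend",
    "10.42.0.12": "frontend",
    "10.42.1.21": "payments",
    "10.42.2.31": "monitoring",
}

# Assumed pod network CIDR: addresses inside it are cluster-internal endpoints.
CLUSTER_CIDR = ip_network("10.42.0.0/16")

# Placeholder blocklist (RFC 5737 documentation address, not a real indicator).
MALICIOUS_ADDRESSES = {"198.51.100.77"}

# Constructed flow records: (src_ip, dst_ip, dst_port).
FLOWS = [
    ("10.42.0.11", "10.42.0.12", 8080),    # same namespace, east-west
    ("10.42.0.11", "10.42.1.21", 443),     # cross-namespace, east-west
    ("10.42.2.31", "10.42.0.11", 9100),    # monitoring scrape, cross-namespace
    ("10.42.0.12", "198.51.100.77", 443),  # egress to a blocklisted address
    ("10.42.0.11", "203.0.113.10", 443),   # ordinary egress, north-south
] + [("10.42.2.31", "10.42.1.21", p) for p in range(20, 45)]  # port sweep

# Assumed threshold: distinct destination ports from one source to one destination.
PORT_SCAN_THRESHOLD = 20


def classify_direction(src, dst):
    """East-west when both endpoints are in the pod network, else north-south."""
    inside = ip_address(src) in CLUSTER_CIDR and ip_address(dst) in CLUSTER_CIDR
    return "east-west" if inside else "north-south"


def cross_namespace_flows(flows, inventory):
    """Flows whose source and destination pods live in different namespaces."""
    found = []
    for src, dst, port in flows:
        src_ns, dst_ns = inventory.get(src), inventory.get(dst)
        if src_ns and dst_ns and src_ns != dst_ns:
            found.append((src_ns, dst_ns, dst, port))
    return found


def malicious_contacts(flows, blocklist):
    """Flows touching any address on the blocklist, in either direction."""
    return [(s, d, p) for s, d, p in flows if s in blocklist or d in blocklist]


def port_scans(flows, threshold=PORT_SCAN_THRESHOLD):
    """(src, dst) pairs that hit at least `threshold` distinct destination ports."""
    ports = defaultdict(set)
    for src, dst, port in flows:
        ports[(src, dst)].add(port)
    return {pair: len(p) for pair, p in ports.items() if len(p) >= threshold}


def analyze(flows=FLOWS, inventory=POD_INVENTORY, blocklist=MALICIOUS_ADDRESSES):
    """Run all four checks over a batch of flow records and return the findings."""
    directions = defaultdict(int)
    for src, dst, _ in flows:
        directions[classify_direction(src, dst)] += 1
    return {
        "directions": dict(directions),
        "cross_namespace": cross_namespace_flows(flows, inventory),
        "malicious": malicious_contacts(flows, blocklist),
        "port_scans": port_scans(flows),
    }


if __name__ == "__main__":
    report = analyze()
    print("traffic by direction:", report["directions"])
    print("cross-namespace flows:", len(report["cross_namespace"]))
    print("blocklisted contacts:", report["malicious"])
    print("port scans:", report["port_scans"])
```

Each finding type maps to one capability from the list above; in practice the threshold and the blocklist would come from the ruleset and the threat feed rather than being hard-coded, and the namespace lookup depends on the inventory being current, which is why the Inventory agent runs alongside the DaemonSet.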

Note - Check Point distributes the agents as a Helm Chart (see https://github.com/CheckPointSW/charts) and associated Docker images hosted in a private container registry (quay.io/checkpoint).

Rulesets and Policy

CloudGuard shows alerts for security events found in the Intelligence logs as part of the Threat & Security Events table on the Events page. To see events related to your cluster, configure a Kubernetes Ruleset or use the preconfigured CloudGuard-managed Kubernetes CloudGuard Best Practices ruleset. Then set up a Policy that associates the ruleset with one or more Kubernetes clusters and assigns a notification.

Kubernetes Intelligence rulesets are equivalent to other Intelligence Rulesets (see Intelligence Security Events).

Actions

Follow the instructions in Intelligence Security Events; where they refer to an environment, apply them to the Kubernetes cluster.

Note - Kubernetes Intelligence does not support Audit Logs. It uses network traffic Flow Logs and Kubernetes assets data.

Known Limitations

For a full list of known limitations, see Known Limitations.

More Links

Onboarding Kubernetes Clusters

Kubernetes Containers