Intelligence for Kubernetes Containers
To use Threat Intelligence on your Kubernetes cluster, you have to onboard it to Intelligence. For more information, see Onboarding Kubernetes Clusters to Intelligence.
With Kubernetes Intelligence, you can:
- Visualize and analyze north-south and east-west network traffic for your Kubernetes cluster
- Identify communications with malicious addresses
- Monitor cross-namespace communication
- Identify port scanning
CloudGuard provides a preconfigured Intelligence ruleset and custom queries created with a graphical GSL-based query builder.
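The three detections named above (cross-namespace traffic, contact with known-bad addresses, port scanning) can be illustrated with a small analysis over flow records. The following is an added example, not CloudGuard's own code: the record schema, the sample flows, the blocklist network (a documentation range) and the port-count threshold are all constructed for the illustration, and the real CloudGuard flow-log format and ruleset logic are not shown on this page.

```python
"""Toy analysis over constructed Kubernetes flow records.

Shows the kind of checks a Kubernetes Intelligence ruleset performs over
flow logs. The Flow schema, SAMPLE_FLOWS and BLOCKLIST are constructed
for this example and do not reflect CloudGuard's actual log format.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    src_pod: str
    src_ns: str          # "" when the endpoint is outside the cluster
    dst_pod: str
    dst_ns: str
    dst_ip: str
    dst_port: int
    direction: str       # "east-west" (pod to pod) or "north-south" (in/out of cluster)


# Constructed sample: one in-namespace flow, one cross-namespace flow, one
# egress to a TEST-NET-3 address standing in for a known-bad host, and a
# burst of connections from one pod to many ports on a single destination.
SAMPLE_FLOWS = [
    Flow("web-0", "shop", "api-0", "shop", "10.244.1.10", 8080, "east-west"),
    Flow("web-0", "shop", "db-0", "data", "10.244.2.5", 5432, "east-west"),
    Flow("batch-0", "jobs", "", "", "203.0.113.77", 443, "north-south"),
] + [
    Flow("scanner-0", "default", "api-0", "shop", "10.244.1.10", port, "east-west")
    for port in range(1, 16)
]

# Constructed blocklist; a real deployment feeds threat intelligence here.
BLOCKLIST = [ip_network("203.0.113.0/24")]


def cross_namespace_flows(flows):
    """Pod-to-pod flows whose source and destination namespaces differ."""
    return [f for f in flows
            if f.direction == "east-west" and f.src_ns != f.dst_ns]


def flows_to_blocklisted(flows, blocklist=BLOCKLIST):
    """Flows whose destination address falls inside a blocklisted network."""
    return [f for f in flows
            if any(ip_address(f.dst_ip) in net for net in blocklist)]


def port_scan_sources(flows, threshold=10):
    """Sources that touched at least `threshold` distinct ports on one destination.

    Returns {(src_pod, src_ns, dst_ip): number_of_distinct_ports}.
    """
    ports = defaultdict(set)
    for f in flows:
        ports[(f.src_pod, f.src_ns, f.dst_ip)].add(f.dst_port)
    return {key: len(p) for key, p in ports.items() if len(p) >= threshold}


if __name__ == "__main__":
    for f in cross_namespace_flows(SAMPLE_FLOWS):
        print(f"cross-namespace: {f.src_ns}/{f.src_pod} -> {f.dst_ns}/{f.dst_pod}:{f.dst_port}")
    for f in flows_to_blocklisted(SAMPLE_FLOWS):
        print(f"blocklisted destination: {f.src_ns}/{f.src_pod} -> {f.dst_ip}:{f.dst_port}")
    for (pod, ns, ip), n in port_scan_sources(SAMPLE_FLOWS).items():
        print(f"possible port scan: {ns}/{pod} -> {ip} ({n} distinct ports)")
```

The cross-namespace check is deliberately broad: in a real cluster it is a signal to review against the expected service topology (and against the NetworkPolicy objects that are meant to confine it), not an alert by itself. The port-count threshold is the tunable that separates ordinary service discovery from scanning behaviour.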
Supported Versions
| Name | Version |
|---|---|
| Kubernetes | v1.16 and higher |
| OS | Linux kernel v4.1 and higher |
Architecture
Kubernetes Intelligence includes these components:
- Inventory agent - A single-replica Kubernetes Deployment responsible for reporting inventory information on cluster resources to CloudGuard.
- Flow Logs DaemonSet - A DaemonSet of agents that:
  - Interact with the underlying cluster node to monitor IP traffic between the virtual network interfaces in the cluster
  - Upload the crafted logs to CloudGuard for analysis

Note - Check Point distributes the agents as a Helm Chart.
Rulesets and Policy
CloudGuard shows alerts for security events found in the Intelligence logs as part of the Threat & Security Events table on the Events page. To see events related to your cluster, it is necessary to configure a Kubernetes Ruleset or use the preconfigured CloudGuard-managed Kubernetes CloudGuard Best Practices ruleset. Then you set up a Policy that associates the ruleset with one or more Kubernetes clusters and assigns a notification.
Kubernetes Intelligence rulesets are equivalent to other Intelligence Rulesets (see Intelligence Security Events).
Actions
Follow the instructions in Intelligence Security Events; where those instructions refer to an environment, apply them to the Kubernetes cluster.

Note - Kubernetes Intelligence does not support Audit Logs. It uses network traffic Flow Logs and Kubernetes assets data.
Known Limitations
For a full list of known limitations, see Known Limitations.
More Links