From our earliest days at Twistlock, we have always tried to build features that solve real problems for customers. About a year ago, we added Docker compliance to assist our customers in meeting Docker compliance requirements from the Center for Internet Security (CIS) Docker Benchmark.
Over the past several months, Kubernetes usage and adoption has increased to the point that Kubernetes has become a popular open source solution for Docker cluster orchestration; even commercial offerings such as RedHat OpenShift and Google Container Engine are built on top of Kubernetes. Consequently, with Twistlock 2.2, we included compliance checks for CIS Kubernetes Benchmark 1.1 (a guide we contributed to) into our existing suite of Docker compliance checks.
Twistlock provides over 100 compliance checks for Kubernetes 1.7 so you can ensure that your Kubernetes deployments follow industry best practices and that your clusters are secured against common misconfigurations and threats. Even if you don’t have strict compliance requirements, it just makes good security sense to deploy with a compliant configuration.
Kubernetes Compliance in Three Easy Steps
Unlike the Twistlock Docker compliance checks, the Twistlock Kubernetes compliance checks covers the Kubernetes components themselves, not containers they run (those are covered by the existing Docker support we’ve long had). Twistlock automatically scans all nodes in your Kubernetes cluster including master and worker nodes; Twistlock even covers federated deployment compliance.
Setup Twistlock for CIS Kubernetes Compliance
The first step towards CIS Kubernetes compliance is to install the Twistlock solution in your cluster. Twistlock supports daemon set deployment in Kubernetes, GKE, and OpenShift and other Kubernetes based deployments as well.
Add a Kubernetes Compliance Rule for Your Entire Cluster or Federation
Once you have installed Twistlock, open up the browser interface to the Twistlock Console and navigate to Defend/Compliance. Once you click on “New Rule”, you’ll see this frame appear:
Give your new rule an appropriate name then choose between master, worker, or federation compliance checks – or add all three! For each compliance check, choose ignore or alert to enable or disable the check. Once a rule is created with appropriate alerts, Twistlock will scan all hosts in your cluster and produce a customized Kubernetes compliance report for each host – optionally sending out e-mails, slack alerts, or JIRA tickets. If you choose Block, then the deployment of Kubernetes containers will be blocked – ensuring that your configuration is compliant before cluster deployment..
The Add Resource section allows you to qualify which hosts are scanned for the desired compliance checks. To have coverage of your entire cluster which I recommend, simply choose the -default “*” in the Hosts section, you can leave the other fields in this section blank as they do not apply to Kubernetes compliance.
Use the Twistlock Compliance Report to Remediate Issues
To produce this sample report, I setup a single node Kubernetes cluster with the default setup for a single cluster. I created my one rule above to check my entire cluster for compliance. In a few seconds my Twistlock Kubernetes compliance report was available and my alerts were sent out. To view my report, I simply navigated to Monitor/Compliance/Hosts and clicked on my one host, matt-kubelet.
As you can see, I have 39 Kubernetes compliance violations on my single host cluster. By clicking into the report, I see various issues with both my master and worker configuration. The compliance violations are ranked stacked so you can easily view the most serious issues.
Any Docker savvy developer or cloud architect worth his salt can now remediate these itemized issues and re-run the cluster compliance scan via Twistlock to ensure that the remediation was completed successfully – it’s that easy.
Follow us on Twitter
Follow us on Twitter for real time updates on the cloud native ecosystem, Twistlock product, and cloud native security threats.