Container Security – Qualys on Kubernetes

Container Security – Qualys on Kubernetes

The simplicity of the container functional approach generates important and complex problems where cyber security is concerned.

An evolving dynamic world

The container method is much more dynamic than a classic approach based on the hardware virtualization. It is important to have full visibility of all containers within the infrastructure, as it might happen to lose visibility of everything that is located inside.

Easy-to-use doesn’t mean safe

The container logic implies the use of already built images. Docker hub provides many images to accommodate different services; however, one may question their security level. It is important to identify vulnerabilities both in the master images and in the applications within the containers.

Thanks to Qualys and its Security Container module, it’s possible to get full visibility of all the infrastructure containers in order to facilitate the identification of all vulnerabilities. The integration of a Container Sensor on our Kubernetes environment allowed us to not neglect the security aspect, not even in a modern development environment.

1. Sensor installation

The procedure of installation on Kubernetes environments are easy to conduct. Qualys provides both the docker image on docker hub, and the DaemonSet configuration. You can download the YAML file from the repository below:

https://github.com/Qualys/cs_sensor/blob/master/cssensor-ds.yml

The file is ready to be used. The only changes that are required involve the value of your Activation ID, Customer ID and POD Url (the address that the pod must contact to communicate with the Qualys cloud portal).

1.    env:
2.       - name: ACTIVATIONID
3.         value: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
4.       - name: CUSTOMERID
5.         value: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
6.       - name: POD_URL
7.         value: https://cmsqagpublic.qg2.apps.qualys.com/ContainerSensor

The Activation ID and Customer ID are available within one’s Qualys instance, while the POD Url depends on the Qualys Platform. In the sample case we offer the url is: https://cmsqagpublic.qg2.apps.qualys.com/ContainerSensor

Qualys-platform-url

Once configurations have been changed successfully, the DaemonSet can be applied with the following command:

kubectl apply -f cssensor-ds.yml

It is possible to check the status of the pods with the command get pods for the kube-system namespace.

kubectl -n kube-system get pods

container-security-qualys-on-Kubernetes

Considering that it is a Daemon set, a sensor will be instantiated independently for each worker node.

The sensors will automatically appear in the Qualys Cloud Platform also. In case they don’t, the POD_URL might have been set wrong in the previous step.

2. Get visibility

The Container Security Sensor allows to monitor the status of all containers that have been deployed in the Kubernetes infrastructure, and most importantly it will also be possible to detect the presence of vulnerable containers and images.

Get visibility of all containers in your infrastructure!

Identify the information of each container and the associated vulnerabilities. 

Check the software installed in your container or image, see whether it is up-to-date, and detect any vulnerabilities.

Detect and analyze vulnerabilities and then find the best way to fix them. 

We’ve so illustrated the first steps for monitoring our containers and their associated vulnerabilities. In the next article we’ll go deeper in trying to figure out how to analyze images in the continuous Integration and Deployment phase, integrating Qualys’ Container Security module with Gitlab.