
Ensuring In-flight Kubernetes Security

July 15, 2020
Alon Berger
Product Marketing Manager

Automate Kubernetes Analytics and Forensics with Alcide kAudit


It is the year 2020, and it is no surprise that Kubernetes is here to stay.

In fact, it is so mainstream that new Kubernetes CVEs and attack vectors keep appearing (we have covered some of them in recent blogs). We should expect more vulnerabilities and threats to be disclosed in the near future, and security teams need to take preventive measures accordingly.

Add to that the fact that Kubernetes-based deployments are complex by nature, and it is clear that we are heading towards ever more challenging distributed environments.
Such increasing complexity calls for a different and more focused approach to mitigation strategies.

At the same time, while Kubernetes automates your containerized application deployments with some basic out-of-the-box security measures, it still has a long way to go when it comes to providing end-to-end security for these workloads.

Take for example the security teams that need to deal with, understand and investigate K8s audit logs. Sifting through these endless records is often intimidating. Automating audit log analysis lays the groundwork for early detection of abnormal activity and anomalies, and in today's world of artificial intelligence (AI) and machine learning that is a key differentiator for stronger enforcement.


Kubernetes Audit Logs == Your Source of Truth

Enter Alcide kAudit, an automated analytics and forensics module that is specifically designed for detecting and identifying suspicious activity, based solely on Kubernetes’ audit logs.

One of the major challenges for security teams is the time and effort it takes to identify and diagnose the root cause and impact of a security breach, especially within Kubernetes deployments. The dynamic nature of such environments makes it even harder for response teams, which have to constantly track the activity and communication among the applications, often composed of dozens or even hundreds of interacting microservices deployed as pods. Such observation requires a deep understanding of the application's architecture and most often involves rummaging through a substantial amount of raw logs.

kAudit fits the complex multi-cluster Kubernetes environments that companies build today. With an AI-based detection mechanism, Alcide kAudit provides a high-resolution detection layer that gives instant insights and alerts on suspicious activity. Since it works from the API server's audit log rather than from network traffic, what it continuously scans and flags is unusual or suspicious API activity: who called the API server, from where, with which verb, against which resource, and with what result.

While there are many potential threats to consider, some of the most crucial and popular ones are the following:

  • Stolen credentials (a leaked kubeconfig or service-account token), enabling attackers to gain access to K8s clusters or pods.

  • Misconfigured Role-Based Access Control (RBAC), enabling lateral movement, privilege escalation, and unauthorized data access or manipulation.

  • Exploitation of vulnerabilities in the Kubernetes API Server, enabling bypassing of authentication, authorization, admission control, or validation of cluster administration requests.

  • Violations of security policies, which diverge from compliance requirements and best practices.


Policy and Compliance Enforcement

On top of automated audit analytics and risk detection, there are also compliance requirements and predefined rules to consider and keep close track of. Companies deploying Kubernetes-based workloads in many cases also need to align with regulatory and industry standards designed to protect financial transactions and private or personal information, such as PCI DSS, GDPR and HIPAA. Alcide kAudit automatically assembles, catalogs and reports on violations of K8s-related compliance best practices.

kAudit provides easy-to-use policies with a variety of out-of-the-box templates that help users create their own customized rules. This enables proactive monitoring for early detection of policy violations and limits the blast radius of such incidents.
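To make the four threat classes listed above and the rule-template idea concrete, here is an added example that is not Alcide kAudit's code and does not reproduce its detection logic. It runs two kinds of checks over Kubernetes API-server audit events: explicit policy rules (no learning needed) and a per-principal profile learned from a baseline window, against which later requests are compared, which is also the idea behind the "learned and approved profile" the user timeline relies on later in this post. The field names follow the real audit.k8s.io/v1 JSON layout written by kube-apiserver; the events themselves, the service-account name, the IP addresses, the "protected" namespaces and the rule names are constructed for illustration. Exploitation of an API-server vulnerability has no generic signature, so the nearest observable used here is a successful (2xx) request by system:anonymous against a namespaced resource.

```python
# Added example, not Alcide kAudit code: policy rules and per-principal profiles run over
# Kubernetes API-server audit events in the audit.k8s.io/v1 JSON layout (constructed data).
import json
from collections import defaultdict

PROTECTED_NAMESPACES = {"prod", "kube-system"}  # assumption: namespaces where exec is forbidden
CHECKOUT = "system:serviceaccount:shop:checkout"  # constructed service-account name

def _ref(ev):
    return ev.get("objectRef") or {}  # non-resource requests (e.g. /healthz) carry no objectRef

def audit_line(verb, user, ip, resource, ns="shop", code=200, subresource=None, request=None):
    """One constructed audit event in kube-apiserver's layout, reduced to the fields used below."""
    # Cluster-scoped and all-namespaces requests carry no namespace in objectRef.
    ref = {k: v for k, v in [("resource", resource), ("namespace", ns), ("subresource", subresource)]
           if v is not None}
    ev = {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "verb": verb, "user": {"username": user},
          "sourceIPs": [ip], "objectRef": ref, "responseStatus": {"code": code}}
    if request is not None:  # requestObject is present only at RequestResponse audit level
        ev["requestObject"] = request
    return json.dumps(ev)

# Learning window: normal traffic that builds each principal's profile.
BASELINE_LOG = "\n".join([
    audit_line("get", CHECKOUT, "10.0.3.14", "configmaps"),
    audit_line("get", CHECKOUT, "10.0.3.14", "pods"),
    audit_line("get", "dev-alice", "10.0.9.2", "pods"),
    audit_line("list", "dev-alice", "10.0.9.2", "deployments"),
])

# Detection window: one benign request, the four threat classes from the text, one corrupt line.
NEW_LOG = "\n".join([
    audit_line("get", CHECKOUT, "10.0.3.14", "configmaps"),
    # checkout's token used from outside the cluster to dump every Secret: stolen credential
    audit_line("list", CHECKOUT, "203.0.113.7", "secrets", ns=None),
    # developer binds themselves to cluster-admin: RBAC misuse / privilege escalation
    audit_line("create", "dev-alice", "10.0.9.2", "clusterrolebindings", ns=None,
               request={"roleRef": {"kind": "ClusterRole", "name": "cluster-admin"}}),
    # interactive shell in a production pod: security-policy violation
    audit_line("create", "dev-alice", "10.0.9.2", "pods", ns="prod", subresource="exec"),
    # an unauthenticated caller got a 200: authn/authz misconfiguration or bypass
    audit_line("get", "system:anonymous", "198.51.100.9", "pods", ns="kube-system"),
    "not json at all",
])

def parse_audit_log(text):
    """One JSON event per line; blank or malformed lines are skipped rather than fatal."""
    events = []
    for line in filter(None, map(str.strip, text.splitlines())):
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # in production, count and alert on corrupt lines as well
    return events

POLICY_RULES = {  # explicit, compliance-style checks that need no learning phase
    "cluster-wide Secret enumeration": lambda ev: ev["verb"] in ("list", "watch")
        and _ref(ev).get("resource") == "secrets" and "namespace" not in _ref(ev),
    "ClusterRoleBinding to cluster-admin": lambda ev: ev["verb"] == "create"
        and _ref(ev).get("resource") == "clusterrolebindings"
        and (ev.get("requestObject") or {}).get("roleRef", {}).get("name") == "cluster-admin",
    "exec into protected namespace": lambda ev: _ref(ev).get("subresource") == "exec"
        and _ref(ev).get("resource") == "pods" and _ref(ev).get("namespace") in PROTECTED_NAMESPACES,
    "successful unauthenticated request": lambda ev: ev["user"]["username"] == "system:anonymous"
        and 200 <= (ev.get("responseStatus") or {}).get("code", 0) < 300,
}

def policy_findings(events):
    return [(n, ev["user"]["username"]) for ev in events for n, ok in POLICY_RULES.items() if ok(ev)]

def learn_profiles(events):
    """Per-principal profile: source IPs and (verb, resource) pairs seen in the learning window."""
    profiles = defaultdict(lambda: {"ips": set(), "actions": set()})
    for ev in events:
        p = profiles[ev["user"]["username"]]
        p["ips"].update(ev.get("sourceIPs", []))
        p["actions"].add((ev["verb"], _ref(ev).get("resource")))
    return profiles

def detect_anomalies(events, profiles):
    """Flag a known principal acting outside its profile: the shape of a stolen or misused token."""
    findings = []
    for ev in events:
        user = ev["user"]["username"]
        if user not in profiles:
            continue  # no profile yet; unknown principals are left to the policy rules
        new_ips = set(ev.get("sourceIPs", [])) - profiles[user]["ips"]
        action = (ev["verb"], _ref(ev).get("resource"))
        reasons = ["new source IP " + ",".join(sorted(new_ips))] if new_ips else []
        if action not in profiles[user]["actions"]:
            reasons.append("never-seen action %s %s" % action)
        if reasons:
            findings.append((user, "; ".join(reasons)))
    return findings

def triage(baseline_text, new_text):
    profiles = learn_profiles(parse_audit_log(baseline_text))
    events = parse_audit_log(new_text)
    return {"policy": policy_findings(events), "anomalies": detect_anomalies(events, profiles)}
```

Calling `triage(BASELINE_LOG, NEW_LOG)` returns four policy findings (one per threat class) and three profile anomalies; the benign configmap read from the usual address produces nothing, and the corrupt line is dropped rather than aborting the batch. Two caveats a practitioner should keep in mind: the ClusterRoleBinding rule only works if the cluster's audit policy records request bodies (RequestResponse level) for RBAC resources, and a profile learned from a window that already contained the attacker's activity will treat it as approved, so the learning window has to be chosen and reviewed deliberately.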


Kubernetes Audit Logs Explained – Step by Step

Let’s jump into some real-world examples and see how you can quickly detect a breach or an internal misuse within your Kubernetes assets:


Source: Alcide kAudit main dashboard


Step 1 – The main kAudit dashboard provides real-time Kubernetes analytics and forensics. It highlights security violations such as access to sensitive K8s components and which resources were maliciously or erroneously accessed by unauthorized users.

Step 2 – Users are able to monitor such issues over time, easily identifying complex and non-trivial threats. This makes audit logs accessible and simplifies reporting capabilities for all relevant teams, not just the security experts.

Step 3 – For a deeper investigation of specific incidents and users, you can easily drill down to the activity and potential policy violations of a specific user over a specific period of time – see the example in the image below:


Source: Alcide kAudit users timeline dashboard


Investigations conducted through this user timeline allow comparing anomalous behavior of a suspicious user to its learned and approved profile activity.

Each incident or specific violation can be thoroughly reviewed without the tedious task of parsing and sifting through endless system logs:


Source: Alcide kAudit Incidents and Anomalies Summary dashboard


Step 4 – If an even deeper profile activity review is necessary, the platform is equipped with an activity summary dashboard that provides additional filtering capabilities, based on API groups, caller IPs, cluster roles and many more:



Source: Alcide kAudit Activity Summary dashboard


Step 5 – Integrate with your preferred third-party platforms and tools, such as Snowflake, Datadog, Sumo Logic, Red Hat OpenShift and more.


Bottom Line

Audit logs are a prime way to comprehend the behavior of any cloud-native application orchestrated by Kubernetes. In addition to detecting security risks, we believe that a security solution should also be easy to understand and consumed by more than just the hard-core security experts.

By providing the correct user experience, companies can make their Kubernetes logs more accessible, effectively opening a new vista of security possibilities for more professionals.

Deploying Alcide kAudit within your organization can help flatten the steep learning curve of Kubernetes and bring together K8s pros and novices, relieving pressure on understaffed security teams.


To get started with Alcide kAudit, try our 14-day trial.




About the author


Alon Berger

Product Marketing Manager

Alon Berger is a Product Marketing Manager at Alcide and an experienced Technical Engineer with a demonstrated history of working in the computer software industry. Skilled in R&D Operations management, Cyber Security, Cloud platforms, and DevSecOps methodologies. Alon served in the 8200 unit and holds a BSc in Computer Science.
