Fortify D2iQ/Nutanix cluster with AccuKnox Zero Trust

Real-world examples of runtime security breaches are numerous and very expensive. For example, one well-publicized incident was the crypto-mining malware that infected a Kubernetes cluster, consuming huge computational resources and causing service disruptions. In the other case, a misconfigured Kubernetes cluster allowed unauthorized access to sensitive data and led to a massive data breach and heavy regulatory fines.

Organizations are adopting cloud-native deployment solutions to deliver their applications at scale quickly. Consequently, the attack surface has increased compared with traditional monolithic applications. Therefore, securing Kubernetes clusters has become a major concern for organizations, and the cloud-native landscape has become a challenging place where businesses have to deal with various possible threats. D2iQ/Nutanix, the leading provider of enterprise-grade Kubernetes solutions, recognizes the challenge and has partnered with AccuKnox to provide robust runtime security for your D2iQ/Nutanix Kubernetes clusters.

AccuKnox Enterprise CNAPP – a runtime security solution, addresses this issue head-on by protecting your D2iQ/Nutanix Kubernetes workloads. This blog post will walk you through the features and benefits that strengthen the integration of AccuKnox Enterprise with D2iQ/Nutanix, including auto-discovered behavioral policies, compliance enforcement, real-time visibility, and seamless integration with industry-leading security tools.

AccuKnox for Kubernetes Security

AccuKnox runtime security for Kubernetes aids in discovering the application behavior of your workload and offers the capability to enforce security policies. AccuKnox automatically detects and suggests Behavioral Policies based on application observability, such as file system access for processes and processes that are accessing the network.

AccuKnox leverages KubeArmor to implement runtime security policies, utilizing eBPF and LSMs (SELinux, BPF LSM, AppArmor). LSMs serve as a checkpoint based on the applied policies, scrutinizing all events and system calls against these policies before they interact with kernel objects. KubeArmor ensures that any event not compliant with the guidelines is prevented from to execute in the userspace, thus maintaining a secure environment for your applications to operate. AccuKnox offers the subsequent enterprise functionalities to enhance runtime security:

• Auto-Discovered Behavioural Policies
• Recommendation of Hardening Policies based on compliance framework – MITRE, NIST, PCI-DSS, CIS
• Inventory View of Application
• Network Graph View of the Application
• Network micro-segmentation in the application
• Hardening of the Secrets Managers like Hashicorp Vault, CyberArk Conjur
• GitOps-based Version Control for Policy Lifecycle Management
• Rollback of recently changed Policy governing App Behavior
• On-the-fly detection of change in App Behavior through Policies
• Multi-tenant, Multi-Cluster, RBAC for user management
• Comprehensive Dashboard across workloads running in Managed/Unmanaged Cluster, Containerized environment, VM or Baremetal
• Integration with Registries for Container Image Vuln Scan
• Telemetry aggregation (Process executed, File accessed, Network connections made) and Alerts events (Audit, Block)
• Integration to SIEM for security events and Notification tool

AccuKnox Agents enable you to detect the Kubernetes environment and automatically pull all necessary agents for installation, facilitating the delivery of enterprise features.

AccuKnox Runtime Security Differentiation

Unlike point solutions that address specific aspects of security, KubeArmor combines policy enforcement, real-time monitoring, and isolation capabilities to combat cryptojacking and other threats.

• Zero-Trust Security: The Zero-Trust approach minimizes the attack surface and reduces the risk of unauthorized access, making it a powerful defense against attack attempts.
• Preemptive Mitigation: By proactively blocking suspicious activity, KubeArmor prevents malware from gaining a foothold in your system, minimizing potential damage.
• Granular Control: The ability to define fine-grained security policies allows you to tailor your defenses to your specific cloud environment and applications. This policy template not only blocks the execution of known mining software but also prevents other malicious activities commonly associated with cryptojacking attacks, such as reconnaissance tools like masscan, zgrab2, and nmap. Additionally, it restricts the execution of binaries from the /tmp/ folder, a common tactic used by attackers to deploy and run their malicious payloads.
• Kernel-level security enforcement using LSMs for both host and workloads
• Container-aware observability using eBPF-based system monitoring
• Automatic generation of least-permissive security policies using Discovery Engine
• Support for un-orchestrated containers, Kubernetes workloads, and bare metal VMs

Before You Begin

This procedure requires the following items and configurations:

• A fully configured and running Amazon EKS cluster with administrative privileges.
• The current version of DKP Enterprise is installed on your cluster.
• Ensure you have installed kubectl in your Management cluster.

In this case, we will be using D2iQ/Nutanix managed cluster created from the D2iQ/Nutanix console, You can use user attached cluster as well.

1. When the cluster is provisioned successfully > click on “Actions” from the upper right corner download the KubeConfig and export it to the kubeconfig environment variable
   
   
   export KUBECONFIG=dkp-kubeconfig.yaml
2. From the application catalog enable “KubeArmor”
   
3. Login to AccuKnox Saas > Navigate to settings and click on manage clusters
   
4. Click on “Onboard Now” to onboard a new cluster and In the next screen give a name to your cluster then click on “Save & Next”
   
5. In the onboarding steps skip the first step as we have already added “KubeArmor” from the DKP catalog, Follow the “Install AccuKnox Agents” to onboard your cluster
   
6. Copy the command and execute it in the CLI
   
   helm upgrade –install accuknox-agents
   oci://public.ecr.aws/k9v9d5v2/accuknox-agents –version “v0.2.12”
   –set joinToken=”38d851ba-2660-4aa3-b488-0cfb666bdb5e”
   –set spireHost=”spire.demo.accuknox.com”
   –set ppsHost=”pps.demo.accuknox.com”
   –set knoxGateway=”knoxgw.demo.accuknox.com:3000” -n accuknox-agents
   –create-namespace
   Release “accuknox-agents” does not exist. Installing it now.
   Pulled: public.ecr.aws/k9v9d5v2/accuknox-agents:v0.2.12
   Digest: sha256:0bccba7c90fd5b844c84010613941da1938020336fa50c6ed9b1d045c37bb8ea
   NAME: accuknox-agents
   LAST DEPLOYED: Tue Apr 23 11:11:21 2024
   NAMESPACE: accuknox-agents
   STATUS: deployed
   REVISION: 1
   TEST SUITE: None
7. Verify if all the agents are up and running
   
   kubectl get po -n accuknox-agents
   
   
   NAME

   READY

   STATUS

   RESTARTS

   AGE

   agents-operator-6cf7ccb7c4-zl58p

   1/1

   Running

   0

   3m18s

   discovery-engine-86c7fcc48c-bgvg8

   5/5

   Running

   0

   3m18s

   feeder-service-78bfcc75bb-xxfqt

   1/1

   Running

   0

   2m45s

   policy-enforcement-agent-7c9cddddf6-6rwv7

   1/1

   Running

   0

   2m44s

   shared-informer-agent-787465dc55-wlzm8

   1/1

   Running

   0

   2m43s

Expected Outcome

After the Onboarding Process is complete user can utilize the following features of AccuKnox SaaS to protect their cloud workload at runtime:

Cloud Workloads

Users can view all the workloads within the cluster through the cloud workload graph view.

Application Behavior

AccuKnox SaaS monitors cluster workload behavior using KubeArmor and AccuKnox Agents, installed as DaemonSets. Information is collected at the pod-level granularity, allowing users to access details for each pod across various namespaces. Workload behavior is presented through both list and graphical views

List view

In the list view, users can access the selected pod’s application behavior through three types of lists:

1. File Observability: This list provides information about file access occurring inside the pod. It includes details such as which process is accessing which file within the pod. Additionally, it indicates the status of the access, whether it’s allowed, audited, or denied.
2. Process Observability: This list displays the processes executing within the pod, along with information about which pods or containers are executing those processes. It also provides details about processes that are blocked from execution within the pod.
3. Network Observability: Network Observability presents the ingress and egress connections entering and leaving the pod. It offers information regarding port numbers, the source of ingress connections, and the destination to which egress connections are intended.

Auto Discovered Policies

Existing workloads pose challenges for setting up security due to insufficient understanding of application behavior and the complexities of brownfield environments. Accuknox addresses this by offering automated policy discovery, allowing for the generation of application security policies based on observed behavior, either in a staging-like environment or directly in production. This solution helps security teams and developers quickly create usable policies for network and application security, promoting a zero-trust environment without requiring extensive manual policy writing. You can view all the auto discovered policies from Runtime Protection > Policies.

Sample Discovered Policy 

This policy allows traffic on TCP, UDP, and raw protocols from the specified path “/PEA/pea” and permits process execution for the application labeled “policy-enforcement-agent” in the namespace “accuknox-agents”.

CWPP Dashboard

The AccuKnox CWPP Dashboard offers a comprehensive overview of runtime protection for clusters through various informative widgets. These widgets include:

• Alerts Summary: Provides a summarized count of alerts generated in the cluster or a specific namespace. Details include total alerts, blocked alerts (from system block policies), and audited alerts (from audit policies).
• Compliance Summary: Displays the compliance benchmarks applied to the cluster/namespace through KubeArmor’s hardening policies. Presents information about MITRE, NIST, CIS, PCI-DSS benchmarks.
• Compliance Alerts: Graphically represents compliance alerts generated in the cluster/namespace, using distinct color coding for various compliance benchmarks like MITRE, NIST, PCI-DSS, etc.
• Namespace Severity: Offers a summary of attack severity attempted in the different namespaces within the cluster.
• Top 10 Policies by Alerts Count: Presents a graphical representation of the top 10 policies for which alerts are generated in the cluster/namespace. Useful for identifying high-alert generating policies.
• Namespace Alerts: Displays alerts specific to the selected namespace within the cluster, providing detailed information about the alerts.
• Pod Alerts: Offers insights into alerts originating from the pods running within the cluster/namespace.
• Alert-based Operations: Graphically represents alert-triggering operations such as file access, process blocks, and audits, giving users an overview of the types of alerts generated.

Alerts based on Severity: Provides information on attack severity levels that were mitigated by the runtime protection policies within the chosen cluster/namespace.

Policy Enforcement

The Policies section provides users with information about the runtime protection policies applied in the cluster. These policies are categorized as Discovered, Active, Inactive, Pending, Hardening, and more. Users can view policies based on the cluster, namespace, and policy type selected using the filters displayed on the page.

AccuKnox offers the option to view policies related to a specific namespace and workload. In addition to discovering and hardening policies, users can create custom policies using the policy editor tool.

Monitoring Logs

AccuKnox CNAPP Solution provides comprehensive visibility of the cloud assets with the help of Dashboards and logs/alerts. AccuKnox’s open-source KubeArmor can forward policy-related logs/alerts to the SaaS. Also, it can forward the container logs present in the workloads. Logs are generated in real time based on certain conditions/rules you configure on the security policies. You will get logs from four different components.

The Log Detail contents vary depending on the selected component type of the log event.

SIEM/Notification Integration

Users can use the Feeder service agent to pass the logs to other SIEM tools like Splunk, ELK, Rsyslog, etc.., Users can also forward the logs from AccuKnox SaaS using the channel integration option to these SIEM tools. Users can integrate with various SIEM and ticketing tools like Splunk, Rsyslog, AWS CloudWatch, Elastic Search, Slack, and Jira.

Conclusion

AccuKnox Enterprise enables enterprises to enforce compliance requirements, auto-discover behavioral policies, and obtain detailed visibility into their cloud-native applications through a seamless integration with D2iQ/Nutanix. AccuKnox Enterprise offers a strong line of protection against runtime threats, reducing the risk of data breaches, service interruptions, and legal penalties. It does this by integrating with industry-leading security solutions, providing real-time monitoring, and sending out alerts.

About AccuKnox	About D2iQ/Nutanix
Advanced Security for Workload on Containers/VM Prevents (detects) backdoor fetch-store-exec operations from subverted processes or embedded malicious logic Prevents unauthorized network access, file system manipulations, and process execution, termination, thread hijacking Introduces strong identity management for all cross-container communications Protects from all kinds of Zero-Day attacks through AccuKnox Zero-Trust Least permissive posture Software Supply Chain Security Vulnerability Management & Prioritization based on (SCA, SAST,  DAST, and IaC Scan) shift-left security approach through integration into the CI pipeline Cloud Infrastructure Security Detects Misconfigurations for Public/Private Clouds  Drift Detection and compliance conformance for more than 33 compliance frameworks including ISO27001, SOC2, PCI-DSS, GDPR, HIPAA, CIS, etc.	Security Unified access across remote and on-prem clusters Secure access via Traefik forward authentication (TFA) Immutable auditing of all actions Governance Dynamic Service account creation for policies and entitlements Provides Observability using open-source tools like Telegraph, Prometheus, Grafana, etc. Reduced attack surface for private data path Integration Support for 3rd party identity providers Federated RBAC Integration with multiple applications to provide monitoring, Backup and recovery, logging, etc. Operations Cost management Cluster Auto-Scaling Cluster Life Cycle Management Provisioning and importing clusters Multi-cluster management GitOps
Value Proposition for Customers
AccuKnox integration with D2iQ/Nutanix provides your cluster with the following competitive edge over any other solution: Deep visibility into all kinds of workloads with network graph view via a single management platform. Handle all kinds of operations like provisioning and dynamic service account creation for your cluster in a secure way. Improve productivity and ensure reliability of your Kubernetes cluster with a cost management and non-intrusive way of achieving comprehensive security A robust and agile solution to your clusters in terms of flexible scale requirements along with maintaining the security integrity of the cluster.