
Better Kubernetes Security with AccuKnox and Kyverno Integration
Enhance your Kubernetes security posture with seamless integration of AccuKnox and Kyverno. This combination simplifies policy management, automates enforcement, and ensures compliance with industry standards. This blog will also show you how to use AdmissionPolicies to prevent unauthorized deployments and the deployment of privileged containers.
Kubernetes, the powerful container orchestration platform, has revolutionized how applications are deployed and managed. However, this flexibility comes with increased security risks. Malicious actors can exploit vulnerabilities, unauthorized deployments can occur, and resource limits can be exceeded. This can lead to data breaches, system instability, and severe financial losses. To mitigate these risks, Kubernetes employs admission controllers, which act as gatekeepers, scrutinizing every object (like pods, deployments, and services) before it enters the cluster. Kyverno is a popular open-source policy engine for Kubernetes. It allows you to define and enforce rules for your cluster, ensuring adherence to security best practices and organizational policies.
AccuKnox introduces a policy specification framework called AdmissionPolicies, designed to enforce security controls at the Kubernetes admission level. Instead of building a new admission controller engine from scratch, it leverages existing policy engines to provide robust and extensible security enforcement. Our KnoxGuard module operates on top of these policy engines to provide simple policy management and enforcement.
In the initial phase, AccuKnox integrated KnoxGuard with the widely used Kyverno Policy Engine, ensuring users could easily adopt our solution without disrupting their existing workflows.


https://www.redhat.com/en/resources/kubernetes-adoption-security-market-trends-overview
Attack Scenarios AccuKnox Defends Against
- Preventing privileged pod deployments
- Allowing deployments from certain registry patterns
- Blocking deployments from specific registry patterns

The 2024 State of Production Kubernetes survey reveals that enterprise adoption of Kubernetes continues to grow, with key challenges including complexity and security.
How KnoxGuard Works with Kyverno
When users define AdmissionPolicies through KnoxGuard, the module internally converts them into corresponding Kyverno policies and applies them to the Kubernetes cluster. This seamless integration allows organizations to benefit from enhanced policy management without complex reconfigurations.
Key Benefits
- No Disruption: No changes are required if you are already using Kyverno. Simply deploy KnoxGuard to leverage AccuKnox’s AdmissionPolicies.
- Future-Proof: The architecture allows for future integrations with additional policy engines.
- Simplified Management: Centralized policy definition and automatic conversion into Kyverno-compatible rules.
- Enhanced Security: Enforce fine-grained security controls with minimal effort.

Steps for Deploying KnoxGuard with Kyverno
Step 1: Install agents using version v0.8.5

```shell
helm upgrade --install agents oci://registry-1.docker.io/accuknox/accuknox-agents \
  --version "v0.9.1" \
  --set joinToken="ba39b0ba-d615-4005-848d-7fbdf72c4729" \
  --set spireHost="spire.dev.accuknox.com" \
  --set ppsHost="pps.dev.accuknox.com" \
  --set knoxGateway="knox-gw.dev.accuknox.com:3000" \
  --set admissionController.enabled=true \
  --set kyverno.enabled=true \
  -n agents --create-namespace
```
Step 2: Check deployments

- Ensure Kyverno is installed:
  - If Kyverno is already installed on your cluster, KnoxGuard works without any additional configuration.
  - If Kyverno is not installed, KnoxGuard can optionally install it during deployment.
- Deploy KnoxGuard: install KnoxGuard using the Helm chart:

  ```shell
  helm upgrade --install knoxguard oci://public.ecr.aws/k9v9d5v2/knoxguard-chart --version=v0.2.0 -n knoxguard --create-namespace
  ```

- Define AdmissionPolicies:
  - Create your policies in KnoxGuard’s format; they are automatically translated into Kyverno policies.
- Verify policies: use kubectl to check the applied policies.
  - Check the KnoxGuard policy: `kubectl get admissionpolicy`
  - Check the generated Kyverno policy: `kubectl get clusterpolicy`

Use Case – Whitelist ECR Repository Policy
Supported AdmissionPolicy Rules
KnoxGuard currently supports the following rules:
| Policy Rule | Description |
| --- | --- |
| Deny Privileged Pod Deployment | Prevents deployment of privileged pods, with namespace scope support. |
| Allow Deployments from Registry Patterns | Permits deployments from specified registry patterns, with namespace scope support. |
| Block Deployments from Registry Patterns | Blocks deployments from certain registry patterns, with namespace scope support. |
In addition, each rule accepts “target namespace” and “ignore namespace” settings, so you can restrict a rule to specific namespaces or exempt namespaces from it. The AccuKnox SaaS platform also allows users to create rules specific to namespaces. Additional rules are planned for future releases.
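To make the translation described in “How KnoxGuard Works with Kyverno” and the three rules in the table above concrete, here is what the equivalent Kyverno ClusterPolicies look like when written by hand. This is an added example, not KnoxGuard’s generated output or the project’s own code: the namespace names (`kube-system`, `knoxguard`, `prod`), the `<aws-account-id>` / `<region>` ECR placeholder and the blocked `docker.io` registry are assumptions chosen for illustration.

```yaml
# Added example: hand-written Kyverno equivalents of the three KnoxGuard rules.
# Rule 1: Deny Privileged Pod Deployment, with "ignore namespace" scope.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: deny-privileged-containers
spec:
  validationFailureAction: Enforce   # reject the request instead of only auditing it
  background: true                   # also report existing pods that violate the rule
  rules:
    - name: privileged-containers
      match:
        any:
          - resources:
              kinds:
                - Pod
      exclude:                        # "ignore namespace": assumed system namespaces
        any:
          - resources:
              namespaces:
                - kube-system
                - knoxguard
      validate:
        message: "Privileged containers are not allowed."
        pattern:
          spec:
            # =(field) means "if the field is present, it must match"
            =(ephemeralContainers):
              - =(securityContext):
                  =(privileged): "false"
            =(initContainers):
              - =(securityContext):
                  =(privileged): "false"
            containers:
              - =(securityContext):
                  =(privileged): "false"
---
# Rule 2: Allow Deployments from Registry Patterns, with "target namespace" scope.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: allow-only-approved-ecr
spec:
  validationFailureAction: Enforce
  background: false
  rules:
    - name: approved-ecr-images
      match:
        any:
          - resources:
              kinds:
                - Pod
              namespaces:             # "target namespace": assumed production namespace
                - prod
      validate:
        message: "Images in this namespace must come from the approved ECR registry."
        pattern:
          spec:
            # Placeholder registry; replace with your own account id and region.
            =(initContainers):
              - image: "<aws-account-id>.dkr.ecr.<region>.amazonaws.com/*"
            containers:
              - image: "<aws-account-id>.dkr.ecr.<region>.amazonaws.com/*"
---
# Rule 3: Block Deployments from Registry Patterns, cluster-wide.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: block-dockerhub-images
spec:
  validationFailureAction: Enforce
  background: false
  rules:
    - name: block-dockerhub
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        message: "Images from docker.io are blocked in this cluster."
        deny:
          conditions:
            any:
              # Kyverno's images variable normalises short names such as "nginx"
              # to registry "docker.io", so implicit Docker Hub references are caught too.
              - key: "{{ images.containers.*.registry }}"
                operator: AnyIn
                value:
                  - docker.io
              - key: "{{ images.initContainers.*.registry }}"
                operator: AnyIn
                value:
                  - docker.io
```

Apply the file with `kubectl apply -f` and confirm the policies were admitted with `kubectl get clusterpolicy`; a pod that violates one of them is rejected at admission with the `message` text, and with `background: true` the privileged-container rule also surfaces pre-existing violations in Kyverno’s policy reports.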
Simplifying Admission Policies with AccuKnox
With AccuKnox, users no longer need to directly interact with Kyverno. The entire Admission Policy lifecycle is managed through the platform, from creation to deletion, ensuring a seamless experience. The lifecycle consists of the following stages:
- Discovery Policy and Custom Policy Creation:
  - AccuKnox automatically discovers applicable admission policies based on onboarded Kubernetes cluster data and associated container registries.
  - Upon cluster onboarding, AccuKnox recommends best-practice Admission Controller Hardening Policies.
  - When container registries are onboarded, AccuKnox recommends policies for those registries.
  - Users can define custom policies and make use of the upload YAML feature.
  - Users can apply these recommendations with a single click, without needing to manually write or configure policies.
- Policy Deployment:
  - Users can apply policies with a single click, without needing to manually write or configure policies.
  - KnoxGuard converts these definitions into Kyverno-compatible policies and applies them to the cluster automatically.
- Policy Alerts:
  - Policy alerts are provided via the AccuKnox Alerts Page.
- Policy Deletion and Cleanup:
  - When policies are no longer required, you can safely remove them from clusters by inactivating or deleting them.
- Policy Updates:
  - New hardening policies will be continuously added by AccuKnox to strengthen security.
  - Users receive recommendations to update or refine discovered policies based on their container registry configurations.

\* The policy updates and discovered policy features are in the pipeline.
Differentiators
AccuKnox acts as a centralized policy management layer, simplifying and automating admission control across Kubernetes clusters. The key roles include:
- End-to-end Automation: Users don’t need to manually interact with Kyverno; all policy creation, deployment, and monitoring are managed through the AccuKnox portal.
- Best Practice Recommendations: AccuKnox suggests optimal policies tailored to the user’s infrastructure to ensure secure Kubernetes deployments with minimal effort.
- Seamless Policy Enforcement: KnoxGuard translates high-level security requirements into actionable Kyverno policies and ensures they are consistently enforced across clusters.
- Namespace-Specific Controls: Users can apply policies to specific namespaces or exclude namespaces from enforcement as needed.
- Centralized Visibility and Analytics: Provides a consolidated view of applied policies, violations, and recommendations across multiple clusters via a user-friendly dashboard.
- Open-Source KnoxGuard Deployment: use the help command to get started with our CLI. The Helm chart is published at `oci://public.ecr.aws/k9v9d5v2/knoxguard-chart`.

Summary
- Integrating AccuKnox with Kyverno provides a powerful and efficient way to enhance Kubernetes security. By leveraging Admission Policies and Kyverno’s capabilities, you can simplify policy management, automate enforcement, and ensure your Kubernetes deployments are secure and compliant.
- We are expanding KnoxGuard’s capabilities by integrating with additional admission controller policy engines, ensuring broader compatibility and enhanced security controls across various Kubernetes environments.
- AccuKnox provides a scalable and efficient way to manage Kubernetes admission policies without disrupting existing infrastructure. Organizations can easily enforce security best practices while maintaining flexibility for future enhancements.
- To learn more about AccuKnox’s features and how they can enhance your organization’s security, Book a Demo or View Product Tour