Run Confidently in Kubernetes
Sysdig Secure gives you the visibility you need to secure your modern apps built with containers, Kubernetes, and cloud services. Secure the build pipeline, detect and respond to runtime threats, enforce Kubernetes-native network segmentation, and continuously validate compliance. Sysdig Secure is a SaaS offering, built on an open source stack that includes Falco and Sysdig OSS.
Automate scanning locally in your CI/CD tools without images leaving your environment, and block vulnerabilities pre-deployment.
Validate compliance against standards like PCI, NIST, and SOC2 across the lifecycle of containers and Kubernetes.
Detect threats across containers, Kubernetes, and AWS infrastructure with out-of-the-box Falco rules based on syscalls, K8s audit logs, and AWS CloudTrail.
Visualize all network communication across apps and services. Apply microsegmentation by automating Kubernetes-native network policies.
Incident response and forensics
Conduct investigations with low level syscall data, even after the container is gone.
Risky image prevention via admission control
Block unscanned or vulnerable images from being deployed onto the cluster with the Sysdig Admission Controller. Define criteria based on flexible conditions (i.e., namespace, CVE severity level, fix availability, image size, etc.) in order for the image to be approved.
Sysdig Secure also prevents vulnerabilities early by integrating image scanning into the CI/CD pipelines and registries.
Least privilege access control for workloads
PodSecurityPolicy (PSP) is a native threat prevention and enforcement mechanism in Kubernetes. Sysdig automatically creates a least-privilege PSP for your application and validates them before you apply them in production with no performance impact. With a least-privilege PSP, you can:
- Prevent privileged pods from starting and control privilege escalation
- Restrict access to the host namespaces, network, and filesystem that the Pod can access
- Restrict the users/groups a Pod can run as
- Limit the volumes a pod can access
- Restrict other parameters like runtime profiles or read-only root filesystems
Runtime threat detection
Detect anomalous activity using community driven policies (i.e., MITRE, FIM, cryptomining, etc.) based on open source Falco. Create precise rules by using rich context from the cloud provider and Kubernetes environments. Save time with out-of-the-box rules and ML based image profiling instead of creating policies from scratch.
API security with audit logs
Alert on who did what at the Kubernetes API level based on API audit logs. For example, detect the following:
- Creation and destruction of pods, services, deployments, daemon sets, etc.
- Creating/updating/removing config maps or secrets
- Attempts to subscribe to changes to any endpoint
Vulnerabilities in Kubernetes
New Kubernetes vulnerabilities continue to be identified. Read more about the latest CVEs affecting your clusters and how to mitigate risk.
Frequently Asked Questions
Q: What is Kubernetes?
A: Kubernetes is an open-source platform for managing automated container deployment, scaling, workloads and services. Originally developed by Google and now maintained by the CNCF (Cloud Native Computing Foundation), the purpose for Kubernetes is to automate the operations, deployment, and scaling of application containers across clusters of hosts. Cloud services offered by many vendors now offer their branded version of Kubernetes.
Q: Why use Kubernetes?
A: Containers are very effective at bundling and running your applications. In production settings, there is a need to manage containers that run your applications without downtime. Kubernetes is a framework that manages distributed systems robustly as well as manages the scaling and failover of your container applications. Kubernetes stores and manages sensitive information, will restart containers that fail, automates rollbacks and rollouts, and manages automated mounts of storage systems.
Q: What is Kubernetes Security?
A: Kubernetes security mechanisms protect you against container based attacks. These attacks often occur by hackers exploiting vulnerabilities in container base images or even 3rd party libraries. It could also be due to cluster misconfigurations that allow malicious activity to go undetected at runtime or cause cloud-native applications to fall out of compliance. As a result, your teams need to embed security and compliance across the Kubernetes lifecycle. Native controls like PodSecurityPolicies, helps prevent privilege escalation and blocks threats at runtime. Using open-source Falco, you can detect and alert on malicious activity at runtime. A Kubernetes security tool that is part of your DevOps ecosystem can help you manage your cloud security risk.
Q: What is a Kubernetes Cluster?
Kubernetes pools together various nodes into a cluster to run cloud-native applications. The Kubernetes cluster contains, at minimum, a master node and a worker node. The master node maintains the desired state of the cluster, such as which applications are running and which container images they use and directly controls the worker node. Worker nodes actually run the applications and workloads. When you deploy programs onto the cluster, the master node intelligently handles distributing work to the individual nodes. If any nodes are added or removed, Kubernetes will automatically manage your cluster to match the desired state.
Q: What is difference between Kubernetes and Docker?
Kubernetes and Docker are fundamentally different technologies that work well together for building, delivering, and scaling containerized applications. Docker packages software, or microservices, into a container, to make them more portable. Kubernetes is the orchestrator that helps you scale and manage multiple Docker containers at scale.
“The fact that Sysdig is immediately compatible with Kubernetes was a big draw for us. A lot of the security around Kubernetes is new and it's kind of hard to grapple with it at first. Sysdig helps with a lot of that and we don’t have to do a lot of managing the Sysdig stack, which ultimately makes our lives easier so we can focus on debugging our own stack.”Ryan Staatz, Systems Architect at LogDNA