Kubernetes Security with Sysdig Secure

Embed security and validate compliance with secure DevOps


Run Confidently in Kubernetes

Sysdig Secure gives you the visibility you need to secure your modern apps built with containers, Kubernetes, and cloud services. Secure the build pipeline, detect and respond to runtime threats, enforce Kubernetes-native network segmentation, and continuously validate compliance. Sysdig Secure is a SaaS offering, built on an open source stack that includes Falco and Sysdig OSS.

Image Scanning

Automate scanning locally in your CI/CD tools without images leaving your environment, and block vulnerabilities pre-deployment.

Compliance

Validate compliance against standards like PCI, NIST, and SOC2 across the lifecycle of containers and Kubernetes.

Runtime Security

Detect threats across containers, Kubernetes, and AWS infrastructure with out-of-the-box Falco rules based on syscalls, K8s audit logs, and AWS CloudTrail.

Network Security

Visualize all network communication across apps and services. Apply microsegmentation by automating Kubernetes-native network policies.

Incident Response and Forensics

Conduct investigations with low-level syscall data, even after the container is gone.

Risky image prevention via admission control

Block unscanned or vulnerable images from being deployed onto the cluster with the Sysdig Admission Controller. Define the criteria an image must meet to be approved, based on flexible conditions (e.g., namespace, CVE severity level, fix availability, image size).

Sysdig Secure also prevents vulnerabilities early by integrating image scanning into the CI/CD pipelines and registries.

Least privilege access control for workloads

PodSecurityPolicy (PSP) is a native threat prevention and enforcement mechanism in Kubernetes. Sysdig automatically creates a least-privilege PSP for your application and validates it before you apply it in production, with no performance impact. With a least-privilege PSP, you can:

  • Prevent privileged pods from starting and control privilege escalation
  • Restrict access to the host namespaces, network, and filesystem that the Pod can access
  • Restrict the users/groups a Pod can run as
  • Limit the volumes a pod can access
  • Restrict other parameters like runtime profiles or read-only root filesystems
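The following PodSecurityPolicy is an added example, not a policy generated by Sysdig, showing how each of the five restrictions above maps onto PSP fields; the policy name, UID/GID ranges and volume list are assumptions for illustration.

```yaml
# Added example (not Sysdig-generated): a restrictive PodSecurityPolicy that
# implements the five controls listed above. The name, ranges and volume
# types are assumptions; tighten or relax them per workload.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: restricted-example
  annotations:
    # Runtime profiles: only the container runtime's default seccomp profile may be used.
    seccomp.security.alpha.kubernetes.io/allowedProfileNames: runtime/default
    seccomp.security.alpha.kubernetes.io/defaultProfileName: runtime/default
spec:
  # 1. No privileged pods, and no gaining privileges after start (setuid binaries, added caps).
  privileged: false
  allowPrivilegeEscalation: false
  requiredDropCapabilities:
    - ALL
  # 2. No sharing of the host's PID, IPC or network namespaces; hostPath is excluded under volumes.
  hostPID: false
  hostIPC: false
  hostNetwork: false
  # 3. Containers must run as a non-root UID, with GIDs restricted to a non-root range.
  runAsUser:
    rule: MustRunAsNonRoot
  supplementalGroups:
    rule: MustRunAs
    ranges:
      - min: 1
        max: 65535
  fsGroup:
    rule: MustRunAs
    ranges:
      - min: 1
        max: 65535
  seLinux:
    rule: RunAsAny
  # 4. Only these volume types are allowed; hostPath is deliberately absent.
  volumes:
    - configMap
    - secret
    - emptyDir
    - projected
    - persistentVolumeClaim
  # 5. The root filesystem is mounted read-only; writable paths must be explicit volumes.
  readOnlyRootFilesystem: true
```

The policy only takes effect when the PodSecurityPolicy admission plugin is enabled and the workload's service account is granted the `use` verb on it via RBAC. PodSecurityPolicy was removed in Kubernetes 1.25; on newer clusters the same restrictions are expressed through Pod Security Admission or an external admission controller.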

Configuration validation with CIS Benchmarks

Validate cluster configuration based on CIS Benchmarks for Kubernetes. Resolve violations faster with guided remediation. Run on-demand assessments and generate detailed reports to easily pass third-party audits.

Runtime threat detection

Detect anomalous activity using community-driven policies (e.g., MITRE, FIM, cryptomining) based on open source Falco. Create precise rules by using rich context from the cloud provider and Kubernetes environments. Save time with out-of-the-box rules and ML-based image profiling instead of creating policies from scratch.

API security with audit logs

Alert on who did what at the Kubernetes API level based on API audit logs. For example, detect the following:

  • Creation and destruction of pods, services, deployments, daemon sets, etc.
  • Creating/updating/removing config maps or secrets
  • Attempts to subscribe to changes to any endpoint
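As an added example (not part of Sysdig's or the Falco project's shipped rule set), the Falco rules below cover the second and third bullets: they fire on the Kubernetes audit log when a Secret or ConfigMap is created, changed or removed, and when a non-system identity opens a watch on Secrets. The macro names and the `system:` exclusion are assumptions chosen for this illustration.

```yaml
# Added example (not from Sysdig or the Falco project rule set). Rules for the
# Falco k8s_audit event source; macro names are assumptions for this example.
- macro: audit_response_complete
  # Report each request once, at the stage where the API server's response code is known.
  condition: jevt.value[/stage] in (ResponseComplete)

- macro: secret_or_configmap
  condition: ka.target.resource in (secrets, configmaps)

- macro: modify_or_delete
  condition: ka.verb in (create, update, patch, delete)

- macro: system_identity
  # Assumption: built-in controllers and kubelets are excluded from the watch rule to reduce noise.
  condition: ka.user.name startswith "system:"

- rule: Secret or ConfigMap Modified
  desc: >
    A user or service account created, changed or removed a Secret or ConfigMap
    through the Kubernetes API. Records who did it, in which namespace, and
    whether the API server accepted the request.
  condition: audit_response_complete and secret_or_configmap and modify_or_delete
  output: >
    Secret/ConfigMap modified (user=%ka.user.name verb=%ka.verb
    resource=%ka.target.resource name=%ka.target.name
    namespace=%ka.target.namespace response=%ka.response.code)
  priority: WARNING
  source: k8s_audit
  tags: [k8s, audit, secrets]

- rule: Watch Opened on Secrets
  desc: >
    A non-system identity subscribed to changes on Secrets. Application
    workloads rarely need this; it is worth reviewing which identity did it.
  condition: audit_response_complete and ka.target.resource=secrets and ka.verb=watch and not system_identity
  output: >
    Watch on secrets (user=%ka.user.name namespace=%ka.target.namespace
    response=%ka.response.code)
  priority: NOTICE
  source: k8s_audit
  tags: [k8s, audit, secrets]
```

These rules only see events the cluster's audit policy actually records; the policy must log Secret and ConfigMap requests at least at the Metadata level for the fields above to be populated.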

Kubernetes-native microsegmentation

Automatically generate least-privilege network policies using rich application and Kubernetes metadata. Visually confirm the topology before applying in production. Use a simple interface to easily modify policies without manually changing the YAML.

Deep Kubernetes visibility

Gain deep visibility into apps and services in Kubernetes using dynamic topology maps. Visualize syscall data (e.g., connections, latency, CPU usage) with Kubernetes and cloud context.

Incident response and forensics

Perform incident response using granular data enriched with Kubernetes and cloud metadata. For example, trace a kube-exec from a user down to the system activity (e.g., commands run, connections made, file activity).

Vulnerabilities in Kubernetes

New Kubernetes vulnerabilities continue to be identified. Read more about the latest CVEs affecting your clusters and how to mitigate risk.

Detecting CVE-2020-14386 with Falco and mitigating potential container escapes
Detect CVE-2020-8557 using Falco
Understanding and mitigating CVE-2020-8566: Ceph cluster admin credentials leaks…


Frequently Asked Questions

Q: What is Kubernetes?

A: Kubernetes is an open-source platform for automating the deployment and scaling of containers, workloads, and services. Originally developed by Google and now maintained by the CNCF (Cloud Native Computing Foundation), its purpose is to automate the operation, deployment, and scaling of application containers across clusters of hosts. Many cloud vendors now offer their own branded version of Kubernetes as a service.

Q: Why use Kubernetes?

A: Containers are very effective at bundling and running your applications. In production settings, there is a need to manage containers that run your applications without downtime. Kubernetes is a framework that manages distributed systems robustly as well as manages the scaling and failover of your container applications. Kubernetes stores and manages sensitive information, will restart containers that fail, automates rollbacks and rollouts, and manages automated mounts of storage systems.

Q: What is Kubernetes Security?

A: Kubernetes security mechanisms protect you against container-based attacks. These attacks often occur through attackers exploiting vulnerabilities in container base images or third-party libraries. They can also result from cluster misconfigurations that allow malicious activity to go undetected at runtime or cause cloud-native applications to fall out of compliance. As a result, your teams need to embed security and compliance across the Kubernetes lifecycle. Native controls like PodSecurityPolicies help prevent privilege escalation and block threats at runtime. Using open-source Falco, you can detect and alert on malicious activity at runtime. A Kubernetes security tool that is part of your DevOps ecosystem can help you manage your cloud security risk.

Q: What is a Kubernetes Cluster?

A: Kubernetes pools various nodes into a cluster to run cloud-native applications. A Kubernetes cluster contains, at minimum, a master node and a worker node. The master node maintains the desired state of the cluster, such as which applications are running and which container images they use, and directly controls the worker nodes. Worker nodes actually run the applications and workloads. When you deploy programs onto the cluster, the master node distributes the work across the individual nodes. If nodes are added or removed, Kubernetes automatically reconciles the cluster to match the desired state.

Q: What is the difference between Kubernetes and Docker?

A: Kubernetes and Docker are fundamentally different technologies that work well together for building, delivering, and scaling containerized applications. Docker packages software, or microservices, into containers to make them more portable. Kubernetes is the orchestrator that helps you manage and scale many Docker containers at once.

“The fact that Sysdig is immediately compatible with Kubernetes was a big draw for us. A lot of the security around Kubernetes is new and it's kind of hard to grapple with it at first. Sysdig helps with a lot of that and we don’t have to do a lot of managing the Sysdig stack, which ultimately makes our lives easier so we can focus on debugging our own stack.”

Ryan Staatz, Systems Architect at LogDNA
