Get Started

This document introduces Cisco Secure Workload and explains the supported capabilities of Kubernetes security through a series of use cases.

About this Document

This document details the primary use cases for Kubernetes security supported by Cisco Secure Workload.

The approaches in the document do not encompass all potential network requirements; rather, they serve as models for structuring your network. You can incorporate and modify features to better align with your specific needs. The document assumes that you are familiar with the Cisco Secure Workload solution.

For more information, see Cisco Secure Workload Documentation.

Cisco Secure Workload—Solution Overview

Cisco Secure Workload is a security platform that delivers zero-trust microsegmentation and other workload security capabilities through agent-based and agentless approaches across a hybrid multicloud workload environment. The platform gives organizations visibility into their applications, discovers policies automatically, and supports analysis, enforcement, and monitoring of those policies.

  1. Complete visibility into applications and workload environments involves:

    • Understanding contextualized network communications, both within the data center or public cloud and extending beyond these boundaries.

    • Identifying vulnerable software packages installed on application workloads, specifically focusing on Common Vulnerabilities and Exposures (CVEs).

    • Conducting runtime forensics and process-level monitoring on application workloads, mapping observed process behavior to MITRE ATT&CK tactics, techniques, and procedures (TTPs).

  2. Automatic discovery and analysis of policies to achieve zero-trust microsegmentation for business applications.

  3. Enforce and monitor policy compliance across various enforcement points. These enforcement points may take the form of:

    • Host firewalls, such as Linux iptables or Windows Firewall. These firewalls operate on bare metal, on virtual machines in private or public clouds, on Kubernetes nodes, or on DPUs.

    • Cloud-native firewall controls designed for public cloud workloads, such as AWS Security Groups, Azure Network Security Groups, and GCP network firewall rules.

    • Network devices, such as load balancers and network firewalls.

Figure 1. Cisco Secure Workload—Solution Overview
Diagram of a policy-driven security architecture with a Centralized Control Plane for policy discovery, analysis, and decision-making, utilizing various context sources. Policies are enforced by Policy Enforcement Points (PEPs) in a Distributed Data Plane, covering endpoints, network firewalls, and application workloads.

Kubernetes Security in Secure Workload

Kubernetes security in Cisco Secure Workload is an ongoing process. This process requires a combination of proactive measures, continuous monitoring, and adherence to best practices to establish a resilient and secure container orchestration environment. Securing Kubernetes environments is essential to mitigate potential vulnerabilities and threats.

Figure 2. Kubernetes security in Secure Workload—Architecture
A technical diagram illustrating a Kubernetes cluster architecture with three nodes, namespaces (App ns, Secure Workload ns, Kube-system ns), pods, and daemonsets. It shows interaction with the Kubernetes API and integration with a Secure Workload control plane via a connector for policy management, threat intelligence (CVEs, flows, process telemetry), and inventory tracking.

From an architectural perspective, the deployment comprises four major components:

  1. The control or management plane resides either on an on-premises Secure Workload cluster or on a Secure Workload tenant hosted as SaaS.

  2. The Secure Workload orchestrator or connector, within the management plane, queries the Kubernetes API of EKS, AKS, GKE, OpenShift, or unmanaged Kubernetes clusters. This gives the platform pod and service metadata, such as pod IDs, annotations, and labels, which is what keeps label-based policy objects current as pod and service IP addresses change.

  3. A DaemonSet is deployed to the Kubernetes or OpenShift cluster being secured, so that the Secure Workload agent pod runs continuously on every node. The node agent provides the following functions:

    1. The node agent observes network flows within the Kubernetes cluster and reports them to the Secure Workload control plane. It does this in either Conversation mode or Detailed mode.

      1. In Conversation mode, the agent aggregates flow observations over 15-second windows and reports the summaries to the control plane every 15 seconds.

      2. In Detailed mode, the agent captures every packet seen in the node network namespace or in any pod network namespace on that node and reports it to the control plane every second, at a correspondingly higher telemetry volume.

    2. The node agent also enforces policy by programming firewall rules on each node. These rules restrict lateral movement between pods, between nodes, and across the cluster boundary.

  4. Enabling the vulnerability scanner option deploys a scanner pod on one of the Kubernetes nodes. The scanner inventories every Linux container image running on the Kubernetes or OpenShift cluster and reports the associated CVEs to the management plane.
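The difference between the two reporting modes in component 3 is easiest to see on data. The following is an added example, not Secure Workload agent code: it takes a constructed set of packet observations from one node and produces, on one side, the 15-second conversation records that Conversation mode would send and, on the other, the one-second per-packet reports of Detailed mode. The record fields are this example's own choice.

```python
"""Conversation mode versus Detailed mode, simulated on constructed packets.

Added example, not Secure Workload code. Packet records are constructed
sample data for one node; timestamps are seconds since agent start.
"""
from collections import defaultdict
from dataclasses import dataclass

CONVERSATION_WINDOW = 15  # seconds, the Conversation mode interval
DETAILED_WINDOW = 1       # seconds, the Detailed mode interval


@dataclass(frozen=True)
class Packet:
    ts: float
    src: str
    dst: str
    dport: int
    proto: str
    nbytes: int


# Constructed sample traffic: one pod talking repeatedly to a service on
# another node, a DNS lookup, and a single SSH attempt from a second pod.
SAMPLE_PACKETS = [
    Packet(0.2, "10.244.1.5", "10.96.0.10", 53, "UDP", 80),
    Packet(0.9, "10.244.1.5", "10.244.2.8", 8080, "TCP", 1200),
    Packet(3.4, "10.244.1.5", "10.244.2.8", 8080, "TCP", 640),
    Packet(14.9, "10.244.1.5", "10.244.2.8", 8080, "TCP", 300),
    Packet(15.1, "10.244.1.5", "10.244.2.8", 8080, "TCP", 4100),
    Packet(16.0, "10.244.1.9", "10.0.0.12", 22, "TCP", 90),
    Packet(29.5, "10.244.1.5", "10.244.2.8", 8080, "TCP", 50),
]


def _bucket(ts, window):
    """Start time of the reporting window that contains ts."""
    return int(ts // window) * window


def conversation_mode(packets, window=CONVERSATION_WINDOW):
    """Condense packets into one record per (window, src, dst, dport, proto).

    Returns the records sorted by window start with packet and byte totals:
    the shape of what reaches the control plane every 15 seconds.
    """
    agg = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for p in packets:
        key = (_bucket(p.ts, window), p.src, p.dst, p.dport, p.proto)
        agg[key]["packets"] += 1
        agg[key]["bytes"] += p.nbytes
    records = []
    for (start, src, dst, dport, proto), totals in sorted(agg.items()):
        records.append({"window_start": start, "src": src, "dst": dst,
                        "dport": dport, "proto": proto, **totals})
    return records


def detailed_mode(packets, window=DETAILED_WINDOW):
    """Group every packet into the one-second report it would be sent in.

    Nothing is merged: the return value maps report start time to the
    list of packets carried in that report.
    """
    reports = defaultdict(list)
    for p in packets:
        reports[_bucket(p.ts, window)].append(p)
    return dict(reports)


if __name__ == "__main__":
    for record in conversation_mode(SAMPLE_PACKETS):
        print(record)
    print(len(detailed_mode(SAMPLE_PACKETS)), "one-second reports")
```

On the seven sample packets, Conversation mode yields four records (the three 8080 packets in the first window collapse into one), while Detailed mode yields six one-second reports carrying all seven packets; the ratio grows with traffic volume, which is why Conversation mode is the lighter default for busy clusters.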

End-to-End Workflow for Kubernetes Security in Secure Workload

This workflow illustrates how you can secure your Kubernetes cluster in Secure Workload:

Figure 3. Workflow of securing your Kubernetes cluster in Secure Workload

Kubernetes security in Cisco Secure Workload is an ongoing process. To maintain a secure container orchestration environment, you must have visibility into Kubernetes inventory, monitor network flows, implement zero-trust microsegmentation for workloads, and identify vulnerabilities.

Table 1. Secure your Kubernetes cluster in Secure Workload

  Step 1. Scenario: A network security engineer in an enterprise financial organization faces challenges in ensuring the security of Kubernetes clusters.

  Step 2. Is this use case for you? The target audience for the use case.

  Step 3. Prerequisites: Prerequisites for the use case.

  Step 4. Visibility into Kubernetes Inventory and Network Flows: Ensures dynamic monitoring of pod and service IP addresses, and facilitates the construction of dynamic policy objects within Secure Workload.

Table 2. Implement zero-trust microsegmentation for Kubernetes-based workloads

  Step 1. Scenario: Modern enterprise applications run in hybrid multicloud environments, which introduces challenges in securing applications and data.

  Step 2. Is this use case for you? The target audience for the use case.

  Step 3. Prerequisites: Prerequisites for the use case.

  Step 4. Zero-Trust Microsegmentation for Kubernetes Workloads: Microsegmentation divides the network into smaller, isolated segments and controls the lateral movement of threats.
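The visibility use case (Table 1) and the microsegmentation use case (Table 2) rest on the same chain from the architecture section: the connector reads pod metadata from the Kubernetes API, label selectors turn that metadata into policy objects whose member IP addresses follow the pods as they are rescheduled, and the node agent enforces the resulting allow-list as host firewall rules. The following added example, which is not Secure Workload code, walks through that chain on a constructed pod list. The JSON is a trimmed, constructed `kubectl get pods -A -o json` document; the selector format, the policy format, and the use of the iptables FORWARD chain are this example's own assumptions, not the product's.

```python
"""From Kubernetes pod metadata to label-based policy objects to per-node rules.

Added example, not Secure Workload code. POD_LIST_JSON is a constructed,
trimmed pod list; POLICY and the rule format are this example's own.
"""
import json

POD_LIST_JSON = """
{"items": [
  {"metadata": {"name": "frontend-1", "namespace": "shop",
                "labels": {"app": "frontend", "tier": "web"}},
   "spec": {"nodeName": "node-a"}, "status": {"podIP": "10.244.1.5"}},
  {"metadata": {"name": "frontend-2", "namespace": "shop",
                "labels": {"app": "frontend", "tier": "web"}},
   "spec": {"nodeName": "node-b"}, "status": {"podIP": "10.244.2.3"}},
  {"metadata": {"name": "api-1", "namespace": "shop",
                "labels": {"app": "api", "tier": "backend"}},
   "spec": {"nodeName": "node-b"}, "status": {"podIP": "10.244.2.8"}},
  {"metadata": {"name": "db-1", "namespace": "shop",
                "labels": {"app": "db", "tier": "data"}},
   "spec": {"nodeName": "node-a"}, "status": {"podIP": "10.244.1.9"}},
  {"metadata": {"name": "pending-1", "namespace": "shop",
                "labels": {"app": "api"}},
   "spec": {"nodeName": "node-a"}, "status": {}}
]}
"""


def load_inventory(pod_list_json):
    """One record per pod that has an IP: name, namespace, node, ip, labels.

    Pods without an assigned IP (still pending) are skipped; no enforcement
    rule can be written for an address that does not exist yet.
    """
    inventory = []
    for item in json.loads(pod_list_json)["items"]:
        ip = item.get("status", {}).get("podIP")
        if not ip:
            continue
        md = item["metadata"]
        inventory.append({"name": md["name"], "namespace": md["namespace"],
                          "node": item["spec"]["nodeName"], "ip": ip,
                          "labels": md.get("labels", {})})
    return inventory


def resolve(inventory, selector):
    """A policy object: the sorted pod IPs whose labels match every key/value.

    Re-running this against a fresh inventory is what makes the object
    dynamic; the policy itself never mentions an IP address.
    """
    return sorted(p["ip"] for p in inventory
                  if all(p["labels"].get(k) == v for k, v in selector.items()))


# Allow-list between policy objects. Anything not listed is dropped.
POLICY = [
    {"consumer": {"app": "frontend"}, "provider": {"app": "api"},
     "proto": "tcp", "port": 8080},
    {"consumer": {"app": "api"}, "provider": {"app": "db"},
     "proto": "tcp", "port": 5432},
]


def render_node_rules(inventory, policy, node, chain="FORWARD"):
    """Render the iptables rules for one node's enforcement point.

    Only rules whose provider pod runs on this node are emitted, since that
    node is where the traffic is accepted or dropped. The chain name is an
    assumption for illustration; the real hook point depends on the CNI.
    """
    local_ips = {p["ip"] for p in inventory if p["node"] == node}
    # Replies to allowed connections must pass before any DROP is evaluated.
    rules = [f"iptables -A {chain} -m conntrack "
             f"--ctstate ESTABLISHED,RELATED -j ACCEPT"]
    for rule in policy:
        for dst in resolve(inventory, rule["provider"]):
            if dst not in local_ips:
                continue
            for src in resolve(inventory, rule["consumer"]):
                rules.append(f"iptables -A {chain} -s {src} -d {dst} "
                             f"-p {rule['proto']} --dport {rule['port']} -j ACCEPT")
    # Default deny towards every pod hosted on this node.
    rules.extend(f"iptables -A {chain} -d {ip} -j DROP" for ip in sorted(local_ips))
    return rules


if __name__ == "__main__":
    inv = load_inventory(POD_LIST_JSON)
    for node_name in ("node-a", "node-b"):
        print(f"# {node_name}")
        print("\n".join(render_node_rules(inv, POLICY, node_name)))
```

Two properties worth checking when you adopt this pattern: a pending pod contributes no rule until it has an IP, so the default deny covers it the moment it starts; and rescheduling a pod (new IP) changes only the rendered rules, never the policy, because membership is resolved from labels at render time.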

Table 3. Identify vulnerabilities using the pod scanner

  Step 1. Scenario: A security analyst and a DevOps engineer collaborate to manage vulnerabilities in a Kubernetes cluster with the Secure Workload scanner pod.

  Step 2. Is this use case for you? The target audience for the use case.

  Step 3. Prerequisites: Prerequisites for the use case.

  Step 4. Pod Vulnerability Scanning: The Secure Workload scanner pod provides visibility into all the software packages and vulnerabilities associated with container images running on the Kubernetes cluster.
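The core of what a scanner pod does with an image is compare the versions of the packages it finds against the affected version ranges in an advisory feed. The following added example, which is not the Secure Workload scanner, shows that matching on constructed input. The image names and package lists are constructed; the two advisory entries correspond to published CVEs (CVE-2021-3711, OpenSSL 1.1.1 through 1.1.1k, fixed in 1.1.1l; CVE-2023-38545, curl 7.69.0 through 8.3.0, fixed in 8.4.0), but the feed format itself is this example's own.

```python
"""Match installed package versions against an advisory feed.

Added example, not Secure Workload scanner code. IMAGE_PACKAGES is a
constructed inventory; ADVISORIES is a constructed feed whose two entries
mirror published CVE version ranges.
"""
import re


def version_key(version):
    """Tokenise '1.1.1k' into ((0,1),(0,1),(0,1),(1,'k')) for ordering.

    Numeric components compare as integers (so 7.69 > 7.7, which a plain
    string comparison gets wrong) and a letter suffix sorts after the bare
    number it extends. Simplification: distro package versions with epochs
    and revisions need the distro's own comparison rules.
    """
    return tuple((0, int(t)) if t.isdigit() else (1, t)
                 for t in re.findall(r"\d+|[A-Za-z]+", version))


ADVISORIES = [
    {"id": "CVE-2021-3711", "package": "openssl",
     "introduced": "1.1.1", "fixed_in": "1.1.1l"},
    {"id": "CVE-2023-38545", "package": "curl",
     "introduced": "7.69.0", "fixed_in": "8.4.0"},
]

# Constructed package inventories for two images running on the cluster.
IMAGE_PACKAGES = {
    "registry.example/shop/api:1.4": [
        ("openssl", "1.1.1k"), ("curl", "8.3.0"), ("zlib", "1.2.13")],
    "registry.example/shop/frontend:2.0": [
        ("openssl", "1.1.1l"), ("curl", "7.68.0")],
}


def is_affected(version, advisory):
    """True when introduced <= version < fixed_in."""
    key = version_key(version)
    return (version_key(advisory["introduced"]) <= key
            < version_key(advisory["fixed_in"]))


def scan_image(packages, advisories=ADVISORIES):
    """Findings for one image: package, version, CVE id, and fixing version."""
    findings = []
    for name, ver in packages:
        for adv in advisories:
            if adv["package"] == name and is_affected(ver, adv):
                findings.append({"package": name, "version": ver,
                                 "cve": adv["id"], "fixed_in": adv["fixed_in"]})
    return findings


def scan_cluster(images, advisories=ADVISORIES):
    """Map each image to its findings, the shape reported to the management plane."""
    return {image: scan_image(pkgs, advisories) for image, pkgs in images.items()}


if __name__ == "__main__":
    for image, findings in scan_cluster(IMAGE_PACKAGES).items():
        print(image, "->", findings or "no known vulnerabilities")
```

The frontend image comes back clean for two different reasons that a scanner has to distinguish: its OpenSSL is already at the fixed version, and its curl predates the version in which the bug was introduced. Getting either boundary wrong produces false positives that the DevOps engineer will learn to ignore, so the version comparison deserves the same scrutiny as the feed.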