Modern application architectures have become mainstream as enterprises experience the benefits of rapid application delivery. Many leverage Amazon EKS as an easy path to Kubernetes. Amazon EKS removes the pain of managing cluster operations and administration tasks: ensuring the management infrastructure is provisioned correctly, highly available, backed up, and updated.

While a managed Kubernetes offering provides a tremendous business advantage for time to market when deploying new applications, increasingly sophisticated cyber-attacks demonstrate just how relentless attackers can be in uncovering and exploiting vulnerabilities. Attackers have been quick to focus on Kubernetes clusters, resulting in recent breaches ranging from data theft to cryptojacking.

Implementing Kubernetes clusters on Amazon EKS is easy, and so should be enabling security and auditing. This is a crucial step when deploying Kubernetes clusters and should never be an afterthought. DevOps and security teams must work together by using integrated tools during implementation.


Utilizing the Proper Security and Compliance Solutions for Kubernetes

Before microservices and containers, each instance of an application or server was viewed as a unique resource. Virtual machines were managed in much the same way as physical servers. When security vulnerabilities were discovered, VMs and servers would be patched, often manually, one by one. Operational issues would be resolved by operations teams logging into the affected servers or VMs to make the necessary adjustments. The problem with this model is that each server (physical or virtual) is its own entity; there is no commonality. This approach by its very nature limits scale: there is no rational way with this model to manage tens or hundreds of thousands of containers.

In Kubernetes the definition of the services and the infrastructure is declarative. Instead of configuring the system based on what is currently running in it, such as firewall or load-balancing rules keyed to the specific IP addresses of current workloads, the configuration is expressed as declarations of what the system should do in a given situation. The declarations define the desired behavior of the system, and it is up to the system to evaluate the existing environment and compare it to that desired state. This model allows the system to self-adjust and continue to adhere to those declarations.

Kubernetes uses metadata to define any given service or resource. Labels and other metadata are attached to resources and services. A label can be applied to multiple resources, and multiple labels can be attached to a single resource.

The approach we pioneered at Tigera uses labels and metadata to create a network environment that follows a zero-trust, least-privilege model: traffic is blocked by default, even when attackers manage to penetrate the perimeter. Tigera Secure Cloud Edition (CE) was designed from the ground up with the Amazon EKS managed Kubernetes service in mind, providing container-optimized security to defend modern applications in AWS against threats. Our solution also provides network visibility and compliance monitoring, and alerts on illegitimate network traffic.
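To make the label-driven, default-deny model concrete, here is an added example of two standard Kubernetes NetworkPolicy objects (this is illustrative configuration written for this page, not Tigera's own policy or product code). It assumes a hypothetical namespace `shop` with pods labelled `app: frontend` and `app: api`; the first policy denies all ingress to every pod in the namespace, and the second re-admits only frontend-to-api traffic on port 8080 by selecting on labels rather than IP addresses.

```yaml
# Added example: default-deny ingress for the whole namespace.
# An empty podSelector matches every pod in "shop"; listing "Ingress"
# in policyTypes with no ingress rules means nothing is allowed in.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: shop          # hypothetical namespace for this example
spec:
  podSelector: {}
  policyTypes:
    - Ingress
---
# Added example: least-privilege allow rule expressed purely in labels.
# Only pods labelled app=frontend may reach pods labelled app=api,
# and only on TCP 8080. Pod IPs can change freely; the policy still holds.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-frontend-to-api
  namespace: shop
spec:
  podSelector:
    matchLabels:
      app: api             # hypothetical label on the API pods
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: frontend   # hypothetical label on the frontend pods
      ports:
        - protocol: TCP
          port: 8080
```

Both policies are applied with `kubectl apply -f` against the cluster. Note that a NetworkPolicy is only enforced when the cluster runs a network plugin that implements it (Calico on EKS does); on a cluster without such a plugin the objects are accepted by the API server but have no effect, so verifying enforcement with a test connection from a pod that should be blocked is a worthwhile check after rollout.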


Try Tigera Secure Cloud Edition (CE) for 90 days

Tigera Secure Cloud Edition enables users to deploy applications to Amazon EKS with enterprise-grade network security. This solution provides micro-segmentation of container-to-container connectivity and continuous compliance for the Amazon EKS environment. Sign up to try Tigera Secure Cloud Edition (CE) with 90 days of credit on AWS and Amazon EKS.


Additional Resources

  • Read this AWS blog on how to leverage Tigera Secure Cloud Edition on Amazon EKS
  • Check out this datasheet for more information
