Securing Managed Kubernetes with Prisma Cloud
For most organizations, running containers is a great way to speed up the application lifecycle. This approach
is quickly becoming a standard—according to the 2019 Cloud Native Computing Foundation (CNCF) survey,
84% of respondents are using containers in production.1
Kubernetes®—an orchestration engine used to automate deployment, scaling, and management of
containerized workloads—takes containerized development a step further, allowing full automation of
these builds straight into the running environment. Kubernetes adds high availability to running containers,
splitting the workloads for a single application among multiple nodes.
The same CNCF survey found that 78% of respondents are using Kubernetes in production,2 with top
growth coming from managed Kubernetes platforms like Amazon Elastic Kubernetes Service (EKS),
Google Kubernetes Engine (GKE), and Azure Kubernetes Service (AKS). These managed services enable
companies to focus their own resources and talent on more impactful functions.
1. “CNCF Survey 2019,” Cloud Native Computing Foundation, March 4, 2020, https://www.cncf.io/wp-content/uploads/2020/03/CNCF_Survey_Report.pdf.
2. Ibid.
Prisma by Palo Alto Networks | Securing Managed Kubernetes with Prisma Cloud | Brief 1
Open Source vs. Managed Kubernetes
While maintaining Kubernetes infrastructure can be a necessary evil for workloads not approved for the cloud, managed Kubernetes
environments add a level of ease for end users. Managed Kubernetes platforms deploy in a secure and production-ready fashion within
minutes, taking all master node operations away from the user and allowing them to focus on their own containers.
Figure 1: Managed Kubernetes services architecture (master components kube-apiserver, kube-scheduler, kube-controller-manager, and
etcd are the CSP’s responsibility; worker components kubelet, kube-proxy, container runtime, and pods are the user’s responsibility)
Kubernetes Node Types
Master
A master node serves as the controller for worker nodes. Master nodes comprise four components:
• Etcd—a distributed key-value store. This is the foundation of Kubernetes, used for storing and replicating critical data for distributed
systems. All metadata, configuration, and state data is managed within this database.
• Kube-apiserver—the scalable API server used as the front end of the Kubernetes control plane. Through the use of REST operations
via external communication, it handles the cluster’s shared state of components.
• Kube-controller-manager—a control plane component made up of node, replication, endpoint, and service account and token
controllers. These individual controllers are run as a single process to reduce complexity.
• Kube-scheduler—a control plane component that determines which node a newly created pod will run on.
Worker
A worker node is where end user container workloads are run. Worker nodes comprise three components:
• Kubelet—an agent that runs on each node to ensure that all containers created in Kubernetes are running as expected and healthily.
• Kube-proxy—a network proxy running on each node to maintain network rules across the cluster. Kube-proxy ensures that
communication can reach your pods.
• Container runtime—the underlying component that runs containers. Docker® is the most recognizable, but Kubernetes also supports
containerd®, CRI-O, or anything created with the Kubernetes container runtime interface (CRI).
RBAC
Kubernetes role-based access control (RBAC) is an additive, allow list-based security model that can limit resources to specific roles
and users within the cluster. This enables segmentation within the cluster at an authorization level.
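The following manifests are an added example and are not part of the brief or of Prisma Cloud; they show what the additive, allow-list model looks like in practice. A namespaced Role grants only read access to Pods and their logs, and a RoleBinding attaches it to one ServiceAccount. The namespace name "payments" and the ServiceAccount name "deploy-bot" are constructed placeholders.

```yaml
# Added example (not from the brief): least-privilege RBAC for one workload identity.
# Namespace "payments" and ServiceAccount "deploy-bot" are constructed names.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: deploy-bot
  namespace: payments
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-reader
  namespace: payments
rules:
  # RBAC rules only ever grant; there is no "deny" rule. Anything not listed
  # here (delete, pods/exec, secrets, other namespaces) stays forbidden.
  - apiGroups: [""]
    resources: ["pods", "pods/log"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: deploy-bot-pod-reader
  namespace: payments
subjects:
  - kind: ServiceAccount
    name: deploy-bot
    namespace: payments
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
```

After applying the file with kubectl apply -f, the effective permissions can be checked by impersonating the service account: kubectl auth can-i get pods -n payments --as=system:serviceaccount:payments:deploy-bot should answer yes, while the same query with delete pods or with -n of another namespace should answer no. Because every binding adds to the union of what a subject may do, the same check is worth running against any identity that also holds a ClusterRoleBinding, since a broad cluster-wide grant silently overrides the narrow intent of a Role like this one.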
Securing Managed Kubernetes with Prisma Cloud™
Prisma Cloud has API connectivity with Amazon Web Services (AWS®), Microsoft Azure®, Google Cloud Platform (GCP®), and Alibaba
Cloud to provide visibility at the cloud layer and identify potential risks in the environment. In addition, Prisma Cloud Defenders are
security agents that can be deployed on the aforementioned cloud providers, as well as any other managed Kubernetes distribution, to
provide full-stack protection in containerized environments.
Figure 2: Secured managed Kubernetes stack (a unified agent framework extends protection to workloads and apps on managed Kubernetes
clusters such as AKS, EKS, GKE, and more, while Prisma Cloud continually ingests and monitors data via cloud provider APIs, such as
policy status and network logs, across VPCs, permissions, resources, and storage/DB)
Prisma Cloud helps secure each step of the containerized development lifecycle: build, deploy, and run.
Build
• Integrated development environments (IDE): Scan infrastructure as code (IaC) and application deployment YAML within the
developer’s IDE, such as Visual Studio Code and IntelliJ IDEA, and compare against existing IaC policies within Prisma Cloud.
• Software configuration management (SCM): Scan IaC and application deployment YAML within your SCM, such as GitHub® or
GitLab®, and compare against existing IaC policies within Prisma Cloud.
• Continuous integration (CI): Scan IaC and application images at build time, allowing you to gain visibility and gate which applications
are able to run in your environment.
Figure 3: Container image scan results in Jenkins
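As an added illustration of the kind of application deployment YAML an IaC scan compares against policy, here is a constructed Deployment written twice: first with settings that weaken container isolation, then with the same workload under a restrictive security context. This is not from the brief and is not a Prisma Cloud policy definition; which settings a given policy set flags is assumed here, following the CIS Kubernetes benchmark and the Kubernetes Pod Security Standards "restricted" profile. The namespace, image reference, and labels are placeholders.

```yaml
# Added example (not from the brief). The first manifest grants the container
# effectively host-level access; the second keeps the workload but removes the
# privileges. Namespace, image name and digest are constructed placeholders.
---
# BEFORE: settings a policy check against the CIS benchmark would typically flag
apiVersion: apps/v1
kind: Deployment
metadata:
  name: api-weak
  namespace: demo
spec:
  replicas: 1
  selector:
    matchLabels: { app: api-weak }
  template:
    metadata:
      labels: { app: api-weak }
    spec:
      containers:
        - name: api
          image: registry.example.com/api:latest   # floating tag, not pinned
          securityContext:
            privileged: true                       # host devices and kernel reachable
            runAsUser: 0                           # runs as root
---
# AFTER: same workload, hardened
apiVersion: apps/v1
kind: Deployment
metadata:
  name: api-hardened
  namespace: demo
spec:
  replicas: 1
  selector:
    matchLabels: { app: api-hardened }
  template:
    metadata:
      labels: { app: api-hardened }
    spec:
      automountServiceAccountToken: false          # no API credentials unless needed
      securityContext:
        runAsNonRoot: true                         # kubelet refuses a root image
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: api
          image: registry.example.com/api@sha256:<digest-placeholder>  # pinned by digest
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop: ["ALL"]
          resources:
            limits: { cpu: "500m", memory: "256Mi" }
            requests: { cpu: "100m", memory: "128Mi" }
```

Scanning the first manifest in the IDE or SCM surfaces the privileged and root settings before the change is merged; scanning the second confirms it stays within policy. The hardened form also fails fast at runtime if the image itself expects root, since runAsNonRoot makes the kubelet reject the container rather than start it with elevated rights.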
Deploy
• Registry: Scan all images in your container image repositories and gain visibility into the vulnerability and compliance posture of
those images. This provides continuous monitoring and control over what can be deployed into your running environments.
Figure 4: Container image registry scan results
Run
• Visibility: Get continuous monitoring and visibility into the services and resources in your cloud environment, giving you the
information you need to run it securely and safely. This includes information about managed Kubernetes clusters in use in your organization.
Figure 5: Kubernetes cluster investigation detail
• Vulnerability management: Source data from multiple upstream providers into a single intelligence stream. This data is then surfaced
in real time across every pod or container deployed in your environment.
• Compliance: Review compliance checks for the entire cloud infrastructure, including official certification for the Center for Internet
Security (CIS) Docker and Kubernetes benchmarks. From the cloud provider itself down to the individual applications running, Prisma
Cloud makes sure your environment stays compliant with the controls your industry puts in place.
• Runtime protection: Prisma Cloud uses machine learning to create an allow list of application containers. This lets the platform
define known-good behaviors within your container’s processes, networking, and file system reads/writes.
• Network protection: Utilize a Layer 4 container-aware virtual firewall to protect east-west connections between pods and provide
traffic flow visibility on Radar through the use of machine learning.
Figure 6: Network topology and container security visualization
About Prisma Cloud
Prisma Cloud is the comprehensive Cloud Native Security Platform with the industry’s broadest security and compliance coverage—
for applications, data, and the entire cloud native technology stack—throughout the development lifecycle and across hybrid and
multi-cloud environments. Prisma Cloud takes an integrated approach that enables security operations and DevOps teams to stay
agile, collaborate effectively, and securely accelerate cloud native application development and deployment.
3000 Tannery Way
Santa Clara, CA 95054
Main: +1.408.753.4000
Sales: +1.866.320.4788
Support: +1.866.898.9087
www.paloaltonetworks.com
© 2020 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our trademarks can be
found at https://www.paloaltonetworks.com/company/trademarks.html. All other marks mentioned herein may be trademarks of their
respective companies. securing-managed-kubernetes-with-prisma-cloud-b-063020