Fairwinds Updates Polaris Open Source Policy Engine With New Security Checks

Polaris helps to assess Kubernetes security posture

Fairwinds, the leading provider of Kubernetes governance software, today announced it has added new security checks to Polaris, the open source Kubernetes policy-as-code tool. The new checks enable security engineers and DevOps teams responsible for infrastructure to better secure and harden their Kubernetes workloads.

The new Polaris security updates let security and DevOps teams collaborate on specific and actionable ways to secure Kubernetes clusters and workloads. These additions help overworked teams automate steps to monitor and secure access to clusters and make recommendations on protecting application workloads. Specific security checks that have been added to Polaris include:

  • ServiceAccount tokens are automatically mounted: detects workloads that automatically have credentials that may be used to access clusters, helping to prevent unauthorized access;
  • Accompanying NetworkPolicy: ensures there is a namespaced Kubernetes NetworkPolicy for each workload, which firewalls workload inter-communication to increase security;
  • Hardening of Linux workloads: confirms a workload uses either AppArmor, dropping Linux capabilities, SELinux, or a seccomp profile to grant workloads the minimal privileges needed to function, which minimizes an attacker's ability to gain access to other workloads in the cluster;
  • Exec or attach to a pod: detects role-based access control (RBAC) that allows exec or attaching to a container, limiting other commands and protecting workloads from unauthorized access or data exfiltration; and
  • Cluster admin permission: helps achieve the security principle of least privilege by detecting RBAC that allows cluster admin permissions, reducing the opportunity and scope for potential attackers.
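To make the five checks above concrete, here is an added example (written for this page, not Polaris's own code) that evaluates toy versions of each check over Kubernetes manifests. The manifests are constructed inline as Python dicts, the shape `yaml.safe_load` would return, so it runs with no cluster and no extra libraries; the object names, labels and check identifiers are assumptions chosen for the example.

```python
# Added example, not Polaris code: toy versions of the five checks described above.
# Manifests are constructed inline as dicts (what yaml.safe_load returns), so this
# runs offline. Field names follow the Kubernetes API; names/labels are made up.

APPARMOR_PREFIX = "container.apparmor.security.beta.kubernetes.io/"

def pod_spec(workload):
    """Pod spec of a Deployment/StatefulSet/DaemonSet-style workload."""
    return workload["spec"]["template"]["spec"]

def pod_meta(workload):
    return workload["spec"]["template"].get("metadata", {})

def automounts_sa_token(workload):
    """True if the pod will receive a ServiceAccount token. The API default
    (field absent) is to mount it, so absence is a finding."""
    return pod_spec(workload).get("automountServiceAccountToken", True)

def has_network_policy(workload, policies):
    """True if a NetworkPolicy in the workload's namespace selects its pods
    (an empty podSelector selects every pod in the namespace)."""
    ns = workload["metadata"].get("namespace", "default")
    labels = pod_meta(workload).get("labels", {})
    for pol in policies:
        if pol["metadata"].get("namespace", "default") != ns:
            continue
        wanted = pol["spec"].get("podSelector", {}).get("matchLabels", {})
        if all(labels.get(k) == v for k, v in wanted.items()):
            return True
    return False

def is_linux_hardened(workload):
    """True if AppArmor, seccomp, SELinux or dropped capabilities is set at the
    pod level or on any container."""
    annotations = pod_meta(workload).get("annotations", {})
    if any(k.startswith(APPARMOR_PREFIX) for k in annotations):
        return True
    contexts = [pod_spec(workload).get("securityContext", {})]
    contexts += [c.get("securityContext", {}) for c in pod_spec(workload).get("containers", [])]
    return any("seccompProfile" in sc or "seLinuxOptions" in sc
               or sc.get("capabilities", {}).get("drop") for sc in contexts)

def rule_grants(rule, api_group, resource, verb):
    """Does one RBAC rule grant verb on resource (wildcards honoured)?"""
    return (("*" in rule.get("apiGroups", []) or api_group in rule.get("apiGroups", []))
            and ("*" in rule.get("resources", []) or resource in rule.get("resources", []))
            and ("*" in rule.get("verbs", []) or verb in rule.get("verbs", [])))

def allows_exec_or_attach(role):
    """Role/ClusterRole with a rule that lets a subject exec or attach into pods."""
    return any(rule_grants(r, "", sub, "create")
               for r in role.get("rules", []) for sub in ("pods/exec", "pods/attach"))

def grants_cluster_admin(binding, roles):
    """ClusterRoleBinding to the built-in cluster-admin role, or to any ClusterRole
    whose rules are all-wildcard (functionally the same thing)."""
    if binding["kind"] != "ClusterRoleBinding":
        return False
    name = binding["roleRef"]["name"]
    if name == "cluster-admin":
        return True
    role = next((r for r in roles if r["metadata"]["name"] == name), None)
    return bool(role) and any(rule_grants(r, "*", "*", "*") for r in role.get("rules", []))

def findings(workloads, policies, roles, bindings):
    """Collect (object name, check) pairs, the way a policy report would list them."""
    out = []
    for w in workloads:
        n = w["metadata"]["name"]
        if automounts_sa_token(w): out.append((n, "automountServiceAccountToken"))
        if not has_network_policy(w, policies): out.append((n, "missingNetworkPolicy"))
        if not is_linux_hardened(w): out.append((n, "linuxHardening"))
    for r in roles:
        if allows_exec_or_attach(r): out.append((r["metadata"]["name"], "rbacExecOrAttach"))
    for b in bindings:
        if grants_cluster_admin(b, roles): out.append((b["metadata"]["name"], "clusterAdmin"))
    return out

# --- constructed sample manifests (not from any real cluster) ---
UNHARDENED = {"kind": "Deployment", "metadata": {"name": "web", "namespace": "shop"},
    "spec": {"template": {"metadata": {"labels": {"app": "web"}},
                          "spec": {"containers": [{"name": "web", "image": "web:1"}]}}}}
HARDENED = {"kind": "Deployment", "metadata": {"name": "api", "namespace": "shop"},
    "spec": {"template": {"metadata": {"labels": {"app": "api"}}, "spec": {
        "automountServiceAccountToken": False,
        "securityContext": {"seccompProfile": {"type": "RuntimeDefault"}},
        "containers": [{"name": "api", "image": "api:1",
                        "securityContext": {"capabilities": {"drop": ["ALL"]}}}]}}}}
POLICIES = [{"kind": "NetworkPolicy", "metadata": {"name": "api-only", "namespace": "shop"},
             "spec": {"podSelector": {"matchLabels": {"app": "api"}}, "policyTypes": ["Ingress", "Egress"]}}]
EXEC_ROLE = {"kind": "Role", "metadata": {"name": "debugger", "namespace": "shop"},
             "rules": [{"apiGroups": [""], "resources": ["pods/exec"], "verbs": ["create"]}]}
READ_ROLE = {"kind": "Role", "metadata": {"name": "viewer", "namespace": "shop"},
             "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]}
ADMIN_BINDING = {"kind": "ClusterRoleBinding", "metadata": {"name": "ops-admin"},
                 "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
                 "subjects": [{"kind": "Group", "name": "ops"}]}

if __name__ == "__main__":
    for name, check in findings([UNHARDENED, HARDENED], POLICIES, [EXEC_ROLE, READ_ROLE], [ADMIN_BINDING]):
        print(f"{name}: {check}")
```

Run as-is, the unhardened `web` Deployment trips all three workload checks, the `api` Deployment passes because it disables token mounting, is selected by a NetworkPolicy and sets a seccomp profile plus dropped capabilities, the `debugger` Role is flagged for `pods/exec`, and the `ops-admin` binding is flagged for cluster-admin. The NetworkPolicy matching shows the subtlety behind the second check: a policy only counts if it is in the same namespace and its `podSelector` actually selects the workload's pods.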

"The new policy checks added to Polaris help improve Kubernetes security by more easily identifying gaps in compliance, saving time reviewing and implementing best practices, and reducing the risk of a breach," said Robert Brennan, VP of Product Development at Fairwinds. "We are committed to the open source community and will continue to prioritize security in Polaris and all of our open source tools by continually adding new features on a regular basis."

Polaris was recently updated to include automated remediation, called mutations, which allows users to modify YAML files or Kubernetes objects to get them to comply with best practices. Mutations can be run on Infrastructure-as-Code files, so the changes can be checked into a repository, or be run as a mutating webhook, modifying resources as they enter a Kubernetes cluster.

Polaris, which includes more than 30 built-in configuration policies and the ability to write custom policies using the intuitive JSON Schema syntax, has more than 75,000 users spanning all industries. Users interested in managing Polaris across a fleet of clusters, collaborating across teams, or tracking findings over time can look to Fairwinds Insights, the company's complete Kubernetes governance platform. These checks are now available in Insights, helping companies achieve NSA Kubernetes Hardening compliance.

Polaris users are invited to join the Fairwinds OSS User Group.

About Fairwinds

Fairwinds is the trusted partner for Kubernetes governance and security. With Fairwinds, customers ship cloud native applications faster, more cost-effectively and with less risk. Fairwinds provides a unified view between dev, sec and ops removing friction between those teams with software that simplifies complexity. The company is headquartered in Boston, MA, and provides a fully remote and distributed work environment. For more information, visit www.fairwinds.com, read our blog or follow @FairwindsOps on Twitter.

Source: Fairwinds
