Kubernetes allows pods to be granted specific Linux capabilities without full root access. If left unchecked, a pod can gain far more access than it should, leaving your cluster exposed to unwanted and unwarranted actions that could render your systems inoperable.
By default, Magalix KubeAdvisor’s Pod Security Policies Advisor ships with the Container with uncontrolled Linux capabilities policy. It can detect, on one cluster or across all of your clusters, when pods are scheduled with certain root-level capabilities enabled.
After logging into the Magalix console, find your cluster and drill down to Issues using the navigation bar on the left.
You’ll be brought to your Issues Dashboard. The top half of the page will display donut graphs highlighting the total number of violations against the total number of governance policies, or as we call them, Advisors.
In the lower half of the page, locate Container running with uncontrolled Linux capabilities.
On the Issue page, you will see how many entities are out of compliance along with a description of the Advisor.
If you scroll down, you will see each individual violation. After clicking on an entity, you can see the full breakdown on our Recommendation page.
Every policy page opens with a brief explanation of the policy.
As part of the violation, Magalix KubeAdvisor shows you your entity in YAML format, so you can identify exactly where the problem is. Search for the capabilities block under securityContext to see whether any containers add the "SYS_ADMIN", "NET_ADMIN", or "ALL" capabilities.
This area provides suggestions on how you can resolve the violation.
At the bottom, we also show you how long this entity has been in violation, giving you some insight into whether or not any new issues are a result of this violation.
By default, containers run with a limited set of Linux capabilities. Adding further capabilities, such as "SYS_ADMIN", "NET_ADMIN", or "ALL", can be quite dangerous. Magalix provides an Advisor, enabled out of the box, that captures each time a pod is scheduled with these Linux capabilities. Check now whether any of your containers have Linux admin capabilities so you can remove any unnecessary privileges.
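The same check the Advisor performs can be reproduced offline against a pod manifest. The following is an added example, not Magalix or KubeAdvisor code: it walks the containers of a parsed Pod manifest (represented here as a constructed Python dict, the shape you would get from `kubectl get pod -o json`) and reports every container whose securityContext adds SYS_ADMIN, NET_ADMIN or ALL. The `CAP_` prefix handling is a defensive assumption, not a Kubernetes requirement.

```python
"""Flag containers that add SYS_ADMIN, NET_ADMIN or ALL Linux capabilities.

Constructed example: SAMPLE_POD stands in for a parsed Pod manifest; it is
not a real workload.
"""
RISKY_CAPS = {"SYS_ADMIN", "NET_ADMIN", "ALL"}


def _normalize(cap):
    # Compare in upper case and tolerate an optional "CAP_" prefix (assumption).
    cap = cap.upper()
    return cap[4:] if cap.startswith("CAP_") else cap


def find_uncontrolled_capabilities(pod):
    """Return [(container_name, capability)] for every risky added capability,
    covering initContainers as well as regular containers."""
    spec = pod.get("spec", {})
    findings = []
    for kind in ("initContainers", "containers"):
        for c in spec.get(kind, []):
            caps = (c.get("securityContext") or {}).get("capabilities") or {}
            for cap in caps.get("add") or []:
                if _normalize(cap) in RISKY_CAPS:
                    findings.append((c["name"], _normalize(cap)))
    return findings


# Constructed sample: "router" adds NET_ADMIN, "debug" adds ALL, and "web"
# is the compliant form that drops every capability instead of adding any.
SAMPLE_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "demo"},
    "spec": {"containers": [
        {"name": "router", "image": "example/router",
         "securityContext": {"capabilities": {"add": ["NET_ADMIN"]}}},
        {"name": "debug", "image": "example/debug",
         "securityContext": {"capabilities": {"add": ["ALL"]}}},
        {"name": "web", "image": "example/web",
         "securityContext": {"capabilities": {"drop": ["ALL"]}}},
    ]},
}

if __name__ == "__main__":
    for name, cap in find_uncontrolled_capabilities(SAMPLE_POD):
        print(f"container {name!r} adds uncontrolled capability {cap}")
```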