Product In-Depth: Analysis and Event Notification

Overview

Some steps that are mentioned often are auditing and event tracing. When the status of a violation changes without any manual intervention, at a minimum there should be a notification and an event log of what happened. Many times popular 3rd party toolchain components that integrate with each don’t provide insights into their interactivity and that makes narrowing down the root cause of the issue a bit difficult.

From an administrative perspective, there should be a location to view all the policy violations that are discovered during the build time and deploy time stages. These are Magalix events that are tied to systems outside of Kubernetes operation. The person responsible for managing this may not be managing the repositories using KubeGuard so having insights into how frequent KubeGuard is catching violations might lead to some interesting metrics over time.

Event Logging

Everytime an event occurs within Magalix or Kubernetes, administrators and those responsible for their own pipelines now have access to see those events. Magalix exposes all event violations discovered from a KubeGuard API invocation and all KubeGuard admission control block events emitted from your Kubernetes API Server. In addition, each event can be further expanded to show more detailed information about the violation.

Violations Log

Any time a KubeGuard is invoked from a CI/CD job and results in a violation of a policy, a log entry is then available to view through our Console.

For day-to-day operations, administrators can monitor the frequency of new (and repeat) entries to have a sense of the state of activities regarding the code’s overall configuration and policy violation status.

Anyone who is interested in the event can double-click into it and see more details such as which Policy is in violation, which file, a link back to the initiating job, and other metadata to help you assess risk and determine the best course forward.

Admission Control Log

When KubeGuard is enabled as an admission controller, you begin blocking Policy violating entities at deploy-time. Now, you also get a log entry of that blockage within our Console able to view.

Admission Control Logs allow double-clicking into each event to view more metadata about the violation. In the detailed view, we identify the violating Policy, cluster, timestamp and evidence of the entity in violation to give you the insights you need to trace and resolve the issue.

Real Time Notifications

When new violations are discovered, those responsible need a way to get notified. Taking into account monitoring and alerting escalation tiers, Magalix integrates with existing tools so the team knows when something has gone wrong.

KubeNotifier

KubeNotifier is our answer to event notifications. By creating a KubeNotifier, messages of interest can be sent a number of different ways.  A common use case is to send events to a receiving app first, and then apply escalation natively through that app.

By applying various filters, receive only the events you care about to the messaging target of your choice. Configure a webhook so our events can be sent into a large SIEM system, centralized logging solution, or communication app.

An example Slack message from KubeNotifier

Conclusion

Managing your Cloud-native application and the infrastructure it lives upon requires visibility into many aspects, two of those being auditing and event tracing. Although keeping a record of events and getting notifications when new violations occur are two separate features, they are tied back to the idea that keeping track of these events is important, and sometimes mandatory to have. Magalix now provides event logging for greater insights when applying security steps into your existing CI/CD pipelines and event notifications when new violations are discovered. Get proactive about your cloud-native security efforts.