
Security vulnerabilities in your environment might be exploited by an attacker to perform unauthorized actions such as carrying out a denial of service attack, executing remote code, or gaining unauthorized access to sensitive data. Vulnerability management is therefore a foundational step towards a successful Kubernetes security program.

Vulnerability management process

Vulnerability management is a continuous process of identifying and remediating vulnerabilities. Red Hat Advanced Cluster Security for Kubernetes helps you run a vulnerability management process.

A successful vulnerability management program often includes the following critical tasks:

  • Performing asset assessment

  • Prioritizing the vulnerabilities

  • Assessing the exposure

  • Taking action

  • Continuously reassessing assets

Red Hat Advanced Cluster Security for Kubernetes helps organizations to perform continuous assessments on their OpenShift Container Platform and Kubernetes clusters. It provides organizations with the contextual information they need to prioritize and act on vulnerabilities in their environment more effectively.

Performing asset assessment

Performing an assessment of an organization’s assets involves the following actions:

  • Identifying the assets in your environment

  • Scanning these assets to identify known vulnerabilities

  • Reporting on the vulnerabilities in your environment to impacted stakeholders

When you install Red Hat Advanced Cluster Security for Kubernetes on your Kubernetes or OpenShift Container Platform cluster, it first aggregates the assets running inside the cluster so that you can identify them.

Important assets that should be monitored by the organization’s vulnerability management process using RHACS include:

  • Components: Components are software packages that may be used as part of an image or run on a node. Components are the lowest level at which vulnerabilities are present; remediation therefore always means upgrading, modifying, or removing a software component in some way.

  • Images: A collection of software components and code that creates an environment in which to run an executable portion of code. Images are where you upgrade components to fix vulnerabilities.

  • Nodes: A server used to manage and run applications using OpenShift or Kubernetes and the components that make up the OpenShift Container Platform or Kubernetes service.

RHACS groups these assets into the following structures:

  • Deployment: A definition of an application in Kubernetes that may run pods with containers based on one or more images.

  • Namespace: A grouping of resources such as Deployments that support and isolate an application.

  • Cluster: A group of nodes used to run applications using OpenShift or Kubernetes.

RHACS scans the assets for known vulnerabilities and uses Common Vulnerabilities and Exposures (CVE) data to assess the impact of each known vulnerability.

Prioritizing the vulnerabilities

Answer the following questions to prioritize the vulnerabilities in your environment for action and investigation:

  • How important is an affected asset for your organization?

  • How severe does a vulnerability need to be for investigation?

  • Can the vulnerability be fixed by a patch for the affected software component?

  • Does the existence of the vulnerability violate any of your organization’s security policies?

The answers to these questions help security and development teams decide which vulnerabilities warrant a closer assessment of exposure.

Red Hat Advanced Cluster Security for Kubernetes provides you with the means to prioritize the vulnerabilities in your applications and components.

Assessing the exposure

To assess your exposure to a vulnerability, answer the following questions:

  • Is your application impacted by a vulnerability?

  • Is the vulnerability mitigated by some other factor?

  • Are there any known threats that could lead to the exploitation of this vulnerability?

  • Are you using the software package which has the vulnerability?

  • Is spending time on a specific vulnerability and the software package worth it?

Take some of the following actions based on your assessment:

  • Consider marking the vulnerability as a false positive if you determine that there is no exposure or that the vulnerability does not apply in your environment.

  • If you are exposed, decide whether to remediate the vulnerability, mitigate it, or accept the risk.

  • Consider if you want to remove or change the software package to reduce your attack surface.
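To show how the asset structure (namespace, deployment, image, component) and the prioritization and exposure questions above fit together, here is an added example that walks a small vulnerability inventory through triage. This is illustrative code added to this page, not RHACS or roxctl code: the Finding record layout, the namespace importance weights, the scoring formula and the CVE-EXAMPLE-* placeholder identifiers are all assumptions constructed for the example and do not match the RHACS API or its data model.

```python
"""Triage a constructed vulnerability inventory using the asset grouping and the
prioritization/exposure questions from the text.

Example code added to this page; not RHACS code. The record layout, weights
and placeholder CVE identifiers below are hypothetical and constructed."""
from dataclasses import dataclass

SEVERITY_RANK = {"CRITICAL": 4, "IMPORTANT": 3, "MODERATE": 2, "LOW": 1}

# Hypothetical answer to "how important is the affected asset", keyed by namespace.
NAMESPACE_IMPORTANCE = {"payments": 3, "web": 2, "sandbox": 1}


@dataclass(frozen=True)
class Finding:
    cve: str               # placeholder identifier, not a real CVE
    severity: str          # CRITICAL / IMPORTANT / MODERATE / LOW
    component: str         # software package reported by the scanner
    fixable: bool          # a non-vulnerable package version exists
    image: str             # image the component was found in
    deployment: str        # deployment running that image
    namespace: str         # namespace grouping the deployment
    known_exploited: bool = False   # "are there known threats?"
    package_in_use: bool = True     # "are you using the software package?"
    mitigated: bool = False         # "is it mitigated by some other factor?"


# Constructed sample inventory (not real scan output).
SAMPLE = [
    Finding("CVE-EXAMPLE-1", "CRITICAL", "openssl", True, "shop/api:1.4", "api", "payments", known_exploited=True),
    Finding("CVE-EXAMPLE-2", "IMPORTANT", "curl", True, "shop/api:1.4", "api", "payments"),
    Finding("CVE-EXAMPLE-3", "CRITICAL", "imagemagick", False, "shop/web:2.0", "frontend", "web", package_in_use=False),
    Finding("CVE-EXAMPLE-4", "IMPORTANT", "glibc", False, "shop/web:2.0", "frontend", "web", mitigated=True),
    Finding("CVE-EXAMPLE-5", "LOW", "bash", True, "tools/debug:0.1", "debug", "sandbox"),
    Finding("CVE-EXAMPLE-6", "MODERATE", "python3", True, "tools/debug:0.1", "debug", "sandbox"),
]


def inventory(findings):
    """Asset assessment: group components by namespace > deployment > image."""
    tree = {}
    for f in findings:
        comps = tree.setdefault(f.namespace, {}).setdefault(f.deployment, {}).setdefault(f.image, set())
        comps.add(f.component)
    return {ns: {dep: {img: sorted(c) for img, c in imgs.items()} for dep, imgs in deps.items()}
            for ns, deps in tree.items()}


def meets_threshold(finding, min_severity="IMPORTANT"):
    """Prioritization: how severe must a vulnerability be to be investigated?"""
    return SEVERITY_RANK[finding.severity] >= SEVERITY_RANK[min_severity]


def recommended_action(finding):
    """Exposure assessment: map the answers to the actions the text lists."""
    if not finding.package_in_use:
        return "mark_false_positive"   # no exposure: the package is never used
    if finding.mitigated:
        return "mitigate_and_accept"   # exposed, but another control reduces the risk
    if finding.fixable:
        return "remediate"             # update or remove the component
    return "accept_or_mitigate"        # no fix available yet: decide explicitly


def priority_score(finding):
    """Hypothetical ranking: severity x asset importance, plus exploitation and fixability."""
    score = SEVERITY_RANK[finding.severity] * NAMESPACE_IMPORTANCE.get(finding.namespace, 1)
    if finding.known_exploited:
        score += 5
    if finding.fixable:
        score += 1
    return score


def triage(findings, min_severity="IMPORTANT"):
    """Return the findings worth investigating, most urgent first, with a suggested action."""
    rows = [
        {"cve": f.cve, "namespace": f.namespace, "deployment": f.deployment,
         "component": f.component, "score": priority_score(f), "action": recommended_action(f)}
        for f in findings if meets_threshold(f, min_severity)
    ]
    return sorted(rows, key=lambda r: (-r["score"], r["cve"]))


def remediation_targets(findings):
    """Taking action: images that must be rebuilt, with the components to upgrade in each."""
    out = {}
    for f in findings:
        if recommended_action(f) == "remediate":
            out.setdefault(f.image, set()).add(f.component)
    return out


if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(f'{row["score"]:>3} {row["cve"]:<14} {row["namespace"]}/{row["deployment"]} '
              f'{row["component"]:<12} -> {row["action"]}')
    for image, comps in remediation_targets(SAMPLE).items():
        print(f"rebuild {image}: upgrade {', '.join(sorted(comps))}")
```

With the default threshold of IMPORTANT, the two LOW and MODERATE findings in the sandbox namespace drop out of the triage list, the unused imagemagick package is flagged as a false-positive candidate rather than ranked for remediation, and the two fixable findings in the payments image are collapsed into a single rebuild of that image. Lowering the threshold to LOW brings the sandbox findings back in at the bottom of the list.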

Taking action

After you decide to act on a vulnerability, take one of the following actions:

  • Remediate the vulnerability

  • Mitigate and accept the risk

  • Accept the risk

  • Mark the vulnerability as a false positive

You can remediate vulnerabilities by performing one of the following actions:

  • Remove a software package

  • Update a software package to a non-vulnerable version