Runtime security for Amazon EKS with Araali
Enterprises have rapidly adopted Kubernetes. Yet for most teams, Kubernetes runtime security remains a challenge. Many enterprises use managed Kubernetes services such as Amazon Elastic Kubernetes Service (Amazon EKS) and believe that AWS is fully responsible for the security of their Kubernetes deployment. In reality, AWS is accountable only for the master node. The enterprise is still responsible for securing worker nodes, pods, Kubernetes networking, and container images.
Most enterprise customers focus their time on container image scanning in Continuous Integration Continuous Delivery (CI/CD), but they don’t have a good solution for securing their runtime. Araali Runtime Security, available in AWS Marketplace, enables customers to fulfill your shared responsibility by using a single-command runtime security for any EKS cluster. Araali automatically organizes your runtime by namespace or apps and protects every namespace or app from advanced threats, lateral movements, and exfiltration attempts. It does all of this without requiring you to write any policy or security YAML code.
In this post, I show you how to procure Araali, deploy it to an EKS cluster, create allow lists for a namespace, and get alerts.
- An EKS cluster and a control plane machine with kubectl installed and pointing to that cluster. kubectl is a Kubernetes command-line tool.
- Araali Runtime Security deployed to your AWS account
To deploy Araali, navigate to Araali Runtime Security in AWS Marketplace. In the upper right, choose Continue to Subscribe, and then choose Subscribe. You’re redirected to the Araali website to complete the user registration.
Registering for Araali provisions a SaaS account. When complete, you receive a notification email. With your SaaS account, you can deploy Araali to an EKS cluster, as detailed in the following steps.
- Open a browser and go to http://console.araalinetworks.com. Log in with the email address you registered with.
- To complete authentication into the Araali console, you receive a login email from Araali. Open that email and select Approve.
- In the Araali console left sidebar, choose Support. Then choose Downloads.
- In the Config section, download the yaml file. Copy the YAML; file to the machine running kubectl.
- In a terminal window, make sure kubectl is pointing to the K8s cluster you want to protect. It doesn’t matter if your application is already running. To deploy Araali to the cluster, in kubectl, run the following commands.
# Deploy Araali DaemonSet
Kubectl apply -f araali_k8s.yaml
# Check if DaemonSet and AraaliFW containers are up and running
Kubectl get pods -A
Checking a cluster’s runtime connections
In the Araali console left navigation, under Runtime, choose Zones. Araali autodetects your cluster and puts it in a zone on the Zones page. This cluster is in poc-k8s. The following screenshot shows the Zones page with two ingress points, world and internal, one zone poc-k8s and its services, and 12 points of egress.
To check what is coming into your cluster and what is going out, follow these steps.
- In the box marked pos-k8s in the top left, choose the magnifying glass icon. This lists all of the namespaces in the middle column, with ingress connections on the left side and egress from the right side.
- Go through the application diagram and make sure that all of the connections make sense to you. If a connection does not make sense, it could be due to application or security misconfiguration or a bad actor. Araali, by default, runs in the visibility mode, where it will not disrupt or drop the connection.
Creating allow-list policies for a namespace
To navigate into the namespace, in the upper left, choose the magnifying glass icon in its box. The Policies page in the console shows all of the namespace’s discovered policies. Activities appearing in red are new, alerts, or both; activities appearing in green are accepted policies. The following screenshot shows my namespace with ingress of one accepted policy and two new connections in red as well as an egress of two policies and two alerts.
To verify and accept policies, follow these steps.
- Choose the red line for each connection that you want to approve.
- Choose the check mark. The line turns green.
- Validate and accept all approved connections. This converts them to policies.
That’s it—you have created allow-list policies for your app!
With this workflow, Araali automates the task of writing network security policy and managing its lifecycle. After these policies are discovered, the app can use them on any cluster or even other clouds.
After you have created the allowed policies, any deviation appears as an alert on the Policies page.
- To view alerts, in the Araali console, navigate to the Policies page. Alerts appear as red lines.
- To snooze or ignore an alert until later, select the specific alert. In the upper right, choose the clock icon.
- To accept an alert as a policy, select the link. In the upper right, choose the checkmark icon.
- To investigate an alert, select the specific alert. In the upper right, choose the magnifying glass. It will give you all the contextual information about the flow.
- To view a full audit for your microservice communication and the snoozed alerts on Araali’s SaaS backend, in the left navigation, choose Alerts.
To uninstall Araali, delete the Araali DaemonSet. To do that, in a terminal window, run the following command.
kubectl delete -f araali_k8s.yaml
In this post, I showed how to use Araali to get visibility and security for your EKS clusters. I also showed how to navigate the Araali user interface to accept policies and get alerts.
The content and opinions in this post are those of the third-party author, and AWS is not responsible for the content or accuracy of this post.
About the author
Ashish Kar, Head of Product Management and Marketing, Araali Network
Ashish has over 15 years of experience building products and businesses anchored in strong strategy, customer experience, rapid prototyping, and testing. He has led teams and new product development at McKinsey, Hewlett-Packard, and Symantec. At Araali, he works closely with Engineering and leads product management and marketing to drive product features and deliver customer value.
Ashish earned B.Tech from the IIT, Kanpur, and MS in Engineering from Massachusetts Institute of Technology.