Kubernetes Services Overview
Executive Summary
Kubernetes is a complex system made up of dynamic components (e.g., physical nodes, pods, containers, proxy, schedulers) that can affect the overall health of your cloud environment. There are many interdependencies between these moving parts, which means that a solid monitoring strategy is critical, especially in sophisticated production environments.
Logicworks’ Kubernetes Services perform the crucial task of monitoring the physical infrastructure of your Kubernetes configuration, while also providing options for multi-cluster monitoring and visibility into container and application health. Our innovative system of metrics and automated alerts supplies valuable information that makes monitoring easy for you. Through proactive load testing, automated failovers, and integrations with modern security and monitoring tools, Logicworks has your Kubernetes environment covered.
Logicworks Kubernetes Capabilities
While the benefits of Kubernetes are well known, running Kubernetes natively in the cloud can be extremely difficult. To address this, Logicworks offers full integration with Amazon Elastic Kubernetes Service (EKS) or Azure Kubernetes Service (AKS) as managed services.
Logicworks has established a proven discovery and design methodology to build and/or integrate with AWS Elastic Kubernetes Service (EKS) or Azure Kubernetes Service (AKS) environments on a custom basis for each client. Our Solutions Architects perform an in-depth technical discovery that includes collaborative in-person sessions with customer application teams, as well as automated discovery. The result of discovery is an Architecture Design, presented in the form of our proprietary Cloud Solution Workbook, which is a comprehensive blueprint covering all aspects of the cloud design.
Cloud Architectures for Kubernetes
Logicworks’ cloud architectures for Kubernetes cover the following infrastructure components:
EKS (AWS)
- Virtual Private Cloud (VPC) Design
- EKS subnets
- Kubernetes standard tagging protocols
- Security groups
- Cluster access
- EKS Cluster Deployment
- Deployments of clusters via Terraform
- Define & deploy nodegroups
- Cluster core
- Autoscaling Controller Deployment & Integration
- Enable Container Insights
- Configure Cluster Access (role-based access control)
AKS (Azure)
- Azure Virtual Network (VNet) Design
- AKS subnets
- Kubernetes standard tagging protocols
- Network security groups
- Cluster access
- AKS Cluster Deployment
- Deployments of clusters via Terraform
- Define & deploy node pools
- Cluster core
- AKS Cluster Autoscaler
- Enable Container Insights
- Configure Cluster Access (role-based access control)
Third Party Added Services
Logicworks procures, installs, and/or manages third-party ISV tools within the Kubernetes environment to enforce governance for security operations and cost management. Depending on your cloud service provider, these tools can include:
EKS (AWS)
- Alert Logic
- F5 Application Infrastructure Protection
- CloudHealth
AKS (Azure)
- Alert Logic
- Container Insights for Azure Monitor
Integration with Cloud-Native PaaS Services
Logicworks configures Kubernetes integration with common cloud-native platform services, including:
EKS (AWS)
- Networking
- Identity & Access Systems
- AWS SSO
- Security Groups & Roles
- Container Registry
- Secrets Manager
AKS (Azure)
- Networking
- Identity & Access Systems
- Azure AAD Integration
- Network Security Groups & Roles
- Container Registry
- Azure Key Vault
Security & Compliance
By default, Logicworks deploys secure clusters that are not accessible from the public internet. Logicworks can also use Kyverno as an admission controller to enforce pre-determined security rules. By using Kyverno and a set of baseline policies, Logicworks is able to significantly elevate the security posture of all of your clusters and the resources they contain. We’re able to work directly with you to craft custom policies that meet your specific needs and expectations.
Kyverno
Kyverno is an admission controller that Logicworks uses to intercept requests to the Kubernetes API server, which are then evaluated to ensure that they meet a defined set of security policies. If the requests do not meet the requirements of the Kyverno policies, they are disallowed. These policies can validate, mutate, and generate Kubernetes resources, as well as ensure OCI image supply chain security.
Customizable Security Policies
Logicworks collaborates with you to set Kyverno admission control policies that meet your security and compliance requirements. These customizable policies provide a markedly increased level of security to your Kubernetes clusters.
Kyverno Baseline Policies
|
Disallow Capabilities |
Any additional capabilities beyond what is included in the policy will be disallowed. |
|
Disallow Host Namespaces |
Host namespaces (process id namespace, inter-process communication namespace, and network namespace) allow access to shared information and can be used to elevate privileges. pods should not be allowed access to host namespaces. This policy ensures fields which make use of these host namespaces are unset or set to `false`. |
|
Disallow hostPath |
Hostpath volumes let pods use host directories and volumes in containers. using host resources can be used to access shared data or escalate privileges and should not be allowed. This policy ensures no hostpath volumes are in use. |
|
Disallow hostPorts |
Access to host ports allows potential snooping of network traffic and should not be allowed, or at minimum restricted to a known list. This policy ensures the `hostport` field is unset or set to `0`. |
|
Disallow hostProcess |
Windows pods offer the ability to run hostprocess containers which enables privileged access to the windows node. privileged access to the host is disallowed in the baseline policy. hostprocess pods are an alpha feature as of kubernetes v1.22. This policy ensures the `hostprocess` field, if present, is set to `false`. |
|
Disallow Privileged Containers |
Privileged mode disables most security mechanisms and must not be allowed. This policy ensures pods do not call for privileged mode. |
|
Disallow procMount |
The default/proc masks are set up to reduce attack surface and should be required. This policy ensures nothing but the default procmount can be specified. Note that in order for users to deviate from the `default` procmount requires setting a feature gate at the api server. |
|
Disallow SELinux |
SELinux options can be used to escalate privileges and should not be allowed. This policy ensures that the `selinuxoptions` field is undefined. |
|
Restrict AppArmor |
On supported hosts, the ‘runtime/default’ apparmor profile is applied by default. The default policy should prevent overriding or disabling the policy, or restrict overrides to an allowed set of profiles. This policy ensures pods do not specify any other apparmor profiles than `runtime/default` or `localhost/*`. |
|
Restrict Seccomp |
The seccomp profile must not be explicitly set to unconfined. This policy, requiring kubernetes v1.19 or later, ensures that seccomp is unset or set to `runtimedefault` or `localhost`. |
|
Restrict sysctls |
Sysctls can disable security mechanisms or affect all containers on a host, and should be disallowed except for an allowed “safe” subset. A sysctl is considered safe if it is namespaced in the container or the pod, and it is isolated from other pods or processes on the same node. This policy ensures that only those “safe” subsets can be specified in a pod. |
Cloud Reliability Platform – Security Tools
By default, Logicworks deploys secure clusters not accessible from the public internet.
Logicworks’ Cloud Reliability Platform is integrated with our Kubernetes services to provide a comprehensive suite of modern security tooling that secures your Kubernetes infrastructure. Security alerts are monitored 24×7 by the Logicworks NOC team, ensuring that incidents are reviewed, addressed, and that your Kubernetes environment is continuously safeguarded.
- F5 Application Infrastructure Protection (AWS only)
- Uncovers security and compliance risks across containers, Kubernetes, and AWS Fargate
- Provides real-time context to enable quick response
- Alert Logic Agent Container
- Collects network traffic from containers
- Network IDS (Intrusion Detection System) analyzes network traffic and generates events for anything deemed suspicious or malicious
- Sends incident reports that can be viewed in the Alert Logic console
Monitoring Essentials
Understanding your CPU and RAM utilization, network latency, and disk I/O is critical to maintaining your Kubernetes environment. With EKS or AKS configuration as the foundational base, Logicworks provides physical resource metrics as a standard part of our Kubernetes services. Metrics and alerts for pod memory utilization, CPU utilization, and cluster failed node counts are all included at the base-level of our Managed Services. These essential monitoring tools come at no extra cost to you with Logicworks as your Managed Service Provider.
Autoscaling
Logicworks collects usage statistics from each of your kubelets, which gives us insight into CPU and memory metrics and trends. The Kubernetes Cluster Autoscaler uses these metrics to automatically scale the workload and resources to match customer demand. If your environment experiences spikes in client connections, auto-scaling provides extra headroom in the cluster to ensure that you have nodes that are readily available.
Expert Consultation
Logicworks’ Solutions Architects will evaluate and assess your cloud or existing Kubernetes infrastructure to determine what opportunities for improvement may be available. The discovery phase of our assessment thoroughly examines your current tooling and requirements to map the best possible Kubernetes solution.
This holistic review provides valuable insight into what monitoring solutions make the most sense for your situation. Our team of expert engineers then implement the plan, and you can rest easy knowing that Logicworks has secured your container architecture.
Talk to a Cloud Expert
Logicworks is a leading provider of platform driven cloud operations for AWS. Contact us today to learn how we can help you onboard to the cloud more efficiently, operate reliably with elevated security, and optimize as you scale.
