Hey everyone! I'm currently working at a cloud provider that offers managed Kubernetes services. I've been tasked with figuring out how to monitor vulnerabilities in the containers running in our clusters. Since we manage the infrastructure, I also need to keep an eye on the kube-* namespaces, like coredns and others. Has anyone found a good way to tackle this problem? I've tried using the Trivy Operator, which seemed promising, but I'm having trouble scanning the management namespaces. Any insights would be really appreciated!
2 Answers
Trivy is definitely the way to go! You just need to resolve that namespace issue first. Once it’s up and running, make sure to filter out false positives or assess if a CVE is applicable based on your actual usage. Don’t forget, you'll want to check every CVE; otherwise, it's just compliance for show and won’t enhance your security.
Is the only solution to write a scheduled script that gets the running containers with "kubectl" and then runs Trivy on them? Seems pretty manual.
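An added example (not code from the thread or from the Trivy project) of what that scheduled script could look like: it inventories the images of Running pods across every namespace, kube-system included, dedupes them, and hands each unique reference to `trivy image`. It assumes a kubectl context with cluster-wide read access to pods and `trivy` on PATH; the environment variable names, function names and report layout are the example's own choices.

```shell
#!/bin/sh
# Added example, not part of the original thread. Assumes: kubectl context with
# permission to list pods in all namespaces, trivy installed on PATH.
set -u

SEVERITY="${SEVERITY:-HIGH,CRITICAL}"          # assumption: only report these levels
REPORT_DIR="${REPORT_DIR:-./trivy-reports}"    # assumption: where JSON reports land

# Print one line per Running pod: "<namespace> <image> <image> ...".
# No namespace filter, so kube-system, kube-public, etc. are included.
list_running_images() {
  kubectl get pods --all-namespaces --field-selector=status.phase=Running \
    -o jsonpath='{range .items[*]}{.metadata.namespace}{" "}{.spec.containers[*].image}{"\n"}{end}'
}

# Read "<namespace> <image>..." lines on stdin, drop the namespace column,
# and emit each image reference once. Scanning per unique image avoids
# rescanning the same coredns image for every replica.
unique_images() {
  awk '{ for (i = 2; i <= NF; i++) print $i }' | sort -u
}

# Pod status reports the image actually running as an ID such as
# "docker-pullable://repo@sha256:..."; strip that scheme so trivy accepts it.
# Scanning by digest is more precise than by tag, because tags are mutable.
normalize_image_ref() {
  printf '%s\n' "$1" | sed 's#^docker-pullable://##'
}

# Turn an image reference into a safe report file name.
report_name() {
  printf '%s.json\n' "$(printf '%s' "$1" | tr '/:@' '___')"
}

# Scan one image; non-zero exit from trivy is recorded, not fatal, so one
# unreachable registry does not abort the whole run.
scan_image() {
  img="$1"
  trivy image --severity "$SEVERITY" --format json \
    --output "$REPORT_DIR/$(report_name "$img")" "$img" \
    || echo "scan failed for $img" >&2
}

main() {
  mkdir -p "$REPORT_DIR"
  list_running_images | unique_images | while IFS= read -r img; do
    scan_image "$(normalize_image_ref "$img")"
  done
  echo "reports written to $REPORT_DIR"
}

# Only talk to the cluster when explicitly asked: ./scan.sh scan
case "${1:-}" in
  scan) main ;;
esac
```

Run it as `./scan.sh scan` from cron or a CronJob with a read-only pod-listing service account. The JSON reports can then be triaged per image, which matters because several pods in the management namespaces typically share one image and a finding should be assessed once, not once per replica.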
Are you only looking at vulnerability scanning? While it's a vital part of security, Kubernetes security involves much more. What’s your strategy for runtime protection or handling unpatched CVEs? Just as a side note, I used to work for NeuVector, which is now open source. I'd love to show you some basics on covering a broader range of security issues without overwhelming effort!
I’m mainly focused on reporting CVEs from running containers to the operations team, especially in the management namespace. My access to servers is pretty restricted, unfortunately.
I was also considering forking the Trivy Operator to make it compatible with management namespaces, but the codebase is massive!
Exactly! Once it's operational, it's crucial to evaluate each CVE properly; otherwise, it defeats the purpose. Good luck!