Kubernetes security multidimensional single pane of glass experience

May 9, 2022

One of the most used buzzwords in our industry is "single pane of glass".

But what does it really mean?

In most cases, it means a single dimension – either cross-infrastructure, or cross-functionality, or cross-organization. It is rarely AND; most likely it is OR. So you end up using multiple single-pane-of-glass products.

This led to an interesting discussion between us. Is it a single pane for all the K8s clusters? Or a single pane for all the K8s security capabilities and functionalities? Maybe both?

When it comes to Kubernetes security, it is never a single pane of glass! It is a multidimensional experience…

At ARMO, we are trying to solve exactly this challenge with Kubescape, and today we made significant progress toward achieving it.

In the next sections, I will explain the different aspects of our single-pane discussion: Cross-Infrastructure, Cross-Functionality, and Cross-Organization, and I will use Kubescape to show what we have done.

Cross-Infrastructure

Kubescape currently shows all cluster misconfigurations, vulnerabilities, and RBAC information in a single UI. Kubescape can be applied to cloud-managed or self-managed clusters. There is no limit to how many clusters it can support.

Furthermore, you can add a single integration to your CI/CD pipeline to scan your code (from the moment you start coding in VS Code) for misconfigurations and send RBAC information for review. Kubescape users will soon be able to view these CI integrations (scanning of individual YAML files, container images, Helm charts, etc.) in the same interface.

Cross-Functionality

Many open-source and commercial tools scan and secure different parts of your K8s clusters and configuration. However, these tools do not feed or interact with one another. As a result, you get a narrow view of one aspect of the issues. If you don't have a cross-tool view, how can you prioritize your patching and fixing tasks? How will you decide what is urgent versus what is important?

Several vendors have released open-source tools for scanning and securing parts of your K8s configuration. Some of these vendors offer a 'single-pane-of-glass' solution that shows all the features in one place. This is nice, but it adds little value: you still have to deploy each open-source solution separately, so all you gain is another UI that displays the same results as the standalone tools.

Today, many environments are deployed using infrastructure as code (IaC). Additionally, a great deal of open-source software is used as part of your application. A security issue is never a singular one; it can occur in other environments or across organizations. By presenting findings based on a single cluster or manifest file, you only encourage your organization to chase down individual misconfigurations and patch individual vulnerable images. To me, this is the real benefit of a single pane of glass - not just infrastructure- or functionality-related, but something that generates additional value out of combining the two.

Kubescape - your multidimensional K8s experience

ARMO aims to create a solution that allows users to secure K8s clusters from development to production. Hence, we built Kubescape with a "single-pane-of-glass" mindset, aiming to answer all of the points mentioned above.

Kubescape today offers a true multidimensional single-pane-of-glass experience:

  • Cross-Infrastructure - add your clusters from different cloud providers to Kubescape: AKS, GKE, EKS, OpenShift.
  • Cross-Organization - Kubescape allows you to enforce the same framework, guidelines, and best practices across different dev teams, from the coding phase in VS Code through production.
  • Cross-Functionality - scan API server configurations (managed and unmanaged), scan worker node configurations, scan K8s definition files (YAML files, Helm charts), visualize RBAC, and scan container images for vulnerabilities.

A shiny new dashboard

I saved the best for last...

In the new Kubescape release, we introduced a new single-pane-of-glass dashboard for K8s security.

The new dashboard reflects your E2E posture and vulnerability status. It shows things like:

  • Clusters by priority
  • Top failed controls – across all the clusters
  • Top CVEs – vulnerabilities that repeat in your organization
  • And more.

Kubescape helps you understand the most urgent tasks to complete, not just on one cluster or capability, but across all the findings.
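As an added example (not Kubescape's own code, and not its real output schema), the cross-cluster aggregation behind the dashboard items above, run over constructed per-cluster scan results: controls ranked by how many clusters fail them, CVEs ranked by how many clusters they recur in, and clusters ranked by their combined finding load. Cluster names, control IDs and CVE IDs are all made up.

```python
from collections import Counter, defaultdict

# Constructed, simplified per-cluster results (not Kubescape's JSON schema).
# failed_controls: control ID -> number of failing resources in that cluster.
# images: image -> list of CVE IDs found in it (placeholder IDs).
CLUSTER_RESULTS = [
    {"cluster": "prod-eks",
     "failed_controls": {"CTRL-A": 4, "CTRL-B": 2},
     "images": {"api:1.2": ["CVE-EXAMPLE-1", "CVE-EXAMPLE-2"]}},
    {"cluster": "staging-gke",
     "failed_controls": {"CTRL-A": 1, "CTRL-C": 3},
     "images": {"api:1.1": ["CVE-EXAMPLE-1"], "web:3.0": ["CVE-EXAMPLE-3"]}},
    {"cluster": "dev-aks",
     "failed_controls": {"CTRL-A": 2},
     "images": {"web:3.0": ["CVE-EXAMPLE-3", "CVE-EXAMPLE-1"]}},
]


def top_failed_controls(results, n=3):
    """Rank controls by clusters failing them, then by total failing resources."""
    clusters, resources = Counter(), Counter()
    for r in results:
        for control, count in r["failed_controls"].items():
            clusters[control] += 1
            resources[control] += count
    ranked = sorted(clusters, key=lambda c: (-clusters[c], -resources[c], c))
    return [(c, clusters[c], resources[c]) for c in ranked[:n]]


def top_repeating_cves(results, n=3):
    """Rank CVEs by the number of distinct clusters they appear in."""
    seen = defaultdict(set)
    for r in results:
        for cves in r["images"].values():
            for cve in cves:
                seen[cve].add(r["cluster"])
    ranked = sorted(seen, key=lambda v: (-len(seen[v]), v))
    return [(cve, len(seen[cve])) for cve in ranked[:n]]


def clusters_by_priority(results):
    """Score each cluster: failing resources plus distinct CVEs, highest first."""
    scores = []
    for r in results:
        cves = {cve for cves in r["images"].values() for cve in cves}
        scores.append((r["cluster"], sum(r["failed_controls"].values()) + len(cves)))
    return sorted(scores, key=lambda s: (-s[1], s[0]))
```

The first-ranked control fails in every cluster, so fixing it once at the template or policy level pays off three times; that is the cross-dimension view a per-cluster report cannot give.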

Kubescape dashboard