Security Summary

Falco

Falco, an open-source cloud-native runtime security project, is the de facto Kubernetes threat detection engine.

Other tools you might have to be familiar with are sysdig or tracee

For all available fields, we can check https://falco.org/docs/rules/supported-fields

CIS Benchmark

Tools:

• kube-bench

• (docker bench)

Open Policy Agent and Gatekeeper

restrict images

kube-mgmt

Kyverno https://kyverno.io/

gVisor

trivy

• trivy binary https://github.com/aquasecurity/trivy/releases/latest/

• trivy docs https://github.com/aquasecurity/trivy/blob/main/docs/getting-started/installation.md

• trivy operator

  kubectl apply -f https://raw.githubusercontent.com/aquasecurity/trivy-operator/v0.12.0/deploy/static/trivy-operator.yaml

Static Analysis CI/CD

• Pod Security Policy / OPA