StackRox (by Red Hat) - Short Review



Product Overview of StackRox (Red Hat Advanced Cluster Security for Kubernetes)

StackRox, now known as Red Hat Advanced Cluster Security for Kubernetes (RHACS), is a Kubernetes-native security platform that Red Hat acquired in 2021. It is designed to detect, manage, and mitigate security risks across the entire lifecycle of Kubernetes environments.



Key Functionality

  • Full-Lifecycle Security: StackRox integrates with DevOps and security tools to operationalize security for supply chains, infrastructure, and workloads. It enables teams to automate DevSecOps, shift security left, and apply application security across the full Kubernetes lifecycle.


Key Features



Supply Chain Security

  • Simplifies DevOps processes by providing developers with security context within their existing workflows.
  • Integrates security into CI/CD pipelines and image registries for continuous image scanning and assurance.
  • Scans images for OS- and language-level vulnerabilities.
  • Utilizes existing SIEM tools and notification platforms for remediation and response.


Infrastructure Security

  • Hardens the underlying infrastructure by ensuring compliance with CIS benchmarks or custom policies.
  • Prevents configuration drift and analyzes RBAC rules to prevent insecure access and authorizations.
  • Monitors high-risk actions, such as ConfigMap changes or container exec commands, through the Kubernetes API.


Workload Security

  • Prevents high-risk workloads from deploying or running using deploy-time and runtime policies.
  • Hardens workloads by enforcing network policies based on the principle of least privilege.
  • Uses allow-listing and behavioral modeling to detect anomalous application behavior indicative of threats at runtime.
  • Monitors known good behavior to configure custom policies and alerts for anomalous and malicious behavior.


Architecture and Components

  • Central: The main component that gathers and displays information, handles data persistence, API interactions, and UI access. It can manage multiple clusters from a single instance.
  • Sensor: Monitors the cluster, collecting and augmenting data from the Collector. One Sensor is installed on each cluster.
  • Scanner: Scans container images for vulnerabilities, analyzing all image layers and checking for known CVEs. It also identifies vulnerabilities in installed packages and dependencies for multiple programming languages.
  • Collector: Collects and monitors container activities such as container runtime and network activity. One Collector is installed on each node.
  • Admission Controller (optional): Interacts with the Kubernetes API server to prevent the creation of workloads that do not adhere to security policies.


Advanced Features

  • Interactive Dashboards: Provides risk-prioritized views of misconfigurations and vulnerabilities, enabling easy drill-down to critical information for effective remediation and collaboration between security and DevOps teams.
  • Kubernetes Role-Based Access Control (RBAC) Assessment: Continuously monitors permissions to mitigate excessive privileges and identify potential misconfigurations.
  • Kubernetes Secrets Access Monitoring: Discovers and monitors Kubernetes secrets to limit unnecessary access.
  • Vulnerability Management: Includes advanced capabilities such as scanning container images for language-dependent vulnerabilities and providing visibility into critical vulnerabilities in the Kubernetes platform itself.


Integration and Open Source

  • StackRox integrates with various ecosystem platforms, including CRI-O container runtime, Kubernetes on Distributed Cloud Operating System (DC/OS), and Microsoft Teams for security alerts and violation data.
  • Red Hat has open-sourced StackRox, allowing the community to use and contribute to the codebase on GitHub, further enhancing its capabilities and community involvement.

In summary, StackRox (RHACS) is a powerful tool for securing Kubernetes environments, offering a robust set of features to manage and mitigate security risks across the entire application lifecycle, and it continues to innovate as an enterprise-ready solution under Red Hat.
