module-5-quarantine-kspm.md

File metadata and controls

71 lines (39 loc) · 3.28 KB

Module 5 - Quarantine Infected Workloads and Visualize KSPM

Quarantine a Workload

Suppose a workload in your environment has been compromised and you want to investigate it further. In that case, do not terminate the workload; isolate it, so that it can do no further damage and cannot move laterally across your environment while it stays available for forensics. Quarantine the pod by applying a security policy that denies all ingress and egress traffic and logs every connection attempt to and from that pod, so the attacker's activity is recorded rather than lost.

A quarantine policy already exists in the security tier. It selects pods that carry the label quarantine = true, so isolating a workload is a matter of adding that label. Let's see how it works.

  1. Execute the following commands from the attacker pod (if you exited its shell, the pod was deleted; create it again if that is the case).

    • Test the connection to a local service

      curl -m3 http://vote.vote
    • Test the connectivity with the Kubernetes API

      curl -m3 -k https://kubernetes:443/version
    • Test the connectivity with the internet

      curl -m3 http://neverssl.com
  2. Label the attacker pod with quarantine = true.

    kubectl label pod attacker quarantine=true
  3. Repeat the tests from step 1. Each curl now times out: the pod can no longer establish communication with any of the destinations, and every attempt is logged by the quarantine policy.
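As an added example (not code from the workshop repository), the following POSIX shell script shows both halves of what the steps above describe: an illustrative reconstruction of a log-then-deny quarantine policy in Calico's policy API, and a scripted before/after probe of the three destinations from inside the pod. The policy name and order value, the pod name `attacker`, and the use of curl exit codes to classify results are assumptions; the workshop's real policy may differ.

```shell
#!/bin/sh
# Added example, not from the workshop repo. Assumptions: Calico Cloud /
# Enterprise policy API, a tier named "security" (policy name and order are
# illustrative), a pod named "attacker" in the current namespace with curl
# installed, and kubectl access to the cluster.

# Assumed shape of the quarantine policy: log first, then deny, in both
# directions, for any pod labelled quarantine=true. The workshop says such a
# policy already exists; this is an illustrative reconstruction of it.
quarantine_policy() {
  cat <<'EOF'
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: security.quarantine
spec:
  tier: security
  order: 100
  selector: quarantine == "true"
  types:
    - Ingress
    - Egress
  ingress:
    - action: Log
    - action: Deny
  egress:
    - action: Log
    - action: Deny
EOF
}

# curl exit codes that mean the connection never completed:
# 6 = could not resolve host, 7 = connection refused/unreachable, 28 = timeout.
# Anything else (0 = got an HTTP response, including a 403 from the API
# server; 35 = TLS handshake failure) means packets reached the destination,
# i.e. the pod is NOT isolated.
is_blocked_rc() {
  case "$1" in
    6|7|28) return 0 ;;
    *) return 1 ;;
  esac
}

# Run one curl inside the pod and print "blocked" or "reachable".
# kubectl exec propagates the container command's exit status.
probe() {            # probe <pod> <url>
  kubectl exec "$1" -- curl -s -m3 -k -o /dev/null "$2" >/dev/null 2>&1
  if is_blocked_rc $?; then echo blocked; else echo reachable; fi
}

# Probe the three destinations used in the module, one line per target.
probe_all() {        # probe_all <pod>
  for url in http://vote.vote https://kubernetes:443/version http://neverssl.com; do
    printf '%-40s %s\n' "$url" "$(probe "$1" "$url")"
  done
}

# Full before/after check: every target must read "blocked" once labelled.
quarantine_check() { # quarantine_check <pod>
  pod="$1"
  echo "== before quarantine =="; probe_all "$pod"
  kubectl label pod "$pod" quarantine=true --overwrite
  echo "== after quarantine =="
  after=$(probe_all "$pod"); echo "$after"
  if echo "$after" | grep -qv 'blocked$'; then
    echo "FAIL: $pod still reaches at least one destination" >&2
    return 1
  fi
  echo "OK: $pod is isolated"
}
```

Run `quarantine_check attacker` from a shell that has kubectl access; `quarantine_policy | kubectl apply -f -` would create the reconstructed policy on a cluster that does not already have one. The exit-code classification matters: a TLS failure or an HTTP 403 from the API server still proves that packets reached the destination, so only DNS failure, connection refusal, and timeout count as "blocked".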


Visualize security posture of your Kubernetes cluster

Timeline

What changed, who did it, and when? This information is critical for security. Kubernetes itself does not make it easy to obtain an audit trail for pods, namespaces, service accounts, network policies, and endpoints: API server audit logging exists, but it must be enabled and configured on the control plane, which is often not accessible on managed clusters. The Calico Cloud timeline provides audit logs for all changes to network policy and other resources associated with your Calico Cloud deployment.

  1. On the Calico Cloud GUI, navigate to Activity and explore the entries in the Timeline.

[screenshot: timeline]

Compliance Reports

Continuous compliance means employing a continual audit that shows what traffic was allowed in your infrastructure, what traffic was denied and why, and who was trying to change what and whether those changes went into effect. It allows teams to pick any point in time and say with reasonable certainty whether the organization was compliant at that moment, with documentation to prove it. Calico's compliance reports visually describe the security controls in place in an easy-to-understand policy view, and show which workloads are in scope and out of scope for your policy.

  1. On the Calico Cloud GUI, navigate to Compliance.

[screenshot: compliance-reports]

  2. Explore the Compliance Reports.

[screenshot: cis-benchmark]

Congratulations! You completed this workshop!


➡️ Module 6 - Clean up

⬅️ Module 4 - Zero-Day Attacks Detection with Threat Defence
↩️ Back to Main