Container expertise has gained traction amongst companies as a result of elevated effectivity it offers. On this regard, organizations broadly use Kubernetes for deploying, scaling, and managing containerized functions. Organizations ought to audit Kubernetes to make sure compliance with rules, discover anomalies, and establish safety dangers. The Wazuh open supply platform performs a crucial position in monitoring Kubernetes and different parts of a corporation’s infrastructure.
What’s Kubernetes?
Kubernetes is an open supply container administration answer that automates the deployment and scaling of containers and in addition manages the life cycle of containers. It organizes containers into logical items for easy administration and discovery. Kubernetes extends how we scale containerized functions in order that we might use a very persistent infrastructure.
You possibly can construct cloud-native functions based mostly on microservices with Kubernetes. Lovers view Kubernetes because the cornerstone of utility modernization. It permits the containerization of present functions, permitting builders to create functions rapidly.
The complexity of working applications grows after they unfold throughout a number of servers and containers. To deal with this complexity, Kubernetes gives an open supply API that manages the place and the way these containers will execute. Kubernetes incorporates load balancing, controls service discovery, retains observe of useful resource allocation, and scales based mostly on compute use. Moreover, it assesses the situation of every useful resource and offers applications the flexibility to self-fix by replicating containers or restarting them routinely.
Auditing Kubernetes
There are a number of insurance policies that organizations ought to adjust to, relying on the jurisdiction and sector through which they function. A few of these insurance policies improve the cyber resilience of the IT infrastructure, for instance, PCI DSS and GDPR. The Kubernetes cluster is a part of the IT infrastructure, and organizations ought to guarantee they adjust to insurance policies and safety greatest practices the place relevant.
One of many necessities that seem in most IT coverage paperwork is the log retention coverage. Log retention insurance policies dictate how lengthy you must retailer logs. You should use these logs to establish threats throughout lively monitoring and incident investigation.
Directors work together with the Kubernetes cluster through the Kubernetes API, and the cluster can log all API requests and responses. You possibly can detect uncommon or undesirable API calls from the Kubernetes audit logs. In additional element, you will get alerts for occasions resembling authentication failure, container creation, modification, and deletion. The Kubernetes audit logging function is disabled by default. Subsequently, you must take some needed steps to show it on.
Utilizing Wazuh to watch and archive Kubernetes audit logs
You could monitor the audit logs to detect safety threats and anomalies. Moreover, you must index the logs to seek for related info throughout an incident investigation. Wazuh screens, shops, and indexes the Kubernetes audit logs. Wazuh is an open supply unified XDR and SIEM platform. It’s commercially free and has over 10 million annual downloads.
The Wazuh improvement group has an in depth information on auditing Kubernetes with Wazuh. The information particulars steps on the right way to do the next:
- Configure the Wazuh server to obtain and course of the Kubernetes audit logs.
- Allow audit logs on the Kubernetes cluster and ahead them to the Wazuh server.
You possibly can create customized guidelines to set off alerts when Wazuh detects particular occasions within the Kubernetes audit log. For instance, you’ll be able to create guidelines to set off alerts when sources are created or deleted on the Kubernetes cluster.
 |
| Determine 1: Alerts triggered from Kubernetes audit logs on the Wazuh dashboard |
You possibly can configure Wazuh to show all archived logs on the dashboard. These are logs of Kubernetes occasions that didn’t set off an alert.
 |
| Determine 2: Kubernetes audit log archive on the Wazuh dashboard |
The Wazuh indexer is a extremely scalable full-text search and analytics engine. The indexer indexes and shops the Kubernetes audit logs to offer you real-time information search and analytics capabilities. The Wazuh indexer will increase effectivity throughout an incident investigation when you must retrieve related information from the audit logs.
Abstract
Kubernetes is broadly used to deploy, scale, and handle functions. You must preserve Kubernetes audit logs for safety and compliance functions. The audit logs include information that may point out uncommon or undesirable actions. Wazuh is an open supply XDR and SIEM answer that screens, archives, and queries Kubernetes audit logs to establish safety threats and different anomalies. Wazuh additionally protects different parts of an IT infrastructure, together with endpoints and cloud workloads.
Wazuh has a big neighborhood of customers who assist one another and assist to enhance the product. You possibly can be a part of the Wazuh neighborhood to contribute to the product and request assist for any points you will have.
