Amazon EKS Anywhere-support

by AccuKnox Team | January 04, 2024

Kubernetes On-Prem with Amazon EKS Anywhere

Amazon EKS Anywhere allows installing and managing Kubernetes clusters on your own infrastructure, with optional support from AWS. EKS Anywhere supports full lifecycle management of multiple Kubernetes clusters that can operate completely independently of any AWS services. It provides open-source software that’s up to date and patched so you can have an on-premises Kubernetes environment that’s more reliable than a self-managed Kubernetes offering. EKS Anywhere is compatible with Bare Metal, CloudStack, and VMware vSphere as deployment targets.
💡TL;DR

  • Amazon EKS Anywhere allows you to deploy and operate Kubernetes clusters on your own infrastructure, with optional AWS support.
  • It lets you perform full lifecycle management of many Kubernetes clusters, as well as offering up-to-date and patched software for a more dependable on-premises Kubernetes environment.
  • As deployment targets, EKS Anywhere is compatible with Bare Metal, CloudStack, and VMware vSphere.
  • KubeArmor, which integrates with EKS Anywhere, gives users fine-grained control over system behavior. Users can limit file system access, manage process spawning inside pods, guard against privilege escalation attacks, and block access to critical assets.
  • KubeArmor integration with EKS Anywhere improves cluster administration and ensures environmental safety.

Securing Amazon EKS Anywhere At Runtime With KubeArmor

Although EKS Anywhere can make cluster administration easier, protecting how Kubernetes namespaces, pods, workloads, and clusters interact and access shared resources remains an unsolved problem. Workloads must be protected at runtime, since most attacks, such as cryptomining, ransomware, data exfiltration, and denial of service, manifest once the workloads are deployed in the target k8s environment.

Amazon strongly endorses the adoption of safety protocols for EKS, in the following crucial security domains:

  • Identity and Access Management
  • Pod Security
  • Runtime Security
  • Network Security
  • Regulatory Compliance
  • Incident Response and Forensics

KubeArmor comprehensively fulfills these requirements, in line with the recommended safety guidelines for Amazon EKS. Getting up to speed on the Kubernetes threat environment is difficult for security teams, and new responsibilities for Kubernetes infrastructure and workloads add significant overhead. It can also be difficult to ensure that platform and application teams have consistency and complete visibility across environments for the configurations and settings needed to meet AWS EKS security best practices. KubeArmor helps you take care of most of these.

Runtime Enforcement

KubeArmor leverages Linux security modules (LSMs) such as AppArmor, SELinux, or BPF-LSM for runtime enforcement of user-applied policies. KubeArmor simplifies cloud-native runtime security by integrating seamlessly with Amazon EKS Anywhere.

By aligning KubeArmor with EKS-Anywhere, users gain unprecedented control over system behavior. You get to:

  • Restrict file system access for specific processes.
  • Govern process spawning within pods.
  • Prevent privilege escalation attacks.
  • Prevent access to sensitive assets.
  • Apply process allow-listing rules.
  • Apply process-based network access control.
  • And many more…
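
As an illustration of the "prevent access to sensitive assets" and "govern process spawning" items above, here is a KubeArmorPolicy written for this article as an added example (it is not taken from the KubeArmor project or from an EKS Anywhere deployment). The policy name, namespace, workload label and Debian-style binary paths are assumptions.

```yaml
# Added example. Names, namespace and labels below are placeholders.
apiVersion: security.kubearmor.com/v1
kind: KubeArmorPolicy
metadata:
  name: block-sa-token-and-pkg-mgmt   # hypothetical policy name
  namespace: demo                     # hypothetical namespace
spec:
  severity: 7
  tags: ["hardening"]
  message: "blocked access to a sensitive asset or package manager"
  # The policy applies to every pod in the namespace carrying this label.
  selector:
    matchLabels:
      app: web                        # hypothetical workload label
  # Sensitive asset: the mounted service account token. Only block this
  # for workloads that never call the Kubernetes API themselves.
  file:
    matchDirectories:
    - dir: /run/secrets/kubernetes.io/serviceaccount/
      recursive: true
  # Process spawning: package managers have no reason to run in a
  # deployed container (paths assume a Debian-based image).
  process:
    matchPaths:
    - path: /usr/bin/apt
    - path: /usr/bin/apt-get
    - path: /usr/bin/dpkg
  # Block denies the matched operations; use Audit first to see what
  # would be denied without breaking the workload.
  action: Block
```

Starting with `action: Audit` and switching to `Block` once the alerts look clean avoids breaking a workload that legitimately touches one of these paths.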

Use Cases for EKS-Anywhere

  1. Prevents backdoor operations.
  2. Detects unauthorized fetch-store-exec operations from compromised processes or malicious code.
  3. Thwarts unauthorized network interface usage.
  4. Averts unauthorized file system manipulations.
  5. Halts unauthorized process execution, termination, and thread hijacking.

This integration protects the integrity of your clusters and delivers optimal security across your Kubernetes workloads.

Application Behavior

For cloud-native deployments, understanding application actions and interactions is complex. Lack of visibility can lead to security blind spots. 

KubeArmor uses eBPF (Extended Berkeley Packet Filter) for observability and monitoring, and addresses these issues by presenting a summarized view of application behavior. You can streamline your application monitoring on EKS Anywhere by letting KubeArmor highlight these attack vectors.

KubeArmor offers a clear look into system and application behavior, simplifying insights. It compiles and presents data, helping comprehend application actions.

  1. Process Insights: Identifies executing processes within pods. Tracks processes and their parent processes.
  2. File Analysis: Monitors file system access by different processes.
  3. Network Observations: Examines Ingress/Egress connections from pods. Tracks server binds within pods.

Harden Infrastructure

KubeArmor offers robust security for Kubernetes and cloud-native platforms. By applying hardening policies from trusted frameworks like CIS, MITRE, NIST-800-53, and STIGs, it streamlines workload security for Amazon EKS Anywhere environments.

The ready-made applicability and a simple setup are added advantages. Tailored policies for your workloads help you to understand their impact on the system. This way you can make informed security decisions while maintaining functionality.

Least Permissive Access

KubeArmor adds a zero trust posture in Kubernetes clusters by allowing users to define allow-based policies. It means you get to restrict specific operations and audit all others. Authorized activities are allowed and deviations from expected behavior are denied. Such a zero trust posture protects sensitive data, prevents system breaches, and maintains cluster integrity. 

KubeArmor’s zero-trust capabilities in Amazon EKS Anywhere elevate your security stance. For instance, designated pods or containers can only invoke a predefined set of binaries during runtime. The allow-based rules are granular and atomic. Other processes fall under denial as per the default security guidelines.
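
The allow-based model described above, as an added example written for this article (not the project's own manifest). The namespace, label, policy name and binary paths are assumptions; the example also shows the namespace-level default posture annotation, which decides whether operations outside the allow-list are denied or only audited.

```yaml
# Added example. Namespace, label, names and paths are placeholders.
# Document 1: set the default file/process posture of the namespace to
# "block", so anything NOT matched by an Allow rule is denied. With the
# default "audit" posture, unmatched operations are only logged.
apiVersion: v1
kind: Namespace
metadata:
  name: demo                          # hypothetical namespace
  annotations:
    kubearmor-file-posture: block
---
# Document 2: the allow-list itself.
apiVersion: security.kubearmor.com/v1
kind: KubeArmorPolicy
metadata:
  name: allow-only-nginx-exec         # hypothetical policy name
  namespace: demo
spec:
  severity: 5
  message: "process outside the allow-list"
  selector:
    matchLabels:
      app: nginx                      # hypothetical workload label
  # The file posture also covers process execution, so file access is
  # allowed explicitly here; only execution is narrowed.
  file:
    matchDirectories:
    - dir: /
      recursive: true
  # The only binaries the selected pods may execute.
  process:
    matchPaths:
    - path: /usr/sbin/nginx
    - path: /bin/bash
  action: Allow
```

Running the namespace in the audit posture first and reviewing the resulting alerts shows which binaries the workload really needs before the posture is switched to block.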


Network Microsegmentation

Microsegmentation is a network security technique that allows security architects to create network security zone borders per machine in data centers and cloud deployments to separate and safeguard workloads independently. It is currently utilized on both the client network and the data center network. Security is inherently linked to network segmentation, and KubeArmor delivers on this front. It allows isolating workloads, limiting lateral movement, and cutting the attack surface. This is done via:

  • Cluster-level isolation
  • Network-level Control
  • IP-based segmentation
  • Network Security Enforcement

Deploying KubeArmor on Amazon EKS Anywhere

STEP 1: Install KubeArmorOperator using the official kubearmor Helm chart repo.

helm repo add kubearmor https://kubearmor.github.io/charts
helm repo update kubearmor
helm upgrade --install kubearmor-operator kubearmor/kubearmor-operator -n kubearmor --create-namespace

STEP 2: Apply default KubeArmor configuration

kubectl apply -f https://raw.githubusercontent.com/kubearmor/KubeArmor/main/pkg/KubeArmorOperator/config/samples/sample-config.yml -n kubearmor

This sets up the KubeArmor security solution on your Amazon EKS Anywhere cluster using Helm and applies default configurations for enhanced protection.

Closing Thoughts

We are excited to announce the integration of KubeArmor with Amazon EKS Anywhere. KubeArmor’s comprehensive features, covering both observability and enforcement, make the management of your clusters inherently more secure. As you take charge of managing your clusters, KubeArmor ensures that your environment always remains protected. EKS Anywhere for bare metal allows for more widespread adoption of on-premise K8s installation. The vulnerability assessment and K8s security provided by KubeArmor assist organizations in managing risks in cloud-native settings. Integrate security and adapt to hybrid cloud architectures with unified visibility.
