Aqua Blog

Securing Kubernetes Everywhere with EKS Anywhere (EKS-A) Bare Metal


With the release of Amazon EKS Anywhere (EKS-A) Bare Metal, Amazon Web Services has expanded the infrastructure choices for deploying EKS Anywhere clusters, adding on-premises bare metal servers as a deployment target. In support of this, Aqua has worked to ensure that as customers adopt EKS Anywhere to automate Kubernetes cluster lifecycle management for on-premises deployments, they can secure the software supply chain, detect and manage risk across their clusters, and enforce consistent Kubernetes-native security and assurance policies.

Provided as open source software, the bare-metal EKS Anywhere deployment model reduces the upfront cost for customers who are early in their adoption of Kubernetes for application delivery automation. Making use of Aqua’s open source portfolio, including Trivy, DevOps teams running EKS Anywhere either on-premises or in hybrid mode can also build security, assurance, and risk assessment policies into their processes. This includes scanning their Kubernetes clusters for vulnerabilities, defining admission controller policies, and identifying misconfigurations.

Customers may also have business or compliance needs that limit their ability to deploy applications to the public cloud. By providing compliance policy enforcement, consolidated visibility into where risk is the most elevated, and runtime protection across Kubernetes clusters, Aqua enables these customers to securely implement Kubernetes for orchestration and deployment of cloud native applications.

Why EKS Anywhere?

According to Gartner, more than 85% of global organizations will be running containerized applications in production by 2025, a significant increase from below 35% in 2019. Increasingly, the orchestration platform of choice for these containerized applications is Kubernetes.

As enterprises adopt Kubernetes as the primary platform for cloud native application orchestration, the value of a managed Kubernetes service such as Amazon EKS quickly becomes apparent in reducing the amount of time and expertise required to manage Kubernetes clusters.

EKS has addressed the need for customers deploying in the public cloud. However, enterprises may prefer to deploy their Kubernetes in on-premises data centers while still taking advantage of a managed service. EKS Anywhere also serves as a valuable tool to enable workload migration to the cloud.

In addition to data sovereignty concerns, enterprises will want to deploy applications in on-premises data centers for lower latency or to maximize their investments in their data center infrastructure.

Built on open source EKS-Distro components (for which we announced support in December 2020), EKS Anywhere now supports clusters running on bare metal in addition to VMware vSphere.

Advanced Kubernetes security for scale and automation

EKS Anywhere tooling helps to create the EKS clusters, configure the operating environment, update software, and handle backup and recovery. But customers are still responsible under the cloud services shared responsibility model for securing the applications that run on EKS and their implementations.

Although EKS Anywhere can make management of the clusters less challenging, the question of securing how Kubernetes namespaces, pods, and clusters communicate and access shared resources still looms. Plus, it can be a challenge to ensure that platform and application teams have consistency and full visibility across environments for configurations and settings to meet internal policies and security best practices.

Aqua’s Kubernetes Security solution takes into account the full lifecycle of applications running on Kubernetes, securing them at both the workload and infrastructure levels. It leverages native Kubernetes capabilities such as admission controllers where it makes the most sense, and augments them with more stringent controls and policy management made for security teams with no Kubernetes expertise required.

For security teams with new responsibility for Kubernetes infrastructure and workloads, getting up to speed in understanding the threat landscape of Kubernetes can also be a challenge.

This is where Aqua comes in with our comprehensive set of Kubernetes-native capabilities and Kubernetes Security Posture Management (KSPM). These allow for centralized management of assurance policies for EKS clusters, assessment of configurations against consistent assurance policies, and the ability to block non-compliant EKS workloads via our Kube Enforcer capabilities, whether on-premises or in the public cloud.

These capabilities incorporate functionality from Aqua’s Trivy open source project for cluster penetration testing, CIS benchmarking validation, and Kubernetes security risk reporting, now industry standards, as well as ongoing updates from the Team Nautilus research crew.

Aqua provides a comprehensive Kubernetes-native platform for securing EKS deployments including applications built and deployed on them:

  • Use open source Trivy Kubernetes scanning for an overview of all the vulnerabilities and misconfiguration issues or to scan specific workloads that are running in your cluster
  • Automate vulnerability scanning when a new pod is created with the Trivy Kubernetes Operator, with security reports generated as Kubernetes custom resources
  • Secure the software supply chain with CI/CD pipeline integrity validation, CIS Software Supply Chain benchmarking, and integrated software code analysis and vulnerability scanning
  • Enforce and monitor consolidated Kubernetes Security Posture Management (KSPM) policies for config security & compliance (including CIS Benchmarks and best practices)
  • Identify, prioritize risk, and maintain dynamic visibility for DevSecOps into active Kubernetes clusters with Aqua Risk Explorer
  • Ensure least-privilege access for DevOps with extended Kubernetes Roles, ClusterRoles & Subjects Assessment configuration, and application scoping per cluster and across clusters
  • Enforce EKS and EKS Anywhere workload runtime protection with embedded Kube Enforcer per cluster and Drift Prevention to prevent unauthorized changes to containers at run time
  • Integrate Aqua with AWS CloudWatch for EKS logging, forensics and audits, including Kubernetes-native visibility and runtime policy enforcement
  • Leverage AWS CloudFormation Public Registry to deploy Aqua Kube Enforcers after EKS cluster creation to secure it before any apps are deployed
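The operator bullet above describes reports landing in the cluster as custom resources; what a security team then does with them is the risk-prioritization step the list mentions. The following is an added example, not Aqua's or the Trivy Operator's own code, that folds per-container VulnerabilityReport objects into one tally per workload, flags workloads that breach a simple assurance policy, and lists the fixes worth applying first. The field names (`trivy-operator.resource.kind`, `trivy-operator.container.name`, `report.vulnerabilities[].fixedVersion`, and so on) follow the operator's `aquasecurity.github.io/v1alpha1` schema as the author understands it and should be treated as an assumption to check against the CRD in your cluster; the three sample reports and their `CVE-0000-000x` identifiers are constructed placeholders.

```python
"""Summarise Trivy Operator VulnerabilityReport custom resources per workload.

Added example, not Aqua's or the Trivy Operator's own code. The report layout
assumed here mirrors the aquasecurity.github.io/v1alpha1 VulnerabilityReport
(label and field names are an assumption; verify against your cluster's CRD).
"""
from collections import defaultdict

SEVERITIES = ("CRITICAL", "HIGH", "MEDIUM", "LOW", "UNKNOWN")

# Constructed sample: the trimmed "items" of
# `kubectl get vulnerabilityreports -A -o json`, one report per container.
# CVE identifiers are placeholders, not real advisories.
SAMPLE_REPORTS = [
    {
        "metadata": {
            "namespace": "shop",
            "labels": {
                "trivy-operator.resource.kind": "ReplicaSet",
                "trivy-operator.resource.name": "web-7d9f",
                "trivy-operator.container.name": "nginx",
            },
        },
        "report": {
            "vulnerabilities": [
                {"vulnerabilityID": "CVE-0000-0001", "severity": "CRITICAL",
                 "resource": "openssl", "installedVersion": "1.0.0", "fixedVersion": "1.0.1"},
                {"vulnerabilityID": "CVE-0000-0002", "severity": "HIGH",
                 "resource": "zlib", "installedVersion": "1.2.0", "fixedVersion": ""},
            ],
        },
    },
    {
        "metadata": {
            "namespace": "shop",
            "labels": {
                "trivy-operator.resource.kind": "ReplicaSet",
                "trivy-operator.resource.name": "web-7d9f",
                "trivy-operator.container.name": "sidecar",
            },
        },
        "report": {
            "vulnerabilities": [
                {"vulnerabilityID": "CVE-0000-0003", "severity": "HIGH",
                 "resource": "curl", "installedVersion": "7.0", "fixedVersion": "7.1"},
            ],
        },
    },
    {
        "metadata": {
            "namespace": "kube-system",
            "labels": {
                "trivy-operator.resource.kind": "Deployment",
                "trivy-operator.resource.name": "coredns",
                "trivy-operator.container.name": "coredns",
            },
        },
        "report": {"vulnerabilities": []},
    },
]


def workload_key(report):
    """namespace/Kind/name of the workload a container report belongs to."""
    labels = report["metadata"]["labels"]
    return "{}/{}/{}".format(report["metadata"]["namespace"],
                             labels["trivy-operator.resource.kind"],
                             labels["trivy-operator.resource.name"])


def summarize(reports):
    """Fold per-container reports into one tally per workload."""
    summary = defaultdict(lambda: {"containers": set(), "fixable": 0,
                                   **{sev: 0 for sev in SEVERITIES}})
    for r in reports:
        entry = summary[workload_key(r)]
        entry["containers"].add(r["metadata"]["labels"]["trivy-operator.container.name"])
        for v in r["report"]["vulnerabilities"]:
            entry[v.get("severity", "UNKNOWN")] += 1
            if v.get("fixedVersion"):  # empty string means no upstream fix yet
                entry["fixable"] += 1
    return dict(summary)


def violations(reports, max_critical=0, max_high=1):
    """Workloads breaching a simple assurance threshold (hypothetical policy)."""
    return sorted(key for key, s in summarize(reports).items()
                  if s["CRITICAL"] > max_critical or s["HIGH"] > max_high)


def prioritized(reports):
    """Remediation order: most criticals, then highs, then most fixable findings."""
    s = summarize(reports)
    return sorted(s, key=lambda k: (-s[k]["CRITICAL"], -s[k]["HIGH"], -s[k]["fixable"], k))


def fix_plan(reports, key):
    """(container, package, installed, fixed) for CRITICAL/HIGH findings with a fix."""
    plan = []
    for r in reports:
        if workload_key(r) != key:
            continue
        container = r["metadata"]["labels"]["trivy-operator.container.name"]
        for v in r["report"]["vulnerabilities"]:
            if v.get("fixedVersion") and v.get("severity") in ("CRITICAL", "HIGH"):
                plan.append((SEVERITIES.index(v["severity"]), container,
                             v["resource"], v["installedVersion"], v["fixedVersion"]))
    return [item[1:] for item in sorted(plan)]


if __name__ == "__main__":
    for key in prioritized(SAMPLE_REPORTS):
        s = summarize(SAMPLE_REPORTS)[key]
        print(key, "critical=%d high=%d fixable=%d" % (s["CRITICAL"], s["HIGH"], s["fixable"]))
    print("policy violations:", violations(SAMPLE_REPORTS))
    print("fix first:", fix_plan(SAMPLE_REPORTS, "shop/ReplicaSet/web-7d9f"))
```

Because the operator emits one report per container, grouping by the workload labels is what turns a pile of reports into something a platform team can act on; the same grouping is the natural input for an admission or assurance policy that blocks workloads over a threshold.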

Closing thoughts

EKS Anywhere for bare metal opens the door to broader adoption of both on-premises Kubernetes environments and hybrid cloud architectures. Delivered as open source with a support subscription model available, it lets customers build Kubernetes expertise, ensure consistent management and reliability, and address more complex use cases such as data residency or disconnected environments.

Using Aqua’s open source Trivy for both vulnerability scanning and Kubernetes security will help enterprises manage the risks of their cloud native environments wherever a Kubernetes infrastructure is deployed. With Aqua’s consolidated visibility, automated assurance policies, and consistent enforcement, customers can integrate security as their own Kubernetes maturity evolves and seamlessly migrate to hybrid cloud architectures.

Steve Coplan
Steve was the Director of Product Marketing for Strategic Partners at Aqua. His experience spanned industry research and analysis, corporate strategy, and product marketing in data security and privacy. Steve especially enjoys being at the forefront of innovation and collaborating with partners to help customers adopt pioneering technology through new approaches to managing risk and security.