Advanced Cluster Security - bcgov/common-service-showcase GitHub Wiki

Advanced Cluster Security

Advanced cluster security tools are essential for organizations utilizing containerized environments and orchestration platforms. Here are several reasons why these tools are crucial:

  • Threat Detection and Prevention
  • Vulnerability Management
  • Compliance Assurance
  • Access Control and Identity Management
  • Runtime Protection
  • Network Security

Overall, advanced cluster security tools play a crucial role in securing containerized environments, helping organizations mitigate risks, ensure compliance, and protect sensitive data and applications from evolving cyber threats.

A periodic audit using the Red Hat ACS tool is recommended to catch any available updates or security vulnerabilities. At a minimum, we should prioritize fixing any logged issues rated critical or high.

It is possible, and normal, that a fix is not possible or not yet available in some cases for various reasons. In those cases it is better to leave the issue as is and make a note so it can be fixed in the future (when a fix becomes available).

The Red Hat ACS tool can be found at the following link: https://acs.developer.gov.bc.ca/

Auditing using advanced cluster security tools typically involves several key steps to ensure that environments are compliant, secure, and resilient against potential threats.

A general guide includes:

  • Use the advanced cluster security tool to perform vulnerability scanning on container images, dependencies, and configurations.
  • Identify and prioritize vulnerabilities based on severity ratings and their potential impact on the environment.
  • Schedule regular vulnerability scans to ensure continuous monitoring and mitigation of security risks.
  • Make sure all namespaces are reviewed for any fixable critical- or high-severity risk, and that a corresponding action ticket is created for each.
  • It is recommended to take a screenshot before and after each fix is applied.
  • Open tickets for the fixable vulnerabilities/updates, with the priority set according to the needs.
  • Make a note of any critical CVE, along with the relevant namespace, for which an immediate fix is not available.
  • Document any new material found which may require future attention.
  • Low and medium violations can be skipped if time does not permit.
  • A quick way to confirm that a fix has taken effect is to compare the results or reported issues with those from a deployment of the open PR that contains the fix.
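As an added example (not part of this wiki page or the project's own tooling), the script below applies the triage policy from the checklist above to image scan results: fixable critical/high findings become action tickets grouped per namespace, critical findings with no fix are noted for follow-up, low and medium findings are skipped, and a baseline scan can be compared with the scan of a PR deployment to confirm which CVEs were actually resolved. The input layout (image → scan → components → vulns with `cve`, `severity`, `fixedBy`) and the severity enum strings are assumptions modeled on the ACS/StackRox image API and may differ in your ACS version; the namespaces, image references and CVE ids are constructed placeholders.

```python
"""Triage ACS-style image scan findings according to the audit checklist.

ASSUMPTION: the JSON layout and severity strings below are modeled on the
ACS/StackRox image API; verify them against the output of your ACS version.
"""
from collections import defaultdict

# ACS-style severity enum -> the checklist's critical/high/medium/low buckets
# (assumption: enum strings may differ between ACS versions).
SEVERITY_BUCKET = {
    "CRITICAL_VULNERABILITY_SEVERITY": "critical",
    "IMPORTANT_VULNERABILITY_SEVERITY": "high",
    "MODERATE_VULNERABILITY_SEVERITY": "medium",
    "LOW_VULNERABILITY_SEVERITY": "low",
}

# Constructed sample: two namespaces, placeholder CVE ids (not real findings).
SAMPLE_SCANS = [
    {"namespace": "app-dev", "image": "registry.example/app:1.0", "scan": {"components": [
        {"name": "openssl", "version": "1.1.1k", "vulns": [
            {"cve": "CVE-0000-0001", "severity": "CRITICAL_VULNERABILITY_SEVERITY", "fixedBy": "1.1.1t"},
            {"cve": "CVE-0000-0002", "severity": "LOW_VULNERABILITY_SEVERITY", "fixedBy": "1.1.1u"},
        ]},
        {"name": "glibc", "version": "2.28", "vulns": [
            # critical but no fixed version published yet -> note for future follow-up
            {"cve": "CVE-0000-0003", "severity": "CRITICAL_VULNERABILITY_SEVERITY", "fixedBy": ""},
        ]},
    ]}},
    {"namespace": "app-prod", "image": "registry.example/app:0.9", "scan": {"components": [
        {"name": "curl", "version": "7.61", "vulns": [
            {"cve": "CVE-0000-0004", "severity": "IMPORTANT_VULNERABILITY_SEVERITY", "fixedBy": "7.88"},
            {"cve": "CVE-0000-0005", "severity": "MODERATE_VULNERABILITY_SEVERITY", "fixedBy": "7.88"},
        ]},
    ]}},
]

# Constructed sample of the same app-dev namespace after a PR bumped openssl to 1.1.1t.
SAMPLE_SCANS_AFTER_PR = [
    {"namespace": "app-dev", "image": "registry.example/app:1.1", "scan": {"components": [
        {"name": "openssl", "version": "1.1.1t", "vulns": [
            {"cve": "CVE-0000-0002", "severity": "LOW_VULNERABILITY_SEVERITY", "fixedBy": "1.1.1u"},
        ]},
        {"name": "glibc", "version": "2.28", "vulns": [
            {"cve": "CVE-0000-0003", "severity": "CRITICAL_VULNERABILITY_SEVERITY", "fixedBy": ""},
        ]},
    ]}},
    SAMPLE_SCANS[1],  # app-prod untouched by the PR
]


def findings(scans):
    """Flatten scan output into one record per (namespace, image, component, CVE)."""
    for scan in scans:
        for comp in scan["scan"]["components"]:
            for v in comp["vulns"]:
                yield {
                    "namespace": scan["namespace"],
                    "image": scan["image"],
                    "component": comp["name"],
                    "version": comp["version"],
                    "cve": v["cve"],
                    "severity": SEVERITY_BUCKET.get(v["severity"], "unknown"),
                    "fixed_by": v.get("fixedBy") or None,  # "" means no fix available
                }


def triage(scans):
    """Apply the checklist: fixable critical/high -> ticket; critical with no fix ->
    note for a future fix; everything else (low/medium) -> may be skipped."""
    out = {"ticket": [], "note": [], "skip": []}
    for f in findings(scans):
        if f["severity"] in ("critical", "high") and f["fixed_by"]:
            out["ticket"].append(f)
        elif f["severity"] == "critical":
            out["note"].append(f)
        else:
            out["skip"].append(f)
    return out


def tickets_by_namespace(scans):
    """Group ticket-worthy CVEs per namespace so each namespace gets its own action ticket."""
    grouped = defaultdict(list)
    for f in triage(scans)["ticket"]:
        grouped[f["namespace"]].append(f["cve"])
    return dict(grouped)


def compare_scans(before, after):
    """Compare a baseline scan with the scan of the PR deployment meant to fix it.
    Keys ignore the component version so an upgrade does not show up as 'new'."""
    key = lambda f: (f["namespace"], f["component"], f["cve"])
    before_set = {key(f) for f in findings(before)}
    after_set = {key(f) for f in findings(after)}
    return {"resolved": sorted(before_set - after_set), "new": sorted(after_set - before_set)}


if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_SCANS).items():
        print(bucket, [(f["namespace"], f["cve"], f["severity"], f["fixed_by"]) for f in items])
    print("tickets:", tickets_by_namespace(SAMPLE_SCANS))
    print("after PR:", compare_scans(SAMPLE_SCANS, SAMPLE_SCANS_AFTER_PR))
```

To run this against real data, export an image scan as JSON from ACS (for example via `roxctl image scan` or the ACS API), tag each export with its namespace, and adjust the field names in `findings()` if your ACS version's output differs from the assumed layout. The `note` bucket is the list to carry forward into the "no fix available yet" documentation the checklist asks for.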