Workload Security

Deploying The New VMware Carbon Black Container Security Solution

“VMware acquired Octarine, a privately held company in Sunnyvale, California on May 27, 2020. Octarine offers a cloud-native security platform for the complete lifecycle of applications running on Kubernetes, helping customers to protect their cloud-native apps from build to runtime. Acquiring Octarine will enable us to further expand VMware’s intrinsic security strategy to containers and Kubernetes environments by embedding the Octarine technology into the VMware Carbon Black Cloud.”

Patrick Morley, General Manager and SVP, Security Business Unit, VMware

As one of the “veterans” working at VMware on the cloud-native landscape, I found that announcement exciting. For the last couple of years the market has been moving to cloud-native architecture and running more and more cloud-native workloads in production. That architecture is declarative and orchestrated, and it pulls in a lot of open-source bits and pieces. This opens a new security challenge that spans the entire modern application supply chain, from code to production. VMware has security services and solutions in every part of that supply chain as part of the VMware Tanzu portfolio, but until now there was no security-focused product aimed at the challenges of the CISO and SOC teams in the organization.

Like the rest of the organization, security teams need to adapt to the new architectures and workloads that have appeared in the last couple of years. That changes the way those teams address security and govern the application supply chain. We saw the same slow-paced evolution in IT departments as infrastructure, network, and storage engineers adapted. Now it is the security teams' turn to level up.

In this post, we will unbox the first version of VMware Carbon Black Cloud for containers, announced as GA last month. Its main capabilities are:

  1. Prioritized Risk Assessment – Enables Security teams to focus on the most severe risks to Kubernetes environments with the ability to detect and prevent vulnerabilities before containers are deployed by scanning Kubernetes manifests at continuous integration, and on Kubernetes clusters.
  2. Governance & Enforcement – Ensures the integrity of your Kubernetes configurations through control and visibility of workloads that are deployed to your clusters. Customizable policies enforce secure configuration by blocking or alerting on exceptions.
  3. Compliance Policy Automation – Helps Security teams shift left into the development cycle to detect and prevent vulnerabilities at build time. Create automated, customizable policies to enforce secure configuration and ensure compliance with organizational requirements and industry standards such as the CIS benchmarks.
  4. Custom Queries – Provides deep visibility into workload security posture and governance to ensure compliance, with the ability to freely explore Kubernetes workload configuration via customized queries.

A Deep Dive

Onboarding your cluster – the onboarding process is as simple as it gets: run a kubectl command with the service operator specs:

Next, create a group for your clusters. The group lets you build dashboards and enforce policies at group level, so decide on the grouping (for example by environment or by team) before onboarding many clusters:

The next step is to create a generic secret based on your cloud service user. This secret is the credential the agent uses to talk to the cloud service, so treat it like any other Kubernetes secret: create it in the agent's namespace, keep its RBAC narrow, and do not commit it to a manifest repository:

The last step is to deploy the agent itself:

Once the agent is installed, the cluster appears in the Inventory >> K8s Cluster view:

We can already see the cluster and information about it in the Inventory >> K8s Workloads dashboard:

In that Kubernetes workloads view you can see what is running on the cluster and the risk of each specific workload, including a risk assessment metric:

For a higher-level dashboard with insight across the entire group of managed clusters, open the K8s Health dashboard in the Harden section:

The health dashboard consolidates risk and vulnerability data for the managed Kubernetes clusters and everything running in them. Clicking the Risk tab (next to the Overview tab) opens a comprehensive risk analysis view of the clusters in that group:

Another important capability is policy insight and policy enforcement. We can decide which level of policy is applied per cluster group, and we can also choose not to enforce a policy but only to get the insight:

As the screenshot above shows, everything is in “Alert” mode, so nothing is enforced, but we still get a picture of how many workloads in those clusters violate the policy being applied. Alert mode is the sensible starting point: a blocking rule rejects every deployment that violates it, so switch a rule to block only once you have reviewed its violation list and handled the legitimate exceptions. Those violations are listed in the Enforce >> K8s policies dashboard:
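To make concrete what “scanning Kubernetes manifests at continuous integration” (capability 1 and 3 above) and an alert-versus-block policy mode actually do, here is an added example of a small manifest policy scanner in Python. It is not Carbon Black code and does not reproduce its rule set: the rule names, severities, the `block_at` threshold, the `deployment` helper and the sample manifests are all assumptions constructed for this illustration. It goes slightly beyond the post by handling Pod, CronJob and the template-based controllers, and it works on the dict structure a YAML loader produces, so it runs without extra dependencies.

```python
"""Illustrative Kubernetes manifest policy scanner (added example, not Carbon Black code).

Rule names, severities and the block threshold are assumptions for this example.
"""
from dataclasses import dataclass
from typing import Any, Dict, List, Tuple

SEVERITY_RANK = {"medium": 1, "high": 2, "critical": 3}


@dataclass(frozen=True)
class Violation:
    rule: str
    severity: str
    workload: str   # namespace/name
    container: str  # container name, or <pod> for pod-level findings
    detail: str


def pod_spec(manifest: Dict[str, Any]) -> Dict[str, Any]:
    """Return the PodSpec embedded in a Pod, CronJob or template-based controller."""
    kind, spec = manifest.get("kind"), manifest.get("spec", {})
    if kind == "Pod":
        return spec
    if kind == "CronJob":
        spec = spec.get("jobTemplate", {}).get("spec", {})
    # Deployment, StatefulSet, DaemonSet, ReplicaSet, Job (and the Job inside a CronJob)
    return spec.get("template", {}).get("spec", {})


def scan_manifest(manifest: Dict[str, Any]) -> List[Violation]:
    """Evaluate one manifest against the hardening rules and return every violation."""
    meta = manifest.get("metadata", {})
    workload = f"{meta.get('namespace', 'default')}/{meta.get('name', '<unnamed>')}"
    spec = pod_spec(manifest)
    found: List[Violation] = []
    # Sharing a host namespace defeats the isolation the container runtime provides.
    for field in ("hostPID", "hostNetwork", "hostIPC"):
        if spec.get(field) is True:
            found.append(Violation("host-namespace", "high", workload, "<pod>", f"{field} is true"))
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name, sc, image = c.get("name", "<unnamed>"), c.get("securityContext", {}), c.get("image", "")
        if sc.get("privileged") is True:
            found.append(Violation("privileged-container", "critical", workload, name,
                                   "securityContext.privileged is true"))
        if sc.get("runAsNonRoot") is not True:  # absent counts as a violation, not a pass
            found.append(Violation("run-as-root", "high", workload, name,
                                   "runAsNonRoot is not set to true"))
        if sc.get("allowPrivilegeEscalation") is not False:
            found.append(Violation("privilege-escalation", "medium", workload, name,
                                   "allowPrivilegeEscalation is not set to false"))
        # A mutable or missing tag means the image that runs is not the image that was scanned.
        last = image.rsplit("/", 1)[-1]  # strip registry host so a host port is not read as a tag
        if "@sha256:" not in image and (":" not in last or last.endswith(":latest")):
            found.append(Violation("mutable-image-tag", "medium", workload, name,
                                   f"image {image!r} has a mutable or missing tag"))
    return found


def scan(manifests: List[Dict[str, Any]]) -> List[Violation]:
    return [v for m in manifests for v in scan_manifest(m)]


def enforce(violations: List[Violation], mode: str = "alert",
            block_at: str = "high") -> Tuple[bool, List[Violation]]:
    """Apply a policy mode: 'alert' always admits, 'block' rejects at or above block_at.

    Returns (admitted, violations that would block).
    """
    blocking = [v for v in violations if SEVERITY_RANK[v.severity] >= SEVERITY_RANK[block_at]]
    if mode == "alert":
        return True, blocking
    if mode == "block":
        return not blocking, blocking
    raise ValueError(f"unknown policy mode {mode!r}")


def deployment(name: str, image: str, security_context: Dict[str, Any] = None,
               **pod_fields: Any) -> Dict[str, Any]:
    """Build a minimal Deployment manifest (helper for the constructed samples below)."""
    return {"kind": "Deployment", "metadata": {"name": name, "namespace": "prod"},
            "spec": {"template": {"spec": {
                "containers": [{"name": "app", "image": image,
                                "securityContext": security_context or {}}],
                **pod_fields}}}}


# Constructed sample input: one badly configured workload and one hardened one.
SAMPLE_MANIFESTS = [
    deployment("payments", "registry.example.com/payments:latest", {"privileged": True}, hostPID=True),
    deployment("frontend", "registry.example.com/frontend:1.4.2",
               {"runAsNonRoot": True, "allowPrivilegeEscalation": False}),
]

if __name__ == "__main__":
    results = scan(SAMPLE_MANIFESTS)
    for v in sorted(results, key=lambda v: -SEVERITY_RANK[v.severity]):
        print(f"[{v.severity:8}] {v.workload} {v.container}: {v.rule} ({v.detail})")
    admitted, blocking = enforce(results, mode="block")
    print("admitted" if admitted else f"blocked by {len(blocking)} violation(s)")
```

Run in a CI step with `mode="alert"` first and let the report accumulate; the `blocking` list returned in alert mode is exactly what would start failing builds once the same rule is flipped to `mode="block"`, which is the “review the violations before enforcing” workflow the screenshots describe.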

Final thoughts

To summarize, the security landscape is changing, just as infrastructure and development are. The challenge is bigger than before because of the number of entities running in every environment, on or off premises. The declarative way of doing things should make security more straightforward. Still, behind that declaration sit code dependencies, libraries, open-source projects, and other components you use, and any one of them can become a new attack vector. As always in security, the game just leveled up, and we need to level up with it.