Evaluate security risks

Examine a real-time snapshot of all the risks across your cluster.


The StackRox Kubernetes Security Platform assesses risk across your entire environment and ranks your running deployments according to their security risk. It also provides details about vulnerabilities, configurations, and runtime activity that require immediate attention.

You can analyze all risks in the Risk view and take corrective action.

To evaluate security risks across clusters:

  1. Select Risk from the left-hand navigation menu.

Figure: Risk Overview

The Risk view lists all deployments from all clusters, sorted by a multi-factor risk metric based on policy violations, image contents, deployment configuration, and other similar factors. Deployments at the top of the list present the most risk.

The Risk view shows a list of deployments with the following attributes for each row:

  • Name: the name of the deployment.
  • Created: the creation time of the deployment.
  • Cluster: the name of the cluster where the deployment is running.
  • Namespace: the namespace in which the deployment exists.
  • Priority: a priority ranking based on severity and risk metrics.

In the Risk view, you can:

  • select a column heading to sort the deployments in ascending or descending order.
  • use the filter bar to filter the list of deployments. See the Use local page filtering topic for more information.
  • create a new policy based on the filtering criteria you have applied, if you are using the StackRox Kubernetes Security Platform version 3.0.45 or newer.

To view more details about the risks for a deployment, select a deployment in the Risk view. See the View risk details topic for more information.

Create policy from Risk view

When you apply local page filtering in the Risk view, you can create new security policies from the filtering criteria you are using.

To create security policies from the Risk view, you need the StackRox Kubernetes Security Platform version 3.0.45 or newer.

To create a new policy from the Risk view:

  1. Select Risk from the left-hand navigation menu.
  2. Apply local page filtering criteria for which you want to create a policy.
  3. Select New Policy and fill in the required fields to create a new policy. For more information about the required and other policy fields, see the Create policy from System policies view section.

Not all of the filtering criteria you apply are carried directly into the new policy. The StackRox Kubernetes Security Platform:

  1. Converts the Cluster, Namespace, and Deployment filters to equivalent policy scopes.

    • When you use local page filtering on the Risk View:
      • it combines the search terms within the same category with an OR operator. For example, if the search query is Cluster:A,B, the filter matches deployments in cluster A or cluster B.
      • it combines the search terms from different categories with an AND operator. For example, if the search query is Cluster:A+Namespace:Z, the filter matches deployments in cluster A and in namespace Z.
    • When you add multiple scopes to a policy, the policy matches violations from any of the scopes.
    • For example, if you search for (Cluster A OR Cluster B) AND (Namespace Z) it results in two policy scopes, (Cluster=A AND Namespace=Z) OR (Cluster=B AND Namespace=Z).
  2. Drops or modifies filters that don’t map directly to policy criteria. The StackRox Kubernetes Security Platform reports the filters it drops. Because a dropped filter is not carried into the policy, the new policy can match more deployments than the filtered view showed, so review the reported dropped filters before you save the policy. The following table lists how the search attributes map to policy criteria:

    Search attribute | Policy criteria
    Add Capabilities | Add Capabilities
    Annotation | Disallowed Annotation
    CPU Cores Limit | Container CPU Limit
    CPU Cores Request | Container CPU Request
    CVE | CVE
    CVE Published On | ✕ Dropped
    CVE Snoozed | ✕ Dropped
    CVSS | CVSS
    Cluster | → Converted to scope
    Component | Image Component (name)
    Component Version | Image Component (version)
    Deployment | → Converted to scope
    Deployment Type | ✕ Dropped
    Dockerfile Instruction Keyword | Dockerfile Line (key)
    Dockerfile Instruction Value | Dockerfile Line (value)
    Drop Capabilities | ✕ Dropped
    Environment Key | Environment Variable (key)
    Environment Value | Environment Variable (value)
    Environment Variable Source | Environment Variable (source)
    Exposed Node Port | ✕ Dropped
    Exposing Service | ✕ Dropped
    Exposing Service Port | ✕ Dropped
    Exposure Level | Port Exposure
    External Hostname | ✕ Dropped
    External IP | ✕ Dropped
    Image | ✕ Dropped
    Image Command | ✕ Dropped
    Image Created Time | Days since image was created
    Image Entrypoint | ✕ Dropped
    Image Label | Disallowed Image Label
    Image OS | Image OS
    Image Pull Secret | ✕ Dropped
    Image Registry | Image Registry
    Image Remote | Image Remote
    Image Scan Time | Days since image was last scanned
    Image Tag | Image Tag
    Image Top CVSS | ✕ Dropped
    Image User | ✕ Dropped
    Image Volumes | ✕ Dropped
    Label | → Converted to scope
    Max Exposure Level | ✕ Dropped
    Memory Limit (MB) | Container Memory Limit
    Memory Request (MB) | Container Memory Request
    Namespace | → Converted to scope
    Namespace ID | ✕ Dropped
    Pod Label | ✕ Dropped
    Port | Port
    Port Protocol | Protocol
    Priority | ✕ Dropped
    Privileged | Privileged
    Process Ancestor | Process Ancestor
    Process Arguments | Process Arguments
    Process Name | Process Name
    Process Path | ✕ Dropped
    Process Tag | ✕ Dropped
    Process UID | Process UID
    Read Only Root Filesystem | Read-Only Root Filesystem
    Secret | ✕ Dropped
    Secret Path | ✕ Dropped
    Service Account | ✕ Dropped
    Service Account Permission Level | Minimum RBAC Permission Level
    Toleration Key | ✕ Dropped
    Toleration Value | ✕ Dropped
    Volume Destination | Volume Destination
    Volume Name | Volume Name
    Volume ReadOnly | Writable Volume
    Volume Source | Volume Source
    Volume Type | Volume Type
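The following Go program is an added illustration of the two conversion steps above (the scope expansion and the drop-or-map of the remaining attributes). It is example code written for this page, not StackRox code and not its actual implementation. It assumes the query syntax of the page's examples ("+" between categories, "," between values), a simplified Scope model with Cluster, Namespace, Deployment and Label fields, and only a subset of the attribute table; all three are assumptions for the example.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Filter is a parsed search query: category -> values (OR within a category, AND across).
type Filter map[string][]string

// Scope is one policy scope: all of its fields must match (AND); a policy
// matches a deployment that falls into any of its scopes (OR).
type Scope map[string]string

// Attributes the page says become scopes, in a fixed expansion order (assumed model).
var scopeCategories = []string{"Cluster", "Namespace", "Deployment", "Label"}

// Subset of the page's attribute table; "" means the filter is dropped.
var criteriaMap = map[string]string{
	"CVE": "CVE", "CVSS": "CVSS", "Image Tag": "Image Tag",
	"Privileged": "Privileged", "Volume ReadOnly": "Writable Volume",
	"Service Account Permission Level": "Minimum RBAC Permission Level",
	"Image": "", "Priority": "", "CVE Snoozed": "", "Secret": "",
}

// ParseQuery splits a query on "+" (categories) and "," (values), the
// syntax of the page's examples; the UI's quoting rules are not modelled.
func ParseQuery(q string) (Filter, error) {
	f := Filter{}
	for _, term := range strings.Split(q, "+") {
		cat, vals, ok := strings.Cut(term, ":")
		cat = strings.TrimSpace(cat)
		if !ok || cat == "" {
			return nil, fmt.Errorf("malformed search term %q", term)
		}
		for _, v := range strings.Split(vals, ",") {
			if v = strings.TrimSpace(v); v != "" {
				f[cat] = append(f[cat], v)
			}
		}
	}
	return f, nil
}

// Convert turns a filter into policy scopes and criteria and reports the
// dropped attributes. Scope-able categories expand into the cross product
// of their values: (Cluster A OR B) AND (Namespace Z) gives {A,Z} and {B,Z}.
func Convert(f Filter) (scopes []Scope, criteria map[string][]string, dropped []string) {
	rest := Filter{}
	for k, v := range f {
		rest[k] = v
	}
	scopes = []Scope{{}}
	for _, cat := range scopeCategories {
		vals, ok := rest[cat]
		if !ok {
			continue
		}
		delete(rest, cat)
		var next []Scope
		for _, base := range scopes {
			for _, v := range vals {
				s := Scope{cat: v}
				for k, x := range base {
					s[k] = x
				}
				next = append(next, s)
			}
		}
		scopes = next
	}
	if len(scopes[0]) == 0 {
		scopes = nil // no scope-able attribute in the query
	}
	criteria = map[string][]string{}
	for cat, vals := range rest {
		if target := criteriaMap[cat]; target != "" {
			criteria[target] = append(criteria[target], vals...)
		} else {
			dropped = append(dropped, cat) // unknown attributes count as dropped
		}
	}
	sort.Strings(dropped)
	return scopes, criteria, dropped
}

// InScope reports whether a deployment (attribute -> value) falls into
// any scope, i.e. whether the OR-of-ANDs expansion selects it.
func InScope(scopes []Scope, dep map[string]string) bool {
nextScope:
	for _, s := range scopes {
		for k, v := range s {
			if dep[k] != v {
				continue nextScope
			}
		}
		return true
	}
	return false
}
```

Calling Convert on the parsed query Cluster:A,B+Namespace:Z+CVSS:7+Image:nginx+Priority:1 (a constructed input) yields the two scopes from the page's example, one CVSS criterion, and the dropped list Image and Priority, which is what the platform reports; InScope then confirms that a deployment in cluster B and namespace Z is selected while one in cluster A and namespace Y is not, so the expansion keeps the OR-within, AND-across semantics of the original filter.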


© 2021 StackRox Inc. All rights reserved.