When you select a deployment in the Risk view, the Risk Details open in a panel on the right. The Risk Details panel shows detailed information grouped by multiple tabs.
The Risk Indicators tab of the Risk Details panel explains the discovered risks.
The Risk Indicators tab includes the following sections:
- Policy Violations: the names of the policies that are violated for the selected deployment.
- Suspicious Process Executions: suspicious processes, arguments, and container names in which the process ran.
- Image Vulnerabilities: images including total CVEs with their CVSS scores.
- Service Configurations: aspects of the configurations that are often problematic, such as read-write (RW) capability, whether capabilities are dropped, and the presence of privileged containers.
- Service Reachability: container ports exposed inside or outside the cluster.
- Components Useful for Attackers: discovered software tools that are often used by attackers.
- Number of Components in Image: the number of packages found in each image.
- Image Freshness: image names and age (for example, 285 days old).
- RBAC Configuration: the level of permissions granted to the deployment in Kubernetes Role-Based Access Control (RBAC).
Not all sections are visible in the Risk Indicators tab. The StackRox Kubernetes Security Platform displays only relevant sections affecting the selected deployment.
The sections in the Deployment Details tab of the Deployment Risk panel provide more information so you can make appropriate decisions on how to address the discovered risk.
- Deployment ID: an alphanumeric identifier for the deployment.
- Namespace: the Kubernetes or OpenShift namespace in which the deployment exists.
- Updated: a timestamp with the date when the deployment was updated.
- Deployment Type: the type of deployment, for example
- Replicas: the number of pods deployed for this deployment.
- Labels: the key-value labels attached to the Kubernetes or OpenShift application.
- Cluster: the name of the cluster where the deployment is running.
- Annotations: the Kubernetes annotations for the deployment.
- Service Account: represents an identity for processes that run in a pod. When a process is authenticated through a service account, it can contact the Kubernetes API server and access cluster resources. If a pod doesn’t have an assigned service account, it gets the default service account.
- Image Name: the name of the image that’s deployed.
- CPU Request (cores): the number of CPUs requested by the container.
- CPU Limit (cores): the maximum number of CPUs the container can use.
- Memory Request (MB): the memory size requested by the container.
- Memory Limit (MB): the maximum amount of memory the container can use without being killed.
- Name: the name of the mount.
- Source: the path from where the data for the mount comes.
- Destination: the path to which the data for the mount goes.
- Type: the type of the mount.
- Secrets: the names of Kubernetes secrets used in the deployment, and basic details for secret values that are X.509 certificates.
- Privileged: lists true if the container is privileged.
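The Service Configurations indicators and the Service Account and Privileged fields described above correspond to fields in the deployment manifest. As an added example (not StackRox code), the following Python reads them from a constructed manifest; the function names `audit` and `effective_service_account` and all sample values are assumptions made for illustration.

```python
# Constructed sample: a Deployment manifest as a dict, in the shape that
# `kubectl get deployment <name> -o json` returns. All values are made up.
SAMPLE = {
    "metadata": {"name": "payments", "namespace": "prod"},
    "spec": {"template": {"spec": {
        # No serviceAccountName is set, so the pod gets the default service account.
        "containers": [
            {"name": "app", "image": "example.invalid/app:1.0",
             "securityContext": {"privileged": True}},
            {"name": "sidecar", "image": "example.invalid/sidecar:1.0",
             "securityContext": {"readOnlyRootFilesystem": True,
                                 "capabilities": {"drop": ["ALL"]}}},
        ],
    }}},
}


def effective_service_account(deployment):
    """Return the service account the pods run as ("default" when unset)."""
    pod = deployment["spec"]["template"]["spec"]
    return pod.get("serviceAccountName") or "default"


def audit(deployment):
    """Return (container, finding) pairs for the Service Configurations checks."""
    pod = deployment["spec"]["template"]["spec"]
    findings = []
    # These three settings exist only at container level, not pod level.
    for c in pod.get("initContainers", []) + pod.get("containers", []):
        sc = c.get("securityContext") or {}
        if sc.get("privileged"):
            findings.append((c["name"], "privileged container"))
        if not sc.get("readOnlyRootFilesystem"):
            findings.append((c["name"], "root filesystem is read-write"))
        if not (sc.get("capabilities") or {}).get("drop"):
            findings.append((c["name"], "no capabilities dropped"))
    return findings


if __name__ == "__main__":
    print("service account:", effective_service_account(SAMPLE))
    for name, finding in audit(SAMPLE):
        print(f"{name}: {finding}")
```

A container with no `securityContext` at all is reported for both the read-write root filesystem and the missing capability drop, because both settings are opt-in in Kubernetes.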
The Process Discovery tab provides a comprehensive list of all binaries that have been executed in each container in your environment, summarized by deployment.
- Binary Name: the name of the binary which was executed.
- Container: the container in the deployment in which the process executed.
- Arguments: specific arguments that were passed with the binary.
- Time: the date and time of the most recent time the binary was executed in a given container.
- Pod ID: the identifier of the pod in which the container resides.
- UID: the Linux user identity under which the process executed.
Use the Process Name:<name> query in the filter bar to find specific processes. See the Use local page filtering topic for more information.
The Event Timeline section in the Process Discovery tab provides an overview of events for the selected deployment. It shows the number of policy violations, process activities, and container termination or restart events.
You need the StackRox Kubernetes Security Platform version 3.0.43 and newer to view the Event Timeline.
You can select the Event Timeline to view more details.
The Event Timeline modal box shows events for all pods for the selected deployment. The events on the timeline are categorized as:
- Process activities (process in and out of the baseline)
- Policy violations
- Container restarts and terminations
The events appear as icons on a timeline. To see more details about an event, hold your mouse pointer over the event icon. The details appear in a tooltip.
- Select Show Legend to see which icon corresponds to which type of event.
- Select Export > Download PDF or Export > Download CSV to download the event timeline information.
- Select the Show All drop-down menu to filter which type of events are visible on the timeline.
- Select the expand icon to see events separately for each container in the selected pod.
All events in the timeline are also visible in the minimap control at the bottom. The minimap controls the number of events visible in the event timeline. You can change the events shown in the timeline by modifying the highlighted area on the minimap. To do this, shrink the highlighted area from the left side, the right side, or both, and then drag the highlighted area.
- When containers restart, the StackRox Kubernetes Security Platform:
  - shows information about container termination and restart events for up to 10 inactive container instances for each container in a pod. For example, for a pod with two containers app and sidecar, the StackRox Kubernetes Security Platform keeps activity for up to 10 app instances and up to 10 sidecar instances.
  - doesn’t track process activities associated with the previous instances of the container.
- The StackRox Kubernetes Security Platform only shows the most recent execution of each (process name, process arguments, UID) tuple for each pod.
- The StackRox Kubernetes Security Platform shows events only for the active pods.
- The StackRox Kubernetes Security Platform adjusts the reported timestamps based on time reported by Kubernetes and the Collector. Kubernetes timestamps use second-based precision, and it rounds off the time to the nearest second. However, the Collector uses more precise timestamps. For example, if Kubernetes reports the container start time as 10:54:48, and the Collector reports a process in that container started at 10:54:47.5349823, the StackRox Kubernetes Security Platform adjusts the container start time to
You can use Tags and Comments to specify what’s happening with processes to keep your team up to date.
You need the StackRox Kubernetes Security Platform version 3.0.42 or newer to add and view Tags and Comments. To upgrade from an older version, see the Upgrade StackRox section.
You can edit and delete your own comments.
To delete comments from other users, you need a role with write permission for the
To add and remove comments or tags, you need a role with write permission for the resource you are modifying. For example, to add or remove comments on processes, your role must have write permission for the
See Manage role based access control to learn more about roles and permissions.
Comments allow you to add text notes to processes, so that everyone in the team can check what’s happening.
To add a new comment:
- Select New in the Process Comments section header.
- Enter your comment in the comment editor. You can also add links in the comment editor. These links open in a new tab when someone clicks on the link on a comment.
- Select Save.
All comments are visible under the Process Comments section, and you can edit and delete comments by selecting the Edit or Delete icon for a specific comment.
You can use custom Tags to categorize your processes. Then you can filter the Risk view to show deployments with selected tags ( attribute). See the Use local page filtering topic for more information about filtering.
To add tags:
- Select the drop-down in the Process Tags section. Existing tags appear as a list (up to 10).
- Select an existing tag or enter a new tag and press Enter. As you enter your query, the StackRox Kubernetes Security Platform automatically displays relevant suggestions for the matching existing tags.
You can add more than one tag for a process. All tags are visible under the Process Tags section, and you can remove tags by selecting the Remove icon (✕) for a specific tag.
The process baselines are visible under the Spec Container Baselines section. See the Use process baselining topic for more information.