Manage cluster configuration

Learn how to use the Configuration Management view and understand the correlation between various entities in your cluster to manage your cluster configuration efficiently.

Every Kubernetes (or OpenShift) cluster includes many different entities distributed throughout the cluster, which makes it more challenging to understand and act on the available information.

The StackRox Kubernetes Security Platform provides efficient configuration management that combines all these distributed entities on a single page. It brings together information about all your clusters, namespaces, nodes, deployments, images, secrets, users, groups, service accounts, and roles in a single Configuration Management view, helping you visualize different entities and the connections between them.

Beginning from version 2.5.30.0, you can use Configuration Management from within the StackRox portal.

Configuration Management view

To open the Configuration Management view, select Configuration Management from the left-hand navigation menu. Similar to the Dashboard, it displays some useful widgets.

Configuration Management dashboard

Widgets

The Configuration Management view includes multiple interactive widgets to show information about:

  • policy violations by severity,
  • the state of CIS (Center for Internet Security) Docker and Kubernetes benchmark controls,
  • users with administrator rights in the most clusters, and
  • secrets used most widely in your clusters.

The Configuration Management view header shows you the number of policies and CIS controls and allows you to switch between different entities. For example, you can:

  • select Policies to view all policies and their severity, or select CIS Controls to view detailed information about all controls.
  • select Application and Infrastructure and choose to view the information about clusters, namespaces, nodes, deployments, images, and secrets.
  • select RBAC Visibility and Configuration and choose to view information about users and groups, service accounts, and roles.

Kubernetes RBAC visibility

Use the Configuration Management view to identify potential misconfigurations, such as users, groups, or service accounts granted cluster-admin access, or find roles not granted to anyone.

To get information about which Kubernetes roles are assigned to which users and groups:

  1. Select RBAC Visibility and Configuration > Users and Groups from the Configuration Management view header. The Users and Groups view displays a list of Kubernetes users and groups, their assigned roles, and whether the cluster-admin role is enabled for each of them.
  2. Select a row to view more details about cluster and namespace permissions associated with the selected user or group. The information appears in a panel on the right.

To find out where service accounts are in use and their permissions:

  1. Select RBAC Visibility and Configuration > Service Accounts from the Configuration Management view header. The Service Accounts view displays a list of Kubernetes service accounts across your clusters, their assigned roles, whether the cluster-admin role is enabled, and which deployments use them.
  2. Select a row (or one of the underlined links in a row) to view more details, including which cluster and namespace permissions are granted to the selected service account. The information appears in a panel on the right.

To get more information about your Kubernetes roles and find unused roles:

  1. Select RBAC Visibility and Configuration > Roles from the Configuration Management view header. The Roles view displays a list of Kubernetes roles across your clusters, the permissions they grant, and where they’re used.
  2. Select a row (or one of the underlined links in a row) to view more details about the role. The information appears in a panel on the right.
  3. To find roles not granted to anyone, select the Users & Groups column header. Then, while holding the Shift key, select the Service Account column header. The list is now sorted to show roles that aren’t granted to any users, groups, or service accounts.
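The two RBAC checks this section surfaces in the UI (which users, groups and service accounts are bound to cluster-admin, and which roles no binding references) can also be reproduced from the raw RBAC objects. The following is an added example, not StackRox code; it runs over constructed objects shaped like the JSON that `kubectl get clusterrolebindings,rolebindings,clusterroles,roles -o json` returns.

```python
# Constructed sample data, shaped like Kubernetes RBAC objects (not from a real cluster).
CLUSTER_ROLE_BINDINGS = [
    {"metadata": {"name": "cluster-admins"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "system:masters"},
                  {"kind": "User", "name": "alice"}]},
    {"metadata": {"name": "ci-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "ci-runner", "namespace": "ci"}]},
    {"metadata": {"name": "viewers"},
     "roleRef": {"kind": "ClusterRole", "name": "view"},
     "subjects": [{"kind": "Group", "name": "developers"}]},
]
ROLE_BINDINGS = [
    {"metadata": {"name": "app-config", "namespace": "payments"},
     "roleRef": {"kind": "Role", "name": "config-reader"},
     "subjects": [{"kind": "ServiceAccount", "name": "payments-api", "namespace": "payments"}]},
]
CLUSTER_ROLES = [{"metadata": {"name": n}} for n in ("cluster-admin", "view", "edit")]
ROLES = [
    {"metadata": {"name": "config-reader", "namespace": "payments"}},
    {"metadata": {"name": "legacy-deployer", "namespace": "payments"}},
]

def subject_id(subject):
    """Stable identifier for a binding subject; service accounts are namespaced."""
    if subject["kind"] == "ServiceAccount":
        return f"ServiceAccount:{subject.get('namespace', '')}/{subject['name']}"
    return f"{subject['kind']}:{subject['name']}"

def cluster_admin_subjects(crbs):
    """Subjects granted cluster-admin cluster-wide. Only ClusterRoleBindings count:
    a RoleBinding to cluster-admin grants admin within one namespace, not the cluster."""
    return sorted({subject_id(s) for b in crbs
                   if b["roleRef"]["kind"] == "ClusterRole"
                   and b["roleRef"]["name"] == "cluster-admin"
                   for s in b.get("subjects", [])})

def unused_roles(cluster_roles, roles, crbs, rbs):
    """Roles and ClusterRoles that no binding references (cleanup candidates)."""
    referenced = set()
    for b in crbs + rbs:
        ref = b["roleRef"]
        if ref["kind"] == "ClusterRole":  # ClusterRoles may be referenced from either binding kind
            referenced.add(("ClusterRole", "", ref["name"]))
        else:  # a Role is only referenced by RoleBindings in its own namespace
            referenced.add(("Role", b["metadata"]["namespace"], ref["name"]))
    defined = {("ClusterRole", "", r["metadata"]["name"]) for r in cluster_roles}
    defined |= {("Role", r["metadata"]["namespace"], r["metadata"]["name"]) for r in roles}
    return sorted(defined - referenced)
```

Against the sample data, `cluster_admin_subjects` reports the system:masters group, the user alice and the ci/ci-runner service account, and `unused_roles` reports the `edit` ClusterRole and the payments/legacy-deployer Role.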

Secrets

View Kubernetes secrets in use in your environment and identify deployments using those secrets.

  1. On the Secrets Most Used Across Deployments widget, select View All. Alternatively, select Application & Infrastructure > Secrets from the Configuration Management view header. The Secrets view displays a list of Kubernetes secrets.
  2. Select a row to view more details. The information appears in a panel on the right.

Use the available information to identify secrets that are in use in deployments where they aren’t needed.

Policy violations

The Policy Violations by Severity widget displays policy violations in a sunburst chart. Each level of the chart is represented by one ring or circle.

  • The innermost circle represents the total number of violations.
  • The next ring represents policy categories (Low, Medium, High, and Critical).
  • The outermost ring represents individual policies in a particular category.

The Configuration Management view only shows the information about policies that have the Lifecycle Stage set to Deploy. It doesn’t include policies that address runtime behavior or those configured for assessment in the Build stage, for example. To explore policy violations:

  1. Hover over the sunburst chart to view details about policy violations.
  2. Select n rated as high (where n is a number) to view detailed information about high-priority policy violations. The Policies view displays a list of policy violations filtered based on the selected category.
  3. Select a row to view more details, including policy description, remediation, deployments with violations, and more. The details are visible in a panel.
  4. The Policy Findings section in the information panel lists deployments where these violations occurred.
  5. Select a deployment under the Policy Findings section to view related details including Kubernetes labels, annotations, service account, and violation comments and tags.

Use the detailed information to plan a remediation for violations.

Comments and tags

You can use Tags and Comments to specify what’s happening with violations to keep your team up to date.

  • You need the StackRox Kubernetes Security Platform version 3.0.42 or newer to add and view Tags and Comments. To upgrade from an older version, see the Upgrade StackRox section.

  • You can edit and delete your own comments.

  • To delete comments from other users, you need a role with write permission for the AllComments resource.

  • To add and remove comments or tags, you need a role with write permission for the resource you are modifying. For example, to add comments on violations, your role must have write permission for the Alert resource.

    See Manage role-based access control to learn more about roles and permissions.

Comments

Comments allow you to add text notes to violations, so that everyone in the team can check what’s happening with a violation.

To add a new comment:

  1. Select New in the Violation Comments section header.
  2. Enter your comment in the comment editor. You can also add links in the comment editor; these links open in a new tab when someone clicks them in a comment.
  3. Select Save.

All comments are visible under the Violation Comments section, and you can edit and delete comments by selecting the Edit or Delete icon for a specific comment.

Tags

You can use custom Tags to categorize your violations. Then you can filter the Violations view to show violations for selected tags (Tag attribute). See the Use local page filtering topic for more information about filtering.

To add tags:

  1. Select the drop-down in the Violation Tags section. Existing tags appear as a list (up to 10).
  2. Select an existing tag or enter a new tag and press Enter. As you enter your query, the StackRox Kubernetes Security Platform automatically displays relevant suggestions for the matching existing tags.

You can add more than one tag for a violation. All tags are visible under the Violation Tags section, and you can remove tags by selecting the Remove icon (✕) for a specific tag.

CIS controls

Similar to the Policy Violations sunburst chart, the CIS controls widget provides information about failing CIS controls.

  1. Select CIS Docker v1.2.0 on the CIS controls widget header. Use this to switch between CIS Docker and Kubernetes controls.
  2. Hover over the sunburst chart to view details about failing controls.
  3. Select n controls failing (where n is a number) to view detailed information about failing controls. The Controls view displays a list of failing controls filtered based on the compliance state.
  4. Select a row to view more details, including control descriptions and nodes where the controls are failing. The details are visible in a panel.
  5. The Control Findings section in the information panel lists nodes where the controls are failing. Select a row to view more details, including Kubernetes labels, annotations, and other metadata.

Use the detailed information to focus your attention on a subset of nodes, industry standards, or failing controls, and assess, check, and report on the compliance status of your containerized infrastructure.

© 2021 StackRox Inc. All rights reserved.