Introduction

CoreStack allows you to discover any policy violations within a Kubernetes cluster.

CoreStack accomplishes this by integrating with Nirmata, a software solutions provider specializing in policy-based security and automating production Kubernetes workloads and clusters. They are also the creators of Kyverno, the leading policy engine designed for Kubernetes. This extends CoreStack’s SecOps capabilities to provide autonomous governance of Kubernetes resources for security and compliance.

Nirmata supports any type of application (traditional or microservices) on any cloud. Nirmata makes Kubernetes accessible in any environment and for all users.

The Nirmata Kubernetes Policy Manager facilitates continuous compliance by employing policy-as-code, admission controls, and runtime best practices. Nirmata enables Kubernetes DevSecOps teams to ensure the security, compliance, and operational readiness of their Kubernetes workloads and clusters. By automating the creation, deployment, and lifecycle management of policy-based Intelligent Guardrails, customers gain insights, alerts, and reports, and can collaborate effectively across development and operations teams.

Key Features and Benefits

  • Obtain an accurate and unified view of the entire multi-cloud estate and get visibility into your multi-account inventory and compliance status of all cloud resources, including Kubernetes.

  • Quickly identify threats, continuously evaluate vulnerabilities, and improve cloud security posture in real time using the Kyverno converged policy engine.

  • Reduce your attack surface with Secure Policy Enforcement. In addition to protecting other cloud resources, customers can protect and govern Kubernetes workloads and clusters by rapidly identifying and fixing risky configurations.

  • Operationalize DevSecOps processes using Policy Administration. DevSecOps teams can collaborate more effectively with automation and integrations that create policy lifecycle alerts, as well as gather useful insights from reports.

  • Accelerate and achieve cloud-native agility by enabling developers to deliver releases faster and respond to changes confidently with a strong focus on security and compliance. With curated and crowdsourced Policy Sets for Kubernetes, developers can be freed from the friction that limits experimentation and lessens productivity.

Cluster Management

Nirmata allows you to deploy and operate Kubernetes Clusters on any cloud. You can create clusters on pre-configured nodes using Host Groups or you can create clusters using cloud provider-managed Kubernetes services. This flexibility allows you to use the appropriate resources based on the requirements for your workloads.

You can create clusters in different ways:

  • Custom Clusters: Nirmata can install the Kubernetes control plane components on any bare-metal servers, virtual machines, or cloud instances. Nirmata supports provisioning of nodes via API integrations with public and private cloud providers. Alternatively, Nirmata allows external provisioning and registration of nodes. Once the nodes are configured, Nirmata automates the provisioning of the Kubernetes control plane.

  • Provider Managed Clusters: Nirmata uses cloud provider API integrations to automate the cluster control-plane and worker node lifecycle management. Nirmata supports provisioning and management of managed Kubernetes clusters using Amazon Elastic Kubernetes Service (EKS), Microsoft Azure Kubernetes Service (AKS), Google Kubernetes Engine (GKE), Oracle Kubernetes Engine (OKE), etc.

  • Registered Clusters: Nirmata allows externally managed clusters like RedHat OpenShift or Rancher RKE clusters to be registered and managed by Nirmata. This can be useful for migration, or simply to leverage Nirmata’s advanced Day 2 workload management while leveraging other tools for cluster management.

To create, manage, upgrade, resize, and delete clusters using Nirmata, visit the Nirmata cluster management portal.

Compliance Controls

Once the cluster is registered in Nirmata, the Kyverno policy engine and various policies are deployed. Kyverno processes the policies and reports any policy violations. CoreStack periodically retrieves the policy violations, reports them, and maps them to compliance controls.
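The violations CoreStack reports come from Kyverno policies deployed in the cluster. As an added illustration (not CoreStack's or Nirmata's own policy; the policy name and message are assumed for this example), the following Kyverno ClusterPolicy runs in audit mode and restricts the volume types a Pod may use to the set permitted by the Kubernetes Pod Security Standards restricted profile. This is the kind of check behind the audit volume type violation referred to in the steps below.

```yaml
# Added example: a Kyverno ClusterPolicy that audits Pod volume types.
# Policy name and message are illustrative choices, not a CoreStack/Nirmata artifact.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: restrict-volume-types
  annotations:
    policies.kyverno.io/title: Restrict Volume Types
    policies.kyverno.io/category: Pod Security Standards (Restricted)
spec:
  # Audit: non-compliant Pods are admitted, and each violation is recorded
  # as a policy report entry. Enforce would instead reject them at admission.
  validationFailureAction: Audit
  # Also scan Pods that already exist, not only new admission requests.
  background: true
  rules:
    - name: restricted-volumes
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        message: >-
          Only the following types of volumes may be used: configMap, csi, downwardAPI,
          emptyDir, ephemeral, persistentVolumeClaim, projected, and secret.
        deny:
          conditions:
            all:
              # Collect every key used under spec.volumes[]; "name" is the volume
              # name, the remaining keys identify the volume type.
              - key: "{{ request.object.spec.volumes[].keys(@)[] || '' }}"
                operator: AnyNotIn
                value:
                  - name
                  - configMap
                  - csi
                  - downwardAPI
                  - emptyDir
                  - ephemeral
                  - persistentVolumeClaim
                  - projected
                  - secret
                  - ''
```

With validationFailureAction set to Audit, a Pod that mounts a hostPath volume is still created, but Kyverno records a failed result for this rule in the cluster's policy reports; that recorded violation is what a periodic collector such as CoreStack picks up and maps to a compliance control. Switching the action to Enforce turns the same rule into a hard admission gate.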

  1. Click Resource > Inventory.

  2. Select a Cloud Service.

  3. In Cloud Accounts, select the respective policy check.

  4. Click Manage Kubernetes.

  5. Click Register to register a Kubernetes cluster.

  6. Click Download to download the configuration file (YAML file).

  7. Upload the configuration file to the cluster. The cluster will become active and CoreStack will start receiving security findings.

  8. Click Governance > Guardrails > Policies. The policy list should appear.

  9. Hover on the policy and click the Execute icon.

  10. After you have registered the cluster for a policy check, in Accounts, select the respective policy check (for example, a check for an audit volume type violation).

  11. Enter the schedule settings.

  12. Click Execute. The policy schedule should appear. It will also show any violations found after the policy execution.