
Secure your Kubernetes applications with Snyk Container

Gareth Rushgrove, November 12, 2019

We wrote previously about implementing container security throughout the SDLC, and discussed the trade-offs of testing locally, in your CI/CD pipeline, against your registry, and in your Kubernetes cluster. With the new Kubernetes integration in Snyk Container, we’re aiming to make that last part easier to do and to bring that information closer to developers, so you can fix vulnerabilities more quickly and enable Kubernetes security.

Finding vulnerable Kubernetes applications with Snyk

Snyk already supports scanning images in your continuous integration pipelines, and importing images directly from your container registries. Our new Kubernetes integration extends this to your cluster. To enable the integration, you install a controller on your cluster, using our Helm Chart. The controller has read access to the Kubernetes API and detects your workloads and the images they are using.

The controller sends the information to Snyk where you can import specific workloads for us to analyze and report on.

With some of your workloads imported, Snyk will now display vulnerability information about the images, along with some metadata (for instance, which cluster the workload is running in and the type of workload).

Workload security, not just image security

For a specific Kubernetes workload you may have tens or hundreds of pods, and potentially even more individual containers. But from a developer’s perspective those are really an implementation detail of the platform. Focusing vulnerability data on individual containers ignores this and doesn’t align with the abstraction the developer is using, most likely the Deployment, CronJob, ReplicationController, etc.

Looking just at images in the cluster also misses context, which might be important in understanding the risk and in knowing what applications are actually affected.

As an example of this, when Snyk imports your Kubernetes workloads we collect important security configuration information alongside the image vulnerabilities.

This information should, at a glance, help you understand which workloads would benefit from configuration changes to better secure them. We’ll detect workloads that don’t drop capabilities, are missing CPU and memory limits (which can help mitigate denial of service attacks), those not using read-only file systems, and more.
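As an added example (not Snyk's code and not part of the original article), the checks listed above can be run against a workload's pod template and reported per workload rather than per container. The manifests are constructed samples and the function names are illustrative; the field names are the standard Kubernetes ones.

```python
import json

# Constructed sample manifests (not from the article).
MANIFESTS = json.loads("""[
 {"kind": "Deployment", "metadata": {"name": "web"},
  "spec": {"template": {"spec": {"containers": [
    {"name": "app", "image": "example/web:1.0",
     "securityContext": {"readOnlyRootFilesystem": true,
                         "capabilities": {"drop": ["ALL"]}},
     "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}}},
    {"name": "sidecar", "image": "example/proxy:1.0",
     "resources": {"limits": {"cpu": "100m"}}}]}}}},
 {"kind": "CronJob", "metadata": {"name": "report"},
  "spec": {"jobTemplate": {"spec": {"template": {"spec": {"containers": [
    {"name": "job", "image": "example/report:1.0"}]}}}}}}
]""")

def pod_spec(workload):
    """Locate the pod spec; CronJob nests it one level deeper than Deployment."""
    spec = workload.get("spec", {})
    if workload.get("kind") == "CronJob":
        spec = spec.get("jobTemplate", {}).get("spec", {})
    return spec.get("template", {}).get("spec", {})

def container_findings(container):
    """Return the hardening settings this container is missing."""
    sc = container.get("securityContext") or {}
    limits = (container.get("resources") or {}).get("limits") or {}
    findings = []
    if not (sc.get("capabilities") or {}).get("drop"):
        findings.append("no capabilities dropped")
    for res in ("cpu", "memory"):
        if res not in limits:
            findings.append(f"no {res} limit")
    if sc.get("readOnlyRootFilesystem") is not True:
        findings.append("root filesystem is writable")
    return findings

def audit(workloads):
    """Map 'Kind/name' -> {container: findings}, reported per workload."""
    report = {}
    for w in workloads:
        spec = pod_spec(w)
        containers = spec.get("initContainers", []) + spec.get("containers", [])
        issues = {c["name"]: f for c in containers if (f := container_findings(c))}
        if issues:
            report[f"{w['kind']}/{w['metadata']['name']}"] = issues
    return report

if __name__ == "__main__":
    print(json.dumps(audit(MANIFESTS), indent=2))
```

The same functions work on live objects if you feed them the `items` list from `kubectl get deployments,cronjobs -o json`.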

Conclusions

The Snyk Kubernetes integration is available for paying customers as part of the Snyk Container product. We have lots of ideas to build upon this initial feature including making the controller more configurable, expanding reporting capabilities, utilizing configuration information to prioritize vulnerabilities and more. Check out the documentation for all the details and let us know what you think!
