Aqua Operator: Automating Security for Kubernetes

Aqua recently developed a Kubernetes Operator that was successfully tested and validated by Red Hat standards for integration and supportability. Before we tell you about our new OpenShift-certified Operator, let’s get some context about what an Operator is.

The Operator Framework

Originally introduced by CoreOS in 2016, an Operator is an application-specific controller that extends the Kubernetes API to automate common tasks that someone like a Site Reliability Engineer would normally manage. This might include creating, configuring, and managing instances of complex applications on Kubernetes. Today, Red Hat and the open source Kubernetes community share the Operator Framework as an open source toolkit designed to help DevOps engineers manage Kubernetes applications in a more effective and scalable way.  

Aqua on the OpenShift Container Platform (OCP)

A while ago, we posted a list of options to help you decide which Kubernetes management platform would be right for you. As one of the most widely used on-premises solutions for managing containers, OCP is based on Kubernetes, but with a variety of added controls that may require a degree of adaptation when moving to, or from, standard Kubernetes distributions. In order to provide a comprehensive and automated layer of security on top of OCP, Aqua has completed rigorous technical validations to become a Red Hat Certified Technology Partner, ensuring that our joint customers can deploy Aqua seamlessly on the OpenShift platform.

Aqua for OpenShift Image Streams

One key differentiator of OCP is that it allows users to leverage “image streams” when building environments using several different registries. Enterprises often pull images from multiple registries when building and deploying their applications. When they do, they still need to track changes in those images for security and compliance reasons. This would add a layer of complexity to development pipelines, since the developer would need to set up an automatic process that constantly scans the images by connecting to each of the different registries that store them.

Thankfully, image streams are an abstraction layer that provides mapping between image stream tags and actual images stored either in the internal OpenShift registry or in any external registry. A single image stream may consist of multiple tags, each of which points to an image from a different registry, making the process of scanning all of them less complicated.

By using image streams instead of regular images when building and deploying applications, developers can build environments that work more efficiently for large and diversified setups. Aqua can be natively deployed in an OpenShift environment to provide vulnerability scanning, thereby leveraging the image streams capability.

The Aqua Security Operator

Aqua recently built a RHEL-based Operator to automate mundane operational duties. This makes the use of Aqua’s Cloud Native Security Platform (CSP), particularly the deployment and scanning pieces, more seamless.

When deploying Aqua CSP, you can leverage the Operator as an alternative to a deployment that uses a Helm chart or large, complicated YAML files. The Operator only requires one YAML file to deploy the Aqua infrastructure components, and another YAML file to deploy Aqua Enforcers in your production environment.

The Aqua Operator can also be configured to manage the Aqua Scanner container and scale it automatically when more resources are needed. You can configure the minimum and maximum number of scanners you would like the Operator to deploy. You can even decide how many images you would like to allocate per scanner. For example, if you have one scanner deployed, 500 images in your scan queue, and your maximum number of scanners is configured to 5, you’ll have 5 Aqua Scanners scaled automatically to scan all 500 images.

Aqua's OpenShift-certified Operator is also available to deploy through the OpenShift console.

Summing Up

Aqua is committed to helping you automate your security operations from development to production. We are extending the capabilities of our Operator, automating security processes in your runtime environment so that you can focus your time on running applications smoothly. Moving forward, the Aqua Operator will allow you to scale Aqua runtime protection components more seamlessly and handle a large number of Aqua Enforcers automatically.

David Lugo

David is a Global Partner Marketing Manager at Aqua Security.