Aqua Blog

Automating Configuration Auditing with Starboard Operator By Aqua

Back in November 2020, we introduced the Starboard Operator, which automates vulnerability scanning in a Kubernetes environment. We’re now pleased to announce the latest release, v0.9, which adds configuration auditing using Polaris. This means that the Operator can automatically check for weaknesses in the way your Kubernetes workloads are configured, as well as scan their images for vulnerabilities.

Following Configuration Best Practices

Running configuration audits with Polaris or a similar tool tells you which workloads inside a cluster do not conform to best practices. These audits include security checks, such as identifying containers configured to run as root, which makes privilege escalation easier if the container is compromised. Efficiency checks ensure that CPU and memory requests and limits are set, so that Kubernetes can schedule workloads effectively and so that a single misbehaving or compromised workload cannot exhaust a node's resources and deny service to its neighbours. Finally, reliability checks help to make sure that workloads are always available, healthy, and running the intended container images.
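To make the three categories concrete, here is a small auditor that applies checks of the same kind to a Deployment manifest. This is an added example written for this post, not Starboard's or Polaris's own code: the check IDs, severities and the two constructed manifests (a weak one and a hardened one) are illustrative and do not correspond to Polaris's real check catalogue. Manifests are plain Python dicts so the script runs without a YAML library.

```python
"""Illustrative configuration auditor (added example, not Starboard/Polaris code)."""
from typing import Dict, List, Optional

Finding = Dict[str, str]


def _finding(check_id: str, category: str, severity: str, container: str, message: str) -> Finding:
    return {"checkID": check_id, "category": category, "severity": severity,
            "container": container, "message": message}


def _image_tag(image: str) -> Optional[str]:
    """Tag (or digest) of an image reference, or None if untagged. Only the last
    path segment is inspected so a registry port (host:5000/app) is not read as a tag."""
    last = image.rsplit("/", 1)[-1]
    if "@" in last:  # pinned by digest, which is at least as good as a tag
        return last.split("@", 1)[1]
    return last.split(":", 1)[1] if ":" in last else None


def _audit_container(c: dict, pod_sc: dict, is_init: bool) -> List[Finding]:
    name, sc, out = c["name"], c.get("securityContext", {}), []

    # Security: a container-level securityContext overrides the pod-level one.
    non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False))
    uid = sc.get("runAsUser", pod_sc.get("runAsUser"))
    if not non_root and not (uid and uid > 0):
        out.append(_finding("runAsRootAllowed", "Security", "danger", name,
                            "set runAsNonRoot: true or a non-zero runAsUser"))
    if sc.get("privileged", False):
        out.append(_finding("privilegedContainer", "Security", "danger", name,
                            "privileged: true grants host-level access"))
    if sc.get("allowPrivilegeEscalation", True):  # Kubernetes default is true
        out.append(_finding("privilegeEscalationAllowed", "Security", "warning", name,
                            "set allowPrivilegeEscalation: false"))

    # Efficiency: without requests/limits one workload can starve a node.
    res = c.get("resources", {})
    for kind in ("requests", "limits"):
        for resource in ("cpu", "memory"):
            if resource not in res.get(kind, {}):
                out.append(_finding(f"{resource}{kind.capitalize()}Missing", "Efficiency",
                                    "warning", name, f"resources.{kind}.{resource} is not set"))

    # Reliability: mutable image tags and missing health probes.
    if _image_tag(c["image"]) in (None, "latest"):
        out.append(_finding("tagNotSpecified", "Reliability", "danger", name,
                            "pin the image to an immutable tag or digest"))
    if not is_init:  # init containers cannot have probes
        for probe in ("livenessProbe", "readinessProbe"):
            if probe not in c:
                out.append(_finding(f"{probe}Missing", "Reliability", "warning", name,
                                    f"{probe} is not defined"))
    return out


def audit_workload(workload: dict) -> List[Finding]:
    """Audit every container of an object that has spec.template.spec (Deployment,
    StatefulSet, DaemonSet, ...) and return the failing checks."""
    pod = workload["spec"]["template"]["spec"]
    pod_sc = pod.get("securityContext", {})
    findings: List[Finding] = []
    for c in pod.get("initContainers", []):
        findings += _audit_container(c, pod_sc, is_init=True)
    for c in pod.get("containers", []):
        findings += _audit_container(c, pod_sc, is_init=False)
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per severity, the way a report summary would."""
    counts = {"danger": 0, "warning": 0}
    for f in findings:
        counts[f["severity"]] += 1
    return counts


# Constructed sample manifests for this example; the image names are made up.
WEAK_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "web"},
    "spec": {"template": {"spec": {"containers": [
        {"name": "web", "image": "example.com/web:latest"}]}}},
}
HARDENED_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "web"},
    "spec": {"template": {"spec": {
        "securityContext": {"runAsNonRoot": True, "runAsUser": 10001},
        "containers": [{
            "name": "web", "image": "example.com/web:1.4.2",
            "securityContext": {"allowPrivilegeEscalation": False},
            "resources": {"requests": {"cpu": "100m", "memory": "128Mi"},
                          "limits": {"cpu": "500m", "memory": "256Mi"}},
            "livenessProbe": {"httpGet": {"path": "/healthz", "port": 8080}},
            "readinessProbe": {"httpGet": {"path": "/ready", "port": 8080}}}]}}},
}

if __name__ == "__main__":
    for label, wl in (("weak", WEAK_DEPLOYMENT), ("hardened", HARDENED_DEPLOYMENT)):
        found = audit_workload(wl)
        print(label, summarize(found))
        for f in found:
            print(f"  [{f['severity']}] {f['category']}/{f['checkID']} ({f['container']}): {f['message']}")
```

The weak manifest trips every check (2 danger, 7 warning findings); the hardened one passes cleanly. Note how the root check consults both the pod-level and the container-level securityContext, since a container can override what the pod sets, and how the image-tag parser inspects only the last path segment so that a registry port is not mistaken for a tag.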

Below we’ve embedded a video that shows how the Starboard Operator automatically schedules both a vulnerability scan and a configuration audit when a new application Deployment is created or modified. The resulting reports are stored as Kubernetes custom resources (VulnerabilityReport and ConfigAuditReport), so they are persisted by the API server in etcd like any other object and are subject to the cluster's usual RBAC. From there the reports can be read with kubectl, or in Kubernetes IDEs such as Octant or Lens, for which we provide extensions (check out our video introducing the Lens Extension for Starboard).

Going Forward

Currently, Polaris performs security, efficiency, and reliability checks only on Kubernetes workloads. We’re looking to extend this functionality to other built-in Kubernetes objects such as Services, Secrets, ConfigMaps, etc. Our plans also include integrating kube-bench with the operator to automatically run the CIS Kubernetes Benchmark on nodes as they are added to a cluster. We’re always looking for feedback from our users, so please give the Starboard Operator a try and let us know what you think. The operator can be installed with kubectl, Helm, or OLM, as explained in the installation guides.

In a future blog post, we’ll talk about how you can set up Starboard to use Trivy in client/server mode and why that’s a great approach for scanning vulnerabilities at scale.

Daniel Pacak
Daniel Pacak is an Open Source Engineer at Aqua Security. He works on Kubernetes and container security related projects, while also taking part in maintaining Harbor, a CNCF project.