Visualize Workloads
When you deploy the Cisco Panoptica controller on a host or Kubernetes cluster, you gain visibility into all the workloads that are running on the host or cluster. These include workloads with a Panoptica identity, and 'unknown' workloads that do not have an identity. You also see the connections between workloads, and with external applications. You can drill down for additional information about any workload or connection.
After you define Panoptica environments in your clusters and hosts, the workloads are grouped according to the environments in which they are running. This makes it easy to see:
- whether your workloads are running in the correct environments
- unknown, possibly unauthorized, workloads running in your environments
- the communication links between workloads, known and unknown, and whether these are correct in terms of source/destination, and level of traffic.
You can also define runtime policies to govern which workloads are allowed to run in your environments, and with which workloads or environments they are allowed to communicate.
View Workloads
The WORKLOADS view in the Runtime page shows all workloads running on your host or cluster, whether identified by Panoptica, or unidentified. Workloads that are not active (for example, that were blocked from running by a runtime policy) are also shown.
By default, the view shows the workload name, aggregated workload risk, security threats, the environment in which the workload is running, the cluster name, runtime status, workload status (active or inactive), and the time it was last started. It also indicates whether the workload is protected, that is, whether it runs in a namespace in which Panoptica is deployed.
You can customize this view in several ways:
- You can select the time frame of viewed events from the dropdown box in the upper left
- You can filter the results by most of the columns
- You can select which columns are displayed by clicking the Columns button in the upper right
The list of workloads can be exported to Excel, for further review and analysis.
Workload Risk
The Workload Risk is calculated by Panoptica based on the threats and vulnerabilities identified in the workload image. The Security Threats are identified by the following icons:
- Workload is unidentified
- Workload is public-facing, and accessible from the internet
- Workload template has been modified since it was deployed
- Workload has a HIGH or CRITICAL vulnerability
- Security context risk
- Highest dockerfile scan result is FATAL
- Workload is using APIs with HIGH or CRITICAL risk
Red icons indicate a HIGH risk; orange icons are a MEDIUM risk; yellow icons are a LOW risk.
Icons that are grayed out indicate that Panoptica detected no such risk in that workload.
Additional Information
Click on any row to see additional information about that workload.
There are five tabs where you can learn more about the workload you selected.
- Details & Risk – Provides specifics about the workload, including:
  - additional details about the security threats identified in this workload. Click Edit to tell Panoptica to ignore any warnings you want to acknowledge.
  - a list of all licenses in use in the workload's containers.
  - whether the containers and templates in the workload have been identified, according to the CI/CD pipeline and cluster configuration; whether the images came from an approved registry; and whether the sidecars attached to the workload are approved by policy.
- Pod Template – Displays a comparison between the template as it was deployed and the pod as it is actually running
- Security Context – Details the privilege and access control settings of the pod and of each container
- API – Lists the API tokens injected into the workload, and the risk level of all APIs used in the workload
- Licenses – Lists the licenses in use per image
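The Security Context tab and the "Security context risk" icon both refer to the privilege and access-control settings of a pod and its containers. The following is an added example, not Panoptica's own code or scoring logic, showing the kind of settings such a review looks at: it runs over a constructed pod template with weak settings and over the same template hardened. The checks, their severities, the `DANGEROUS_CAPS` list and the image names are assumptions chosen for illustration.

```python
"""Added example (not Panoptica's own code): the privilege and access-control
settings a 'Security Context' review examines, run over a constructed pod spec.

The checks and severities are assumptions chosen for illustration; the page
does not document how Panoptica itself scores security-context risk."""

from typing import Dict, List, Optional, Tuple

# Capabilities that let a process reconfigure or escape the host when added.
# The set is an assumption for this example, not a complete list.
DANGEROUS_CAPS = {"SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE",
                  "NET_ADMIN", "NET_RAW", "DAC_OVERRIDE"}

Finding = Tuple[str, str]  # (severity, message); severity is HIGH, MEDIUM or LOW

# Constructed sample: a pod template with weak settings (image names assumed).
WEAK_POD_SPEC: Dict = {
    "hostPID": True,
    "containers": [
        {"name": "app",
         "image": "registry.example.internal/app:1.2.3",
         "securityContext": {
             "privileged": True,
             "runAsUser": 0,
             "allowPrivilegeEscalation": True,
             "capabilities": {"add": ["SYS_ADMIN", "NET_ADMIN"]}}},
        # A sidecar with no securityContext at all inherits the defaults.
        {"name": "sidecar", "image": "registry.example.internal/proxy:0.9"},
    ],
}

# The same template with the settings corrected.
HARDENED_POD_SPEC: Dict = {
    "hostPID": False,
    "securityContext": {"runAsNonRoot": True, "runAsUser": 10001,
                        "seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [
        {"name": "app",
         "image": "registry.example.internal/app:1.2.3",
         "securityContext": {
             "privileged": False,
             "allowPrivilegeEscalation": False,
             "readOnlyRootFilesystem": True,
             "capabilities": {"drop": ["ALL"]}}},
        {"name": "sidecar",
         "image": "registry.example.internal/proxy:0.9",
         "securityContext": {"allowPrivilegeEscalation": False,
                             "readOnlyRootFilesystem": True,
                             "capabilities": {"drop": ["ALL"]}}},
    ],
}


def security_context_findings(pod_spec: Dict) -> List[Finding]:
    """Return the weak privilege/access-control settings found in a pod spec
    (the 'spec' of a Pod, or 'spec.template.spec' of a Deployment)."""
    findings: List[Finding] = []
    # Host namespace sharing applies to the whole pod.
    for field in ("hostPID", "hostNetwork", "hostIPC"):
        if pod_spec.get(field):
            findings.append(("HIGH", f"pod shares the host {field[4:]} namespace"))
    pod_sc = pod_spec.get("securityContext", {})
    for container in pod_spec.get("containers", []):
        name = container.get("name", "<unnamed>")
        sc = container.get("securityContext", {})
        if sc.get("privileged"):
            findings.append(("HIGH", f"{name}: privileged container"))
        # When allowPrivilegeEscalation is unset, escalation is permitted.
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(("MEDIUM", f"{name}: privilege escalation allowed"))
        # Container-level settings override the pod-level ones.
        uid = sc.get("runAsUser", pod_sc.get("runAsUser"))
        non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False))
        if uid == 0 or (uid is None and not non_root):
            findings.append(("HIGH", f"{name}: may run as root (uid 0)"))
        for cap in sc.get("capabilities", {}).get("add", []):
            if cap.upper() in DANGEROUS_CAPS:
                findings.append(("HIGH", f"{name}: adds capability {cap}"))
        if not sc.get("readOnlyRootFilesystem", False):
            findings.append(("LOW", f"{name}: writable root filesystem"))
    return findings


_ORDER = {"HIGH": 3, "MEDIUM": 2, "LOW": 1}


def highest_severity(findings: List[Finding]) -> Optional[str]:
    """Aggregate a list of findings into a single risk level, or None."""
    return max((sev for sev, _ in findings), key=_ORDER.__getitem__, default=None)


if __name__ == "__main__":
    for label, spec in (("weak", WEAK_POD_SPEC), ("hardened", HARDENED_POD_SPEC)):
        found = security_context_findings(spec)
        print(f"{label}: overall {highest_severity(found)}")
        for sev, msg in found:
            print(f"  [{sev}] {msg}")
```

Note that the sidecar without any `securityContext` still produces findings: privilege escalation and a writable root filesystem are the defaults, and with no pod-level `runAsNonRoot` the container may start as uid 0. This is why a review must look at every container in the template, including injected sidecars, rather than only the application container.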