Visualize Workloads

When you deploy the Cisco Panoptica controller on a host or Kubernetes cluster, you gain visibility into all the workloads that are running on the host or cluster. These include workloads with a Panoptica identity, and 'unknown' workloads that do not have an identity. You also see the connections between workloads, and with external applications. You can drill down for additional information about any workload or connection.

After you define Panoptica environments in your clusters and hosts, the workloads are grouped according to the environments in which they are running. This makes it easy to see the following:

  • whether your workloads are running in the correct environments
  • unknown, possibly unauthorized, workloads running in your environments
  • the communication links between workloads, known and unknown, and whether these are correct in terms of source/destination, and level of traffic.

You can also define runtime policies to govern which workloads are allowed to run in your environments, and with which workloads or environments they are allowed to communicate.

View Workloads

The Workload view in the Runtime page shows workloads running on your environments. It shows all workloads running on the host or cluster, whether identified by Panoptica, or unidentified. Workloads that are not active (for example, that were blocked from running by a runtime policy) are also shown.

The view shows, by default, the workload, the environment in which it is running, the risk (from the environment), the runtime status, the workload status (active or inactive), and the time it was last seen (detected) in the environment. It also indicates if the workload is protected, that is, the workload is in a namespace that has Panoptica deployed on it. You can configure the columns which are displayed (click on the Columns symbol, in the upper right).

The view shows workloads detected within a configurable period of time. The default period is the last 5 minutes (from the current time). You can select a larger period (up to one week), or a date range.

You can filter the view to show only workloads that violated a runtime policy. These workloads could be active, if not blocked by a policy, or stopped, if blocked by a policy.

You can also filter the view according to any of the columns in the table.

Workload Risk

The Workload view shows the overall Workload Risk for the workload. This is calculated by Panoptica based on the vulnerabilities in the workload image (which can also be viewed in the Risk Assessment page), permissions issues (Cluster RBAC risks), and PSP profile issues.

Security Threats

The Workload view shows a summary of Security Threats for the workload. Symbols in the view indicate the following threat types:

  • Vulnerabilities - the highest vulnerability severity detected in the workload image
  • Permissions issues - see Cluster RBAC risks
  • Exposure to the internet (public-facing) - the workload can be accessed from the internet
  • Workload differences - the workload pod template configuration was changed since it was deployed on the cluster
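The following Python example, added here and not part of the Panoptica product or its documentation, models the Workload view described above: it derives the four Security Threat indicators from constructed workload records, computes a Workload Risk from the three inputs the page names (image vulnerabilities, Cluster RBAC risks, PSP issues), and applies the time-window filter (default last 5 minutes) and the "violated a runtime policy" filter. The scoring weights, field names, sample workloads and pod templates are all assumptions for illustration; Panoptica's actual risk formula is not published on this page. Template drift is detected by comparing canonical SHA-256 digests of the deployed and runtime pod templates, which generalizes the "workload differences" indicator to any field of the template.

```python
"""Constructed model of the Runtime > Workload view (example code, not Panoptica's own).

All records, weights and field names are assumptions made for this illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import hashlib
import json

# Ranking used to pick the single highest severity to display (assumed scale).
SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1}


@dataclass
class Workload:
    name: str
    environment: str
    last_seen: datetime
    identified: bool            # has a Panoptica identity, otherwise 'unknown'
    active: bool                # False when the workload was blocked by a runtime policy
    violated_policy: bool
    public_facing: bool         # reachable from the internet
    vulnerabilities: list       # severities found in the image, e.g. ["HIGH", "LOW"]
    rbac_risks: list            # Cluster RBAC findings (free-text labels)
    psp_issues: list            # PSP profile findings (free-text labels)
    deployed_template: dict     # pod template as deployed (what the POD tab shows)
    runtime_template: dict      # pod template observed at runtime (RUNTIME tab)


def template_digest(template: dict) -> str:
    """Canonical SHA-256 of a pod template so drift reduces to a digest comparison."""
    canonical = json.dumps(template, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def highest_severity(severities):
    """Return the highest severity label present, or None when the image is clean."""
    if not severities:
        return None
    return max(severities, key=lambda s: SEVERITY_RANK.get(s.upper(), 0)).upper()


def threat_indicators(w: Workload) -> dict:
    """The four Security Threat indicators listed for the Workload view."""
    return {
        "vulnerabilities": highest_severity(w.vulnerabilities),
        "permissions_issues": bool(w.rbac_risks),
        "public_facing": w.public_facing,
        "workload_differences": template_digest(w.deployed_template)
        != template_digest(w.runtime_template),
    }


def risk_score(w: Workload) -> int:
    """Assumed additive weighting of the three risk inputs named on the page."""
    sev = highest_severity(w.vulnerabilities)
    score = SEVERITY_RANK[sev] * 10 if sev else 0
    score += 5 * len(w.rbac_risks)
    score += 3 * len(w.psp_issues)
    return score


def filter_workloads(workloads, now, window=timedelta(minutes=5), violations_only=False):
    """Keep workloads seen within `window` (default: last 5 minutes), optionally only violators."""
    return [
        w for w in workloads
        if now - w.last_seen <= window and (not violations_only or w.violated_policy)
    ]


def build_table(workloads, now, **filters):
    """Rows in the shape of the default Workload view columns."""
    return [
        {
            "workload": w.name,
            "environment": w.environment,
            "risk": risk_score(w),
            "status": "active" if w.active else "inactive",
            "identity": "identified" if w.identified else "unknown",
            "last_seen": w.last_seen.isoformat(),
            "threats": threat_indicators(w),
        }
        for w in filter_workloads(workloads, now, **filters)
    ]


# Constructed sample data: a fixed "now" and three workloads in two environments.
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
BASE_TEMPLATE = {"image": "registry.example/api:1.4", "labels": {"app": "api"}}
SAMPLE_WORKLOADS = [
    # Identified, internet-facing, HIGH vulnerability plus one RBAC finding.
    Workload("api", "prod", NOW - timedelta(minutes=1), True, True, False, True,
             ["LOW", "HIGH"], ["cluster-admin binding"], [], BASE_TEMPLATE, BASE_TEMPLATE),
    # Unknown workload blocked by a runtime policy; runtime template gained hostPID.
    Workload("debug-shell", "prod", NOW - timedelta(minutes=3), False, False, True, False,
             [], [], ["privileged"], BASE_TEMPLATE,
             {"image": "registry.example/api:1.4", "labels": {"app": "api"}, "hostPID": True}),
    # Last seen two hours ago, so outside the default 5-minute window.
    Workload("batch", "dev", NOW - timedelta(hours=2), True, True, False, False,
             ["MEDIUM"], [], [], BASE_TEMPLATE, BASE_TEMPLATE),
]

if __name__ == "__main__":
    for row in build_table(SAMPLE_WORKLOADS, NOW, window=timedelta(days=7)):
        print(row)
```

Widening the window to a week (as the view allows) brings the `batch` workload back into the table; the `violations_only` flag reproduces the "violated a runtime policy" filter, and the drift indicator fires on `debug-shell` because its runtime template differs from the deployed one.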

Workload Information

Click on the name of a workload (left-most column) to show more detail.

The tabs have additional details about the workload:

  • RISK - this summarizes the risks detected in the workload (it explains the Workload Risk and Security Threat indicators shown for the workload in the main Workload page)
  • POD - this shows deployment details for the pod, including the image name and labels
  • RUNTIME - this shows runtime details for the pod (if the pod template was not changed after deployment, this should be the same as the POD tab)
  • PSP - this shows the effective Pod Security Policy attributes for the pod
  • IDENTIFICATION - this shows where the workload was identified by Panoptica. This is typically upstream, in the CI/CD pipeline. It also indicates changes to the workload template since it was deployed (explaining the Security Threat indication). If the workload is unidentified, this is indicated here.

View Namespaces

The Namespaces view shows all the Kubernetes namespaces in your environments. These include Protected namespaces, in which the controller is deployed (this is selected in the deployment process), and Unprotected namespaces, in which the controller is not deployed. The view also shows the number of pods running in each namespace.

Symbols

The Workload tab uses a distinct symbol to indicate the status of each workload:

  • Known workload (pod)
  • Unknown workload
  • Expansion workload