[](https://www.paloaltonetworks.com/?ts=markdown) * Sign In * Customer * Partner * Employee * [Login to download](https://www.paloaltonetworks.com/login?ts=markdown) * [Join us to become a member](https://www.paloaltonetworks.com/login?screenToRender=traditionalRegistration&ts=markdown) * EN * [USA (ENGLISH)](https://www.paloaltonetworks.com) * [AUSTRALIA (ENGLISH)](https://www.paloaltonetworks.com.au) * [BRAZIL (PORTUGUÉS)](https://www.paloaltonetworks.com.br) * [CANADA (ENGLISH)](https://www.paloaltonetworks.ca) * [CHINA (简体中文)](https://www.paloaltonetworks.cn) * [FRANCE (FRANÇAIS)](https://www.paloaltonetworks.fr) * [GERMANY (DEUTSCH)](https://www.paloaltonetworks.de) * [INDIA (ENGLISH)](https://www.paloaltonetworks.in) * [ITALY (ITALIANO)](https://www.paloaltonetworks.it) * [JAPAN (日本語)](https://www.paloaltonetworks.jp) * [KOREA (한국어)](https://www.paloaltonetworks.co.kr) * [LATIN AMERICA (ESPAÑOL)](https://www.paloaltonetworks.lat) * [MEXICO (ESPAÑOL)](https://www.paloaltonetworks.com.mx) * [SINGAPORE (ENGLISH)](https://www.paloaltonetworks.sg) * [SPAIN (ESPAÑOL)](https://www.paloaltonetworks.es) * [TAIWAN (繁體中文)](https://www.paloaltonetworks.tw) * [UK (ENGLISH)](https://www.paloaltonetworks.co.uk) * ![magnifying glass search icon to open search field](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/search-black.svg) * [Contact Us](https://www.paloaltonetworks.com/company/contact-sales?ts=markdown) * [What's New](https://www.paloaltonetworks.com/resources?ts=markdown) * [Get Support](https://support.paloaltonetworks.com/SupportAccount/MyAccount) * [Under Attack?](https://start.paloaltonetworks.com/contact-unit42.html) ![x close icon to close mobile navigation](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/x-black.svg) [![Palo Alto Networks logo](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/pan-logo-dark.svg)](https://www.paloaltonetworks.com/?ts=markdown) ![magnifying glass search icon to open search field](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/search-black.svg) * [](https://www.paloaltonetworks.com/?ts=markdown) * Products ![black arrow pointing left to go back to main navigation](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/arrow-right-black.svg) Products [AI-Powered Network Security Platform](https://www.paloaltonetworks.com/network-security?ts=markdown) * [AI Security](https://www.paloaltonetworks.com/precision-ai-security/secure-ai-by-design?ts=markdown) * [Prisma AIRS](https://www.paloaltonetworks.com/prisma/prisma-ai-runtime-security?ts=markdown) * [AI Access Security](https://www.paloaltonetworks.com/sase/ai-access-security?ts=markdown) * [Cloud Delivered Security Services](https://www.paloaltonetworks.com/network-security/security-subscriptions?ts=markdown) * [Advanced Threat Prevention](https://www.paloaltonetworks.com/network-security/advanced-threat-prevention?ts=markdown) * [Advanced URL Filtering](https://www.paloaltonetworks.com/network-security/advanced-url-filtering?ts=markdown) * [Advanced WildFire](https://www.paloaltonetworks.com/network-security/advanced-wildfire?ts=markdown) * [Advanced DNS Security](https://www.paloaltonetworks.com/network-security/advanced-dns-security?ts=markdown) * [Enterprise Data Loss Prevention](https://www.paloaltonetworks.com/sase/enterprise-data-loss-prevention?ts=markdown) * [Enterprise Device Security](https://www.paloaltonetworks.com/network-security/enterprise-device-security?ts=markdown) * [Medical Device Security](https://www.paloaltonetworks.com/network-security/medical-device-security?ts=markdown) * [OT Device Security](https://www.paloaltonetworks.com/network-security/ot-device-security?ts=markdown) * [SaaS Security](https://www.paloaltonetworks.com/sase/saas-security?ts=markdown) * [Next-Generation Firewalls](https://www.paloaltonetworks.com/network-security/next-generation-firewall?ts=markdown) * [Hardware Firewalls](https://www.paloaltonetworks.com/network-security/hardware-firewall-innovations?ts=markdown) * [Software Firewalls](https://www.paloaltonetworks.com/network-security/software-firewalls?ts=markdown) * [Strata Cloud Manager](https://www.paloaltonetworks.com/network-security/strata-cloud-manager?ts=markdown) * [SD-WAN for NGFW](https://www.paloaltonetworks.com/network-security/sd-wan-subscription?ts=markdown) * [PAN-OS](https://www.paloaltonetworks.com/network-security/pan-os?ts=markdown) * [Panorama](https://www.paloaltonetworks.com/network-security/panorama?ts=markdown) * [Secure Access Service Edge](https://www.paloaltonetworks.com/sase?ts=markdown) * [Prisma SASE](https://www.paloaltonetworks.com/sase?ts=markdown) * [Application Acceleration](https://www.paloaltonetworks.com/sase/app-acceleration?ts=markdown) * [Autonomous Digital Experience Management](https://www.paloaltonetworks.com/sase/adem?ts=markdown) * [Enterprise DLP](https://www.paloaltonetworks.com/sase/enterprise-data-loss-prevention?ts=markdown) * [Prisma Access](https://www.paloaltonetworks.com/sase/access?ts=markdown) * [Prisma Browser](https://www.paloaltonetworks.com/sase/prisma-browser?ts=markdown) * [Prisma SD-WAN](https://www.paloaltonetworks.com/sase/sd-wan?ts=markdown) * [Remote Browser Isolation](https://www.paloaltonetworks.com/sase/remote-browser-isolation?ts=markdown) * [SaaS Security](https://www.paloaltonetworks.com/sase/saas-security?ts=markdown) [AI-Driven Security Operations Platform](https://www.paloaltonetworks.com/cortex?ts=markdown) * [Cloud Security](https://www.paloaltonetworks.com/cortex/cloud?ts=markdown) * [Cortex Cloud](https://www.paloaltonetworks.com/cortex/cloud?ts=markdown) * [Application Security](https://www.paloaltonetworks.com/cortex/cloud/application-security?ts=markdown) * [Cloud Posture Security](https://www.paloaltonetworks.com/cortex/cloud/cloud-posture-security?ts=markdown) * [Cloud Runtime Security](https://www.paloaltonetworks.com/cortex/cloud/runtime-security?ts=markdown) * [Prisma Cloud](https://www.paloaltonetworks.com/prisma/cloud?ts=markdown) * [AI-Driven SOC](https://www.paloaltonetworks.com/cortex?ts=markdown) * [Cortex XSIAM](https://www.paloaltonetworks.com/cortex/cortex-xsiam?ts=markdown) * [Cortex XDR](https://www.paloaltonetworks.com/cortex/cortex-xdr?ts=markdown) * [Cortex AgentiX](https://www.paloaltonetworks.com/cortex/agentix?ts=markdown) * [Cortex XSOAR](https://www.paloaltonetworks.com/cortex/cortex-xsoar?ts=markdown) * [Cortex Exposure Management](https://www.paloaltonetworks.com/cortex/exposure-management?ts=markdown) * [Cortex Xpanse](https://www.paloaltonetworks.com/cortex/cortex-xpanse?ts=markdown) * [Cortex Advanced Email Security](https://www.paloaltonetworks.com/cortex/advanced-email-security?ts=markdown) * [Unit 42 Managed Detection \& Response](https://www.paloaltonetworks.com/cortex/managed-detection-and-response?ts=markdown) * [Unit 42 Managed XSIAM](https://www.paloaltonetworks.com/cortex/managed-xsiam?ts=markdown) * Solutions ![black arrow pointing left to go back to main navigation](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/arrow-right-black.svg) Solutions Secure AI by Design * [Secure AI Ecosystem](https://www.paloaltonetworks.com/prisma/prisma-ai-runtime-security?ts=markdown) * [Secure GenAI Usage](https://www.paloaltonetworks.com/sase/ai-access-security?ts=markdown) Network Security * [Cloud Network Security](https://www.paloaltonetworks.com/network-security/software-firewalls?ts=markdown) * [Data Center Security](https://www.paloaltonetworks.com/network-security/data-center?ts=markdown) * [DNS Security](https://www.paloaltonetworks.com/network-security/advanced-dns-security?ts=markdown) * [Intrusion Detection and Prevention](https://www.paloaltonetworks.com/network-security/advanced-threat-prevention?ts=markdown) * [Device Security](https://www.paloaltonetworks.com/network-security/device-security?ts=markdown) * [OT Security](https://www.paloaltonetworks.com/network-security/ot-device-security?ts=markdown) * [5G Security](https://www.paloaltonetworks.com/network-security/5g-security?ts=markdown) * [Secure All Apps, Users and Locations](https://www.paloaltonetworks.com/sase/secure-users-data-apps-devices?ts=markdown) * [Secure Branch Transformation](https://www.paloaltonetworks.com/sase/secure-branch-transformation?ts=markdown) * [Secure Work on Any Device](https://www.paloaltonetworks.com/sase/secure-work-on-any-device?ts=markdown) * [VPN Replacement](https://www.paloaltonetworks.com/sase/vpn-replacement-for-secure-remote-access?ts=markdown) * [Web \& Phishing Security](https://www.paloaltonetworks.com/network-security/advanced-url-filtering?ts=markdown) Cloud Security * [Application Security Posture Management (ASPM)](https://www.paloaltonetworks.com/cortex/cloud/application-security-posture-management?ts=markdown) * [Software Supply Chain Security](https://www.paloaltonetworks.com/cortex/cloud/software-supply-chain-security?ts=markdown) * [Code Security](https://www.paloaltonetworks.com/cortex/cloud/code-security?ts=markdown) * [Cloud Security Posture Management (CSPM)](https://www.paloaltonetworks.com/cortex/cloud/cloud-security-posture-management?ts=markdown) * [Cloud Infrastructure Entitlement Management (CIEM)](https://www.paloaltonetworks.com/cortex/cloud/cloud-infrastructure-entitlement-management?ts=markdown) * [Data Security Posture Management (DSPM)](https://www.paloaltonetworks.com/cortex/cloud/data-security-posture-management?ts=markdown) * [AI Security Posture Management (AI-SPM)](https://www.paloaltonetworks.com/cortex/cloud/ai-security-posture-management?ts=markdown) * [Cloud Detection \& Response](https://www.paloaltonetworks.com/cortex/cloud-detection-and-response?ts=markdown) * [Cloud Workload Protection (CWP)](https://www.paloaltonetworks.com/cortex/cloud/cloud-workload-protection?ts=markdown) * [Web Application \& API Security (WAAS)](https://www.paloaltonetworks.com/cortex/cloud/web-app-api-security?ts=markdown) Security Operations * [Cloud Detection \& Response](https://www.paloaltonetworks.com/cortex/cloud-detection-and-response?ts=markdown) * [Security Information and Event Management](https://www.paloaltonetworks.com/cortex/modernize-siem?ts=markdown) * [Network Security Automation](https://www.paloaltonetworks.com/cortex/network-security-automation?ts=markdown) * [Incident Case Management](https://www.paloaltonetworks.com/cortex/incident-case-management?ts=markdown) * [SOC Automation](https://www.paloaltonetworks.com/cortex/security-operations-automation?ts=markdown) * [Threat Intel Management](https://www.paloaltonetworks.com/cortex/threat-intel-management?ts=markdown) * [Managed Detection \& Response](https://www.paloaltonetworks.com/cortex/managed-detection-and-response?ts=markdown) * [Attack Surface Management](https://www.paloaltonetworks.com/cortex/cortex-xpanse/attack-surface-management?ts=markdown) * [Compliance Management](https://www.paloaltonetworks.com/cortex/cortex-xpanse/compliance-management?ts=markdown) * [Internet Operations Management](https://www.paloaltonetworks.com/cortex/cortex-xpanse/internet-operations-management?ts=markdown) * [Extended Data Lake (XDL)](https://www.paloaltonetworks.com/cortex/cortex-xdl?ts=markdown) * [Agentic Assistant](https://www.paloaltonetworks.com/cortex/cortex-agentic-assistant?ts=markdown) Endpoint Security * [Endpoint Protection](https://www.paloaltonetworks.com/cortex/endpoint-protection?ts=markdown) * [Extended Detection \& Response](https://www.paloaltonetworks.com/cortex/detection-and-response?ts=markdown) * [Ransomware Protection](https://www.paloaltonetworks.com/cortex/ransomware-protection?ts=markdown) * [Digital Forensics](https://www.paloaltonetworks.com/cortex/digital-forensics?ts=markdown) [Industries](https://www.paloaltonetworks.com/industry?ts=markdown) * [Public Sector](https://www.paloaltonetworks.com/industry/public-sector?ts=markdown) * [Financial Services](https://www.paloaltonetworks.com/industry/financial-services?ts=markdown) * [Manufacturing](https://www.paloaltonetworks.com/industry/manufacturing?ts=markdown) * [Healthcare](https://www.paloaltonetworks.com/industry/healthcare?ts=markdown) * [Small \& Medium Business Solutions](https://www.paloaltonetworks.com/industry/small-medium-business-portfolio?ts=markdown) * Services ![black arrow pointing left to go back to main navigation](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/arrow-right-black.svg) Services [Threat Intel and Incident Response Services](https://www.paloaltonetworks.com/unit42?ts=markdown) * [Assess](https://www.paloaltonetworks.com/unit42/assess?ts=markdown) * [AI Security Assessment](https://www.paloaltonetworks.com/unit42/assess/ai-security-assessment?ts=markdown) * [Attack Surface Assessment](https://www.paloaltonetworks.com/unit42/assess/attack-surface-assessment?ts=markdown) * [Breach Readiness Review](https://www.paloaltonetworks.com/unit42/assess/breach-readiness-review?ts=markdown) * [BEC Readiness Assessment](https://www.paloaltonetworks.com/bec-readiness-assessment?ts=markdown) * [Cloud Security Assessment](https://www.paloaltonetworks.com/unit42/assess/cloud-security-assessment?ts=markdown) * [Compromise Assessment](https://www.paloaltonetworks.com/unit42/assess/compromise-assessment?ts=markdown) * [Cyber Risk Assessment](https://www.paloaltonetworks.com/unit42/assess/cyber-risk-assessment?ts=markdown) * [M\&A Cyber Due Diligence](https://www.paloaltonetworks.com/unit42/assess/mergers-acquisitions-cyber-due-diligence?ts=markdown) * [Penetration Testing](https://www.paloaltonetworks.com/unit42/assess/penetration-testing?ts=markdown) * [Purple Team Exercises](https://www.paloaltonetworks.com/unit42/assess/purple-teaming?ts=markdown) * [Ransomware Readiness Assessment](https://www.paloaltonetworks.com/unit42/assess/ransomware-readiness-assessment?ts=markdown) * [SOC Assessment](https://www.paloaltonetworks.com/unit42/assess/soc-assessment?ts=markdown) * [Supply Chain Risk Assessment](https://www.paloaltonetworks.com/unit42/assess/supply-chain-risk-assessment?ts=markdown) * [Tabletop Exercises](https://www.paloaltonetworks.com/unit42/assess/tabletop-exercise?ts=markdown) * [Unit 42 Retainer](https://www.paloaltonetworks.com/unit42/retainer?ts=markdown) * [Respond](https://www.paloaltonetworks.com/unit42/respond?ts=markdown) * [Cloud Incident Response](https://www.paloaltonetworks.com/unit42/respond/cloud-incident-response?ts=markdown) * [Digital Forensics](https://www.paloaltonetworks.com/unit42/respond/digital-forensics?ts=markdown) * [Incident Response](https://www.paloaltonetworks.com/unit42/respond/incident-response?ts=markdown) * [Managed Detection and Response](https://www.paloaltonetworks.com/unit42/respond/managed-detection-response?ts=markdown) * [Managed Threat Hunting](https://www.paloaltonetworks.com/unit42/respond/managed-threat-hunting?ts=markdown) * [Managed XSIAM](https://www.paloaltonetworks.com/cortex/managed-xsiam?ts=markdown) * [Unit 42 Retainer](https://www.paloaltonetworks.com/unit42/retainer?ts=markdown) * [Transform](https://www.paloaltonetworks.com/unit42/transform?ts=markdown) * [IR Plan Development and Review](https://www.paloaltonetworks.com/unit42/transform/incident-response-plan-development-review?ts=markdown) * [Security Program Design](https://www.paloaltonetworks.com/unit42/transform/security-program-design?ts=markdown) * [Virtual CISO](https://www.paloaltonetworks.com/unit42/transform/vciso?ts=markdown) * [Zero Trust Advisory](https://www.paloaltonetworks.com/unit42/transform/zero-trust-advisory?ts=markdown) [Global Customer Services](https://www.paloaltonetworks.com/services?ts=markdown) * [Education \& Training](https://www.paloaltonetworks.com/services/education?ts=markdown) * [Professional Services](https://www.paloaltonetworks.com/services/consulting?ts=markdown) * [Success Tools](https://www.paloaltonetworks.com/services/customer-success-tools?ts=markdown) * [Support Services](https://www.paloaltonetworks.com/services/solution-assurance?ts=markdown) * [Customer Success](https://www.paloaltonetworks.com/services/customer-success?ts=markdown) [![](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/logo-unit-42.svg) UNIT 42 RETAINER Custom-built to fit your organization's needs, you can choose to allocate your retainer hours to any of our offerings, including proactive cyber risk management services. Learn how you can put the world-class Unit 42 Incident Response team on speed dial. Learn more](https://www.paloaltonetworks.com/unit42/retainer?ts=markdown) * Partners ![black arrow pointing left to go back to main navigation](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/arrow-right-black.svg) Partners NextWave Partners * [NextWave Partner Community](https://www.paloaltonetworks.com/partners?ts=markdown) * [Cloud Service Providers](https://www.paloaltonetworks.com/partners/nextwave-for-csp?ts=markdown) * [Global Systems Integrators](https://www.paloaltonetworks.com/partners/nextwave-for-gsi?ts=markdown) * [Technology Partners](https://www.paloaltonetworks.com/partners/technology-partners?ts=markdown) * [Service Providers](https://www.paloaltonetworks.com/partners/service-providers?ts=markdown) * [Solution Providers](https://www.paloaltonetworks.com/partners/nextwave-solution-providers?ts=markdown) * [Managed Security Service Providers](https://www.paloaltonetworks.com/partners/managed-security-service-providers?ts=markdown) * [XMDR Partners](https://www.paloaltonetworks.com/partners/managed-security-service-providers/xmdr?ts=markdown) Take Action * [Portal Login](https://www.paloaltonetworks.com/partners/nextwave-partner-portal?ts=markdown) * [Managed Services Program](https://www.paloaltonetworks.com/partners/managed-security-services-provider-program?ts=markdown) * [Become a Partner](https://paloaltonetworks.my.site.com/NextWavePartnerProgram/s/partnerregistration?type=becomepartner) * [Request Access](https://paloaltonetworks.my.site.com/NextWavePartnerProgram/s/partnerregistration?type=requestaccess) * [Find a Partner](https://paloaltonetworks.my.site.com/NextWavePartnerProgram/s/partnerlocator) [CYBERFORCE CYBERFORCE represents the top 1% of partner engineers trusted for their security expertise. Learn more](https://www.paloaltonetworks.com/cyberforce?ts=markdown) * Company ![black arrow pointing left to go back to main navigation](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/arrow-right-black.svg) Company Palo Alto Networks * [About Us](https://www.paloaltonetworks.com/about-us?ts=markdown) * [Management Team](https://www.paloaltonetworks.com/about-us/management?ts=markdown) * [Investor Relations](https://investors.paloaltonetworks.com) * [Locations](https://www.paloaltonetworks.com/about-us/locations?ts=markdown) * [Ethics \& Compliance](https://www.paloaltonetworks.com/company/ethics-and-compliance?ts=markdown) * [Corporate Responsibility](https://www.paloaltonetworks.com/about-us/corporate-responsibility?ts=markdown) * [Military \& Veterans](https://jobs.paloaltonetworks.com/military) [Why Palo Alto Networks?](https://www.paloaltonetworks.com/why-paloaltonetworks?ts=markdown) * [Precision AI Security](https://www.paloaltonetworks.com/precision-ai-security?ts=markdown) * [Our Platform Approach](https://www.paloaltonetworks.com/why-paloaltonetworks/platformization?ts=markdown) * [Accelerate Your Cybersecurity Transformation](https://www.paloaltonetworks.com/why-paloaltonetworks/nam-cxo-portfolio?ts=markdown) * [Awards \& Recognition](https://www.paloaltonetworks.com/about-us/awards?ts=markdown) * [Customer Stories](https://www.paloaltonetworks.com/customers?ts=markdown) * [Global Certifications](https://www.paloaltonetworks.com/legal-notices/trust-center/compliance?ts=markdown) * [Trust 360 Program](https://www.paloaltonetworks.com/resources/whitepapers/trust-360?ts=markdown) Careers * [Overview](https://jobs.paloaltonetworks.com/) * [Culture \& Benefits](https://jobs.paloaltonetworks.com/en/culture/) [A Newsweek Most Loved Workplace "Businesses that do right by their employees" Read more](https://www.paloaltonetworks.com/company/press/2021/palo-alto-networks-secures-top-ranking-on-newsweek-s-most-loved-workplaces-list-for-2021?ts=markdown) * More ![black arrow pointing left to go back to main navigation](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/arrow-right-black.svg) More Resources * [Blog](https://www.paloaltonetworks.com/blog/?ts=markdown) * [Unit 42 Threat Research](https://unit42.paloaltonetworks.com/) * [Communities](https://www.paloaltonetworks.com/communities?ts=markdown) * [Content Library](https://www.paloaltonetworks.com/resources?ts=markdown) * [Cyberpedia](https://www.paloaltonetworks.com/cyberpedia?ts=markdown) * [Tech Insider](https://techinsider.paloaltonetworks.com/) * [Knowledge Base](https://knowledgebase.paloaltonetworks.com/) * [Palo Alto Networks TV](https://tv.paloaltonetworks.com/) * [Perspectives of Leaders](https://www.paloaltonetworks.com/perspectives/?ts=markdown) * [Cyber Perspectives Magazine](https://www.paloaltonetworks.com/cybersecurity-perspectives/cyber-perspectives-magazine?ts=markdown) * [Regional Cloud Locations](https://www.paloaltonetworks.com/products/regional-cloud-locations?ts=markdown) * [Tech Docs](https://docs.paloaltonetworks.com/) * [Security Posture Assessment](https://www.paloaltonetworks.com/security-posture-assessment?ts=markdown) * [Threat Vector Podcast](https://unit42.paloaltonetworks.com/unit-42-threat-vector-podcast/) * [Packet Pushers Podcasts](https://www.paloaltonetworks.com/podcasts/packet-pusher?ts=markdown) Connect * [LIVE community](https://live.paloaltonetworks.com/) * [Events](https://events.paloaltonetworks.com/) * [Executive Briefing Center](https://www.paloaltonetworks.com/about-us/executive-briefing-program?ts=markdown) * [Demos](https://www.paloaltonetworks.com/demos?ts=markdown) * [Contact us](https://www.paloaltonetworks.com/company/contact-sales?ts=markdown) [Blog Stay up-to-date on industry trends and the latest innovations from the world's largest cybersecurity Learn more](https://www.paloaltonetworks.com/blog/) * Sign In ![black arrow pointing left to go back to main navigation](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/arrow-right-black.svg) Sign In * Customer * Partner * Employee * [Login to download](https://www.paloaltonetworks.com/login?ts=markdown) * [Join us to become a member](https://www.paloaltonetworks.com/login?screenToRender=traditionalRegistration&ts=markdown) * EN ![black arrow pointing left to go back to main navigation](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/arrow-right-black.svg) Language * [USA (ENGLISH)](https://www.paloaltonetworks.com) * [AUSTRALIA (ENGLISH)](https://www.paloaltonetworks.com.au) * [BRAZIL (PORTUGUÉS)](https://www.paloaltonetworks.com.br) * [CANADA (ENGLISH)](https://www.paloaltonetworks.ca) * [CHINA (简体中文)](https://www.paloaltonetworks.cn) * [FRANCE (FRANÇAIS)](https://www.paloaltonetworks.fr) * [GERMANY (DEUTSCH)](https://www.paloaltonetworks.de) * [INDIA (ENGLISH)](https://www.paloaltonetworks.in) * [ITALY (ITALIANO)](https://www.paloaltonetworks.it) * [JAPAN (日本語)](https://www.paloaltonetworks.jp) * [KOREA (한국어)](https://www.paloaltonetworks.co.kr) * [LATIN AMERICA (ESPAÑOL)](https://www.paloaltonetworks.lat) * [MEXICO (ESPAÑOL)](https://www.paloaltonetworks.com.mx) * [SINGAPORE (ENGLISH)](https://www.paloaltonetworks.sg) * [SPAIN (ESPAÑOL)](https://www.paloaltonetworks.es) * [TAIWAN (繁體中文)](https://www.paloaltonetworks.tw) * [UK (ENGLISH)](https://www.paloaltonetworks.co.uk) * [Contact Us](https://www.paloaltonetworks.com/company/contact-sales?ts=markdown) * [What's New](https://www.paloaltonetworks.com/resources?ts=markdown) * [Get support](https://support.paloaltonetworks.com/SupportAccount/MyAccount) * [Under Attack?](https://start.paloaltonetworks.com/contact-unit42.html) * [Demos and Trials](https://www.paloaltonetworks.com/get-started?ts=markdown) Search All * [Tech Docs](https://docs.paloaltonetworks.com/search) Close search modal [Deploy Bravely --- Secure your AI transformation with Prisma AIRS](https://www.deploybravely.com) [](https://www.paloaltonetworks.com/?ts=markdown) 1. [Cyberpedia](https://www.paloaltonetworks.com/cyberpedia?ts=markdown) 2. [Cloud Security](https://www.paloaltonetworks.com/cyberpedia/cloud-security?ts=markdown) 3. [Container Security](https://www.paloaltonetworks.com/cyberpedia/what-is-container-security?ts=markdown) 4. [Kubernetes and Infrastructure as Code](https://www.paloaltonetworks.com/cyberpedia/kubernetes-infrastructure-as-code?ts=markdown) Table of Contents * [What Is Container Security?](https://www.paloaltonetworks.com/cyberpedia/what-is-container-security?ts=markdown) * [Container Security Explained](https://www.paloaltonetworks.com/cyberpedia/what-is-container-security#container-security?ts=markdown) * [Understanding the Attack Surface](https://www.paloaltonetworks.com/cyberpedia/what-is-container-security#attack-surface?ts=markdown) * [How to Secure Containers](https://www.paloaltonetworks.com/cyberpedia/what-is-container-security#secure-containers?ts=markdown) * [Container Security Solutions](https://www.paloaltonetworks.com/cyberpedia/what-is-container-security#solutions?ts=markdown) * [Container Security FAQs](https://www.paloaltonetworks.com/cyberpedia/what-is-container-security#faq?ts=markdown) * [Managing Permissions with Kubernetes RBAC](https://www.paloaltonetworks.com/cyberpedia/kubernetes-rbac?ts=markdown) * [Kubernetes RBAC Defined](https://www.paloaltonetworks.com/cyberpedia/kubernetes-rbac#kubernetes?ts=markdown) * [Why Is RBAC Important for Kubernetes Security?](https://www.paloaltonetworks.com/cyberpedia/kubernetes-rbac#important?ts=markdown) * [RBAC Roles and Permissions in Kubernetes](https://www.paloaltonetworks.com/cyberpedia/kubernetes-rbac#roles?ts=markdown) * [How Kubernetes RBAC Works](https://www.paloaltonetworks.com/cyberpedia/kubernetes-rbac#how?ts=markdown) * [The Role of RBAC in Kubernetes Authorization](https://www.paloaltonetworks.com/cyberpedia/kubernetes-rbac#authorization?ts=markdown) * [Common RBAC Permissions Risks and Vulnerabilities](https://www.paloaltonetworks.com/cyberpedia/kubernetes-rbac#common?ts=markdown) * [Kubernetes RBAC Best Practices and Recommendations](https://www.paloaltonetworks.com/cyberpedia/kubernetes-rbac#best?ts=markdown) * [Kubernetes and RBAC FAQ](https://www.paloaltonetworks.com/cyberpedia/kubernetes-rbac#faqs?ts=markdown) * [Kubernetes: How to Implement AI-Powered Security](https://www.paloaltonetworks.com/cyberpedia/kubernetes-ai-security?ts=markdown) * [Common Threats to Kubernetes Clusters](https://www.paloaltonetworks.com/cyberpedia/kubernetes-ai-security#common?ts=markdown) * [How Is AI Used to Enhance Kubernetes Security?](https://www.paloaltonetworks.com/cyberpedia/kubernetes-ai-security#how?ts=markdown) * [How Do You Implement AI-Powered Security in Kubernetes?](https://www.paloaltonetworks.com/cyberpedia/kubernetes-ai-security#do?ts=markdown) * [What Are the Best Types of AI-Powered Tools for Kubernetes Security?](https://www.paloaltonetworks.com/cyberpedia/kubernetes-ai-security#what?ts=markdown) * [Kubernetes and AI-Powered Security FAQs](https://www.paloaltonetworks.com/cyberpedia/kubernetes-ai-security#faqs?ts=markdown) * [What Is Container Runtime Security?](https://www.paloaltonetworks.com/cyberpedia/runtime-security?ts=markdown) * [Container Runtime Security for Modern Applications](https://www.paloaltonetworks.com/cyberpedia/runtime-security#runtime-security?ts=markdown) * [Models and Rules: Understanding Container Runtime Security](https://www.paloaltonetworks.com/cyberpedia/runtime-security#models?ts=markdown) * [Components of Container Runtime Security](https://www.paloaltonetworks.com/cyberpedia/runtime-security#components?ts=markdown) * [Best Practices for Optimal Runtime Security](https://www.paloaltonetworks.com/cyberpedia/runtime-security#best-practices?ts=markdown) * [At-a Glance Runtime Security Checklist](https://www.paloaltonetworks.com/cyberpedia/runtime-security#checklist?ts=markdown) * [Runtime Security FAQs](https://www.paloaltonetworks.com/cyberpedia/runtime-security#faq?ts=markdown) * [What Is Kubernetes Security?](https://www.paloaltonetworks.com/cyberpedia/kubernetes-security?ts=markdown) * [Kubernetes Security Explained](https://www.paloaltonetworks.com/cyberpedia/kubernetes-security#kubernetes?ts=markdown) * [The Importance of Kubernetes Security](https://www.paloaltonetworks.com/cyberpedia/kubernetes-security#importance?ts=markdown) * [Application Security in Kubernetes](https://www.paloaltonetworks.com/cyberpedia/kubernetes-security#application?ts=markdown) * [7 Common Kubernetes Security Mistakes](https://www.paloaltonetworks.com/cyberpedia/kubernetes-security#mistakes?ts=markdown) * [Kubernetes Security Best Practices](https://www.paloaltonetworks.com/cyberpedia/kubernetes-security#practices?ts=markdown) * [Kubernetes Security FAQs](https://www.paloaltonetworks.com/cyberpedia/kubernetes-security#faqs?ts=markdown) * [Multicloud Management with Al and Kubernetes](https://www.paloaltonetworks.com/cyberpedia/kubernetes-multicloud-management?ts=markdown) * [Multicloud Kubernetes Defined](https://www.paloaltonetworks.com/cyberpedia/kubernetes-multicloud-management#multicloud?ts=markdown) * [How Does Kubernetes Facilitate Multicloud Management?](https://www.paloaltonetworks.com/cyberpedia/kubernetes-multicloud-management#how?ts=markdown) * [Multicloud Management Using AI and Kubernetes](https://www.paloaltonetworks.com/cyberpedia/kubernetes-multicloud-management#kubernetes?ts=markdown) * [Key AI and Kubernetes Capabilities](https://www.paloaltonetworks.com/cyberpedia/kubernetes-multicloud-management#key?ts=markdown) * [Strategic Planning for Multicloud Management](https://www.paloaltonetworks.com/cyberpedia/kubernetes-multicloud-management#strategic?ts=markdown) * [Steps to Manage Multiple Cloud Environments with AI and Kubernetes](https://www.paloaltonetworks.com/cyberpedia/kubernetes-multicloud-management#steps?ts=markdown) * [Multicloud Management Challenges](https://www.paloaltonetworks.com/cyberpedia/kubernetes-multicloud-management#challenges?ts=markdown) * [Kubernetes Multicloud Management with AI FAQs](https://www.paloaltonetworks.com/cyberpedia/kubernetes-multicloud-management#faqs?ts=markdown) * [What Is Kubernetes?](https://www.paloaltonetworks.com/cyberpedia/what-is-kubernetes?ts=markdown) * [Kubernetes Explained](https://www.paloaltonetworks.com/cyberpedia/what-is-kubernetes#kubernetes?ts=markdown) * [Kubernetes Architecture](https://www.paloaltonetworks.com/cyberpedia/what-is-kubernetes#architecture?ts=markdown) * [Nodes: The Foundation](https://www.paloaltonetworks.com/cyberpedia/what-is-kubernetes#nodes?ts=markdown) * [Clusters](https://www.paloaltonetworks.com/cyberpedia/what-is-kubernetes#clusters?ts=markdown) * [Pods: The Basic Units of Deployment](https://www.paloaltonetworks.com/cyberpedia/what-is-kubernetes#pods?ts=markdown) * [Kubelet](https://www.paloaltonetworks.com/cyberpedia/what-is-kubernetes#kubelet?ts=markdown) * [Services: Networking in Kubernetes](https://www.paloaltonetworks.com/cyberpedia/what-is-kubernetes#services?ts=markdown) * [Volumes: Handling Persistent Storage](https://www.paloaltonetworks.com/cyberpedia/what-is-kubernetes#volumes?ts=markdown) * [Deployments in Kubernetes](https://www.paloaltonetworks.com/cyberpedia/what-is-kubernetes#deployments?ts=markdown) * [Kubernetes Automation and Capabilities](https://www.paloaltonetworks.com/cyberpedia/what-is-kubernetes#capabilities?ts=markdown) * [Benefits of Kubernetes](https://www.paloaltonetworks.com/cyberpedia/what-is-kubernetes#benefits?ts=markdown) * [Kubernetes Vs. Docker](https://www.paloaltonetworks.com/cyberpedia/what-is-kubernetes#compare?ts=markdown) * [Kubernetes FAQs](https://www.paloaltonetworks.com/cyberpedia/what-is-kubernetes#faq?ts=markdown) * [What Is Kubernetes Security Posture Management (KSPM)?](https://www.paloaltonetworks.com/cyberpedia/kubernetes-security-posture-management-kspm?ts=markdown) * [Kubernetes Security Posture Management Explained](https://www.paloaltonetworks.com/cyberpedia/kubernetes-security-posture-management-kspm#kspm?ts=markdown) * [What Is the Importance of KSPM?](https://www.paloaltonetworks.com/cyberpedia/kubernetes-security-posture-management-kspm#importance?ts=markdown) * [KSPM \& the Four Cs](https://www.paloaltonetworks.com/cyberpedia/kubernetes-security-posture-management-kspm#kspm-cs?ts=markdown) * [Vulnerabilities Addressed with Kubernetes Security Posture Management](https://www.paloaltonetworks.com/cyberpedia/kubernetes-security-posture-management-kspm#vulnerabilities?ts=markdown) * [How Does Kubernetes Security Posture Management Work?](https://www.paloaltonetworks.com/cyberpedia/kubernetes-security-posture-management-kspm#how?ts=markdown) * [What Are the Key Components and Functions of an Effective KSPM Solution?](https://www.paloaltonetworks.com/cyberpedia/kubernetes-security-posture-management-kspm#components?ts=markdown) * [KSPM Vs. CSPM](https://www.paloaltonetworks.com/cyberpedia/kubernetes-security-posture-management-kspm#vs?ts=markdown) * [Best Practices for KSPM](https://www.paloaltonetworks.com/cyberpedia/kubernetes-security-posture-management-kspm#best-practices?ts=markdown) * [KSPM Use Cases](https://www.paloaltonetworks.com/cyberpedia/kubernetes-security-posture-management-kspm#use-cases?ts=markdown) * [Kubernetes Security Posture Management (KSPM) FAQs](https://www.paloaltonetworks.com/cyberpedia/kubernetes-security-posture-management-kspm#faq?ts=markdown) * [What Is Orchestration Security?](https://www.paloaltonetworks.com/cyberpedia/what-is-orchestration-security?ts=markdown) * [Orchestration Security Explained](https://www.paloaltonetworks.com/cyberpedia/what-is-orchestration-security#orchestration-security?ts=markdown) * [Securing the Build Layer](https://www.paloaltonetworks.com/cyberpedia/what-is-orchestration-security#build-layer?ts=markdown) * [Orchestration Access Security](https://www.paloaltonetworks.com/cyberpedia/what-is-orchestration-security#access-security?ts=markdown) * [At-a-Glance Container Orchestration Security Checklist](https://www.paloaltonetworks.com/cyberpedia/what-is-orchestration-security#checklist?ts=markdown) * [Container Orchestration FAQs](https://www.paloaltonetworks.com/cyberpedia/what-is-orchestration-security#faq?ts=markdown) * [What Is Container Orchestration?](https://www.paloaltonetworks.com/cyberpedia/what-is-container-orchestration?ts=markdown) * [Container Orchestration Explained](https://www.paloaltonetworks.com/cyberpedia/what-is-container-orchestration#container-orchestration?ts=markdown) * [Orchestration Tools](https://www.paloaltonetworks.com/cyberpedia/what-is-container-orchestration#tools?ts=markdown) * [Key Components of Orchestrators](https://www.paloaltonetworks.com/cyberpedia/what-is-container-orchestration#components?ts=markdown) * [Container Orchestration and the Pipeline](https://www.paloaltonetworks.com/cyberpedia/what-is-container-orchestration#pipeline?ts=markdown) * [Benefits of Container Orchestration](https://www.paloaltonetworks.com/cyberpedia/what-is-container-orchestration#benefits?ts=markdown) * [The Container Ecosystem](https://www.paloaltonetworks.com/cyberpedia/what-is-container-orchestration#ecosystem?ts=markdown) * [Container Orchestration FAQs](https://www.paloaltonetworks.com/cyberpedia/what-is-container-orchestration#faq?ts=markdown) * [How to Secure Kubernetes Secrets and Sensitive Data](https://www.paloaltonetworks.com/cyberpedia/kubernetes-secrets?ts=markdown) * [Kubernetes Secrets Explained](https://www.paloaltonetworks.com/cyberpedia/kubernetes-secrets#kubernetes?ts=markdown) * [Importance of Securing Kubernetes Secrets](https://www.paloaltonetworks.com/cyberpedia/kubernetes-secrets#importance?ts=markdown) * [How Kubernetes Secrets Work](https://www.paloaltonetworks.com/cyberpedia/kubernetes-secrets#kubernetes-secrets?ts=markdown) * [How Do You Store Sensitive Data in Kubernetes?](https://www.paloaltonetworks.com/cyberpedia/kubernetes-secrets#sensitive-data?ts=markdown) * [How Do You Secure Secrets in Kubernetes?](https://www.paloaltonetworks.com/cyberpedia/kubernetes-secrets#secure-secrets?ts=markdown) * [Challenges in Securing Kubernetes Secrets](https://www.paloaltonetworks.com/cyberpedia/kubernetes-secrets#challenges?ts=markdown) * [What Are the Best Practices to Make Kubernetes Secrets More Secure?](https://www.paloaltonetworks.com/cyberpedia/kubernetes-secrets#best-practices?ts=markdown) * [What Tools Are Available to Secure Secrets in Kubernetes?](https://www.paloaltonetworks.com/cyberpedia/kubernetes-secrets#tools?ts=markdown) * [Kubernetes Secrets FAQ](https://www.paloaltonetworks.com/cyberpedia/kubernetes-secrets#faq?ts=markdown) * Kubernetes and Infrastructure as Code * [Infrastructure as Code in the Kubernetes Environment](https://www.paloaltonetworks.com/cyberpedia/kubernetes-infrastructure-as-code#kubernetes-environment?ts=markdown) * [Understanding IaC](https://www.paloaltonetworks.com/cyberpedia/kubernetes-infrastructure-as-code#iac?ts=markdown) * [IaC Security Is Key](https://www.paloaltonetworks.com/cyberpedia/kubernetes-infrastructure-as-code#iac-security?ts=markdown) * [Kubernetes Host Infrastructure Security](https://www.paloaltonetworks.com/cyberpedia/kubernetes-infrastructure-as-code#host-infrastructure-security?ts=markdown) * [IAM Security for Kubernetes Clusters](https://www.paloaltonetworks.com/cyberpedia/kubernetes-infrastructure-as-code#iam-security?ts=markdown) * [Container Registry and IaC Security](https://www.paloaltonetworks.com/cyberpedia/kubernetes-infrastructure-as-code#container-registry?ts=markdown) * [Avoid Pulling "Latest" Container Images](https://www.paloaltonetworks.com/cyberpedia/kubernetes-infrastructure-as-code#container-images?ts=markdown) * [Avoid Privileged Containers and Escalation](https://www.paloaltonetworks.com/cyberpedia/kubernetes-infrastructure-as-code#privileged-containers?ts=markdown) * [Isolate Pods at the Network Level](https://www.paloaltonetworks.com/cyberpedia/kubernetes-infrastructure-as-code#isolate-pods?ts=markdown) * [Encrypt Internal Traffic](https://www.paloaltonetworks.com/cyberpedia/kubernetes-infrastructure-as-code#encrypt?ts=markdown) * [Specifying Resource Limits](https://www.paloaltonetworks.com/cyberpedia/kubernetes-infrastructure-as-code#resource-limits?ts=markdown) * [Avoiding the Default Namespace](https://www.paloaltonetworks.com/cyberpedia/kubernetes-infrastructure-as-code#namespace?ts=markdown) * [Enable Audit Logging](https://www.paloaltonetworks.com/cyberpedia/kubernetes-infrastructure-as-code#audit-logging?ts=markdown) * [Securing Open-Source Kubernetes Components](https://www.paloaltonetworks.com/cyberpedia/kubernetes-infrastructure-as-code#kubernetes-components?ts=markdown) * [Kubernetes Security Across the DevOps Lifecycle](https://www.paloaltonetworks.com/cyberpedia/kubernetes-infrastructure-as-code#devops-lifecycle?ts=markdown) * [Kubernetes and Infrastructure as Code FAQs](https://www.paloaltonetworks.com/cyberpedia/kubernetes-infrastructure-as-code#faq?ts=markdown) * [What Is the Difference Between Dockers and Kubernetes?](https://www.paloaltonetworks.com/cyberpedia/kubernetes-docker?ts=markdown) * [Docker Defined](https://www.paloaltonetworks.com/cyberpedia/kubernetes-docker#defined?ts=markdown) * [Kubernetes Explained](https://www.paloaltonetworks.com/cyberpedia/kubernetes-docker#explained?ts=markdown) * [Docker and Kubernetes: Comparison of Containerization Platforms](https://www.paloaltonetworks.com/cyberpedia/kubernetes-docker#platforms?ts=markdown) * [Kubernetes Vs. Docker: Complementary, Not Competitors](https://www.paloaltonetworks.com/cyberpedia/kubernetes-docker#competitors?ts=markdown) * [Benefits of Integrating Docker and Kubernetes](https://www.paloaltonetworks.com/cyberpedia/kubernetes-docker#benefits?ts=markdown) * [Use Cases and Applications for Docker and Kubernetes](https://www.paloaltonetworks.com/cyberpedia/kubernetes-docker#usecases?ts=markdown) * [Dockers and Kubernetes FAQ](https://www.paloaltonetworks.com/cyberpedia/kubernetes-docker#faqs?ts=markdown) * [Securing Your Kubernetes Cluster: Kubernetes Best Practices and Strategies](https://www.paloaltonetworks.com/cyberpedia/kubernetes-cluster-security?ts=markdown) * [What Is the Importance of a Secure Kubernetes Cluster?](https://www.paloaltonetworks.com/cyberpedia/kubernetes-cluster-security#importance?ts=markdown) * [Understanding Kubernetes Security](https://www.paloaltonetworks.com/cyberpedia/kubernetes-cluster-security#security?ts=markdown) * [What Are Kubernetes Security Considerations and Security Best Practices?](https://www.paloaltonetworks.com/cyberpedia/kubernetes-cluster-security#practices?ts=markdown) * [What Are Advanced Strategies for Kubernetes Security?](https://www.paloaltonetworks.com/cyberpedia/kubernetes-cluster-security#advanced?ts=markdown) * [Kubernetes Cluster Security FAQs](https://www.paloaltonetworks.com/cyberpedia/kubernetes-cluster-security#faqs?ts=markdown) * [What Is a Host Operating System (OS)?](https://www.paloaltonetworks.com/cyberpedia/host-os-operating-system-containers?ts=markdown) * [The Host Operating System (OS) Explained](https://www.paloaltonetworks.com/cyberpedia/host-os-operating-system-containers#os?ts=markdown) * [Host OS Selection](https://www.paloaltonetworks.com/cyberpedia/host-os-operating-system-containers#selection?ts=markdown) * [Host OS Security](https://www.paloaltonetworks.com/cyberpedia/host-os-operating-system-containers#security?ts=markdown) * [Implement Industry-Standard Security Benchmarks](https://www.paloaltonetworks.com/cyberpedia/host-os-operating-system-containers#benchmarks?ts=markdown) * [Container Escape](https://www.paloaltonetworks.com/cyberpedia/host-os-operating-system-containers#container-escape?ts=markdown) * [System-Level Security Features](https://www.paloaltonetworks.com/cyberpedia/host-os-operating-system-containers#security-features?ts=markdown) * [Patch Management and Vulnerability Management](https://www.paloaltonetworks.com/cyberpedia/host-os-operating-system-containers#patch-management?ts=markdown) * [File System and Storage Security](https://www.paloaltonetworks.com/cyberpedia/host-os-operating-system-containers#storage-security?ts=markdown) * [Host-Level Firewall Configuration and Security](https://www.paloaltonetworks.com/cyberpedia/host-os-operating-system-containers#firewall-configuration?ts=markdown) * [Logging, Monitoring, and Auditing](https://www.paloaltonetworks.com/cyberpedia/host-os-operating-system-containers#logging?ts=markdown) * [Host OS Security FAQs](https://www.paloaltonetworks.com/cyberpedia/host-os-operating-system-containers#faq?ts=markdown) * [What Is Docker?](https://www.paloaltonetworks.com/cyberpedia/docker?ts=markdown) * [Docker Explained](https://www.paloaltonetworks.com/cyberpedia/docker#docker?ts=markdown) * [Understanding Docker Containers](https://www.paloaltonetworks.com/cyberpedia/docker#understanding?ts=markdown) * [Core Components of Docker](https://www.paloaltonetworks.com/cyberpedia/docker#core?ts=markdown) * [What Platforms and Environments Does Docker Support?](https://www.paloaltonetworks.com/cyberpedia/docker#what?ts=markdown) * [How Does Docker Work?](https://www.paloaltonetworks.com/cyberpedia/docker#how?ts=markdown) * [Docker Tools](https://www.paloaltonetworks.com/cyberpedia/docker#tools?ts=markdown) * [Docker Use Cases and Benefits](https://www.paloaltonetworks.com/cyberpedia/docker#benefits?ts=markdown) * [Docker FAQ](https://www.paloaltonetworks.com/cyberpedia/docker#faqs?ts=markdown) * [What Is Container Registry Security?](https://www.paloaltonetworks.com/cyberpedia/container-registry-security?ts=markdown) * [Container Registry Security Explained](https://www.paloaltonetworks.com/cyberpedia/container-registry-security#container-registry?ts=markdown) * [Components of Container Registry Security](https://www.paloaltonetworks.com/cyberpedia/container-registry-security#components?ts=markdown) * [Promoting Image and Artifact Integrity in CI/CD](https://www.paloaltonetworks.com/cyberpedia/container-registry-security#artifact-integrity?ts=markdown) * [At-a-Glance Container Registry Security Checklist](https://www.paloaltonetworks.com/cyberpedia/container-registry-security#checklist?ts=markdown) * [Container Registry FAQs](https://www.paloaltonetworks.com/cyberpedia/container-registry-security#faq?ts=markdown) * [What Is a Container?](https://www.paloaltonetworks.com/cyberpedia/what-is-a-container?ts=markdown) * [Containers Explained](https://www.paloaltonetworks.com/cyberpedia/what-is-a-container#containers?ts=markdown) * [Understanding Container Components](https://www.paloaltonetworks.com/cyberpedia/what-is-a-container#components?ts=markdown) * [Container Infrastructure](https://www.paloaltonetworks.com/cyberpedia/what-is-a-container#infrastructure?ts=markdown) * [Know Your Container Types](https://www.paloaltonetworks.com/cyberpedia/what-is-a-container#types?ts=markdown) * [Harnessing the Efficiency of Containerization](https://www.paloaltonetworks.com/cyberpedia/what-is-a-container#efficiency?ts=markdown) * [Container FAQs](https://www.paloaltonetworks.com/cyberpedia/what-is-a-container#faq?ts=markdown) * [What Is Containerization?](https://www.paloaltonetworks.com/cyberpedia/containerization?ts=markdown) * [Why Is Containerization Important?](https://www.paloaltonetworks.com/cyberpedia/containerization#why?ts=markdown) * [Containers: A Modern Contender to VMs](https://www.paloaltonetworks.com/cyberpedia/containerization#containers?ts=markdown) * [To Container or Not to Container: Moving Applications to the Cloud](https://www.paloaltonetworks.com/cyberpedia/containerization#apps?ts=markdown) * [Architecture and Migration](https://www.paloaltonetworks.com/cyberpedia/containerization#architecture?ts=markdown) * [Choosing a Cloud Migration Method](https://www.paloaltonetworks.com/cyberpedia/containerization#migration?ts=markdown) * [When Micro Means Fast](https://www.paloaltonetworks.com/cyberpedia/containerization#micro?ts=markdown) * [Container FAQs](https://www.paloaltonetworks.com/cyberpedia/containerization#faq?ts=markdown) # Kubernetes and Infrastructure as Code 6 min. read Table of Contents * * [Infrastructure as Code in the Kubernetes Environment](https://www.paloaltonetworks.com/cyberpedia/kubernetes-infrastructure-as-code#kubernetes-environment?ts=markdown) * [Understanding IaC](https://www.paloaltonetworks.com/cyberpedia/kubernetes-infrastructure-as-code#iac?ts=markdown) * [IaC Security Is Key](https://www.paloaltonetworks.com/cyberpedia/kubernetes-infrastructure-as-code#iac-security?ts=markdown) * [Kubernetes Host Infrastructure Security](https://www.paloaltonetworks.com/cyberpedia/kubernetes-infrastructure-as-code#host-infrastructure-security?ts=markdown) * [IAM Security for Kubernetes Clusters](https://www.paloaltonetworks.com/cyberpedia/kubernetes-infrastructure-as-code#iam-security?ts=markdown) * [Container Registry and IaC Security](https://www.paloaltonetworks.com/cyberpedia/kubernetes-infrastructure-as-code#container-registry?ts=markdown) * [Avoid Pulling "Latest" Container Images](https://www.paloaltonetworks.com/cyberpedia/kubernetes-infrastructure-as-code#container-images?ts=markdown) * [Avoid Privileged Containers and Escalation](https://www.paloaltonetworks.com/cyberpedia/kubernetes-infrastructure-as-code#privileged-containers?ts=markdown) * [Isolate Pods at the Network Level](https://www.paloaltonetworks.com/cyberpedia/kubernetes-infrastructure-as-code#isolate-pods?ts=markdown) * [Encrypt Internal Traffic](https://www.paloaltonetworks.com/cyberpedia/kubernetes-infrastructure-as-code#encrypt?ts=markdown) * [Specifying Resource Limits](https://www.paloaltonetworks.com/cyberpedia/kubernetes-infrastructure-as-code#resource-limits?ts=markdown) * [Avoiding the Default Namespace](https://www.paloaltonetworks.com/cyberpedia/kubernetes-infrastructure-as-code#namespace?ts=markdown) * [Enable Audit Logging](https://www.paloaltonetworks.com/cyberpedia/kubernetes-infrastructure-as-code#audit-logging?ts=markdown) * [Securing Open-Source Kubernetes Components](https://www.paloaltonetworks.com/cyberpedia/kubernetes-infrastructure-as-code#kubernetes-components?ts=markdown) * [Kubernetes Security Across the DevOps Lifecycle](https://www.paloaltonetworks.com/cyberpedia/kubernetes-infrastructure-as-code#devops-lifecycle?ts=markdown) * [Kubernetes and Infrastructure as Code FAQs](https://www.paloaltonetworks.com/cyberpedia/kubernetes-infrastructure-as-code#faq?ts=markdown) 1. Infrastructure as Code in the Kubernetes Environment * * [Infrastructure as Code in the Kubernetes Environment](https://www.paloaltonetworks.com/cyberpedia/kubernetes-infrastructure-as-code#kubernetes-environment?ts=markdown) * [Understanding IaC](https://www.paloaltonetworks.com/cyberpedia/kubernetes-infrastructure-as-code#iac?ts=markdown) * [IaC Security Is Key](https://www.paloaltonetworks.com/cyberpedia/kubernetes-infrastructure-as-code#iac-security?ts=markdown) * [Kubernetes Host Infrastructure Security](https://www.paloaltonetworks.com/cyberpedia/kubernetes-infrastructure-as-code#host-infrastructure-security?ts=markdown) * [IAM Security for Kubernetes Clusters](https://www.paloaltonetworks.com/cyberpedia/kubernetes-infrastructure-as-code#iam-security?ts=markdown) * [Container Registry and IaC Security](https://www.paloaltonetworks.com/cyberpedia/kubernetes-infrastructure-as-code#container-registry?ts=markdown) * [Avoid Pulling "Latest" Container Images](https://www.paloaltonetworks.com/cyberpedia/kubernetes-infrastructure-as-code#container-images?ts=markdown) * [Avoid Privileged Containers and Escalation](https://www.paloaltonetworks.com/cyberpedia/kubernetes-infrastructure-as-code#privileged-containers?ts=markdown) * [Isolate Pods at the Network Level](https://www.paloaltonetworks.com/cyberpedia/kubernetes-infrastructure-as-code#isolate-pods?ts=markdown) * [Encrypt Internal Traffic](https://www.paloaltonetworks.com/cyberpedia/kubernetes-infrastructure-as-code#encrypt?ts=markdown) * [Specifying Resource Limits](https://www.paloaltonetworks.com/cyberpedia/kubernetes-infrastructure-as-code#resource-limits?ts=markdown) * [Avoiding the Default Namespace](https://www.paloaltonetworks.com/cyberpedia/kubernetes-infrastructure-as-code#namespace?ts=markdown) * [Enable Audit Logging](https://www.paloaltonetworks.com/cyberpedia/kubernetes-infrastructure-as-code#audit-logging?ts=markdown) * [Securing Open-Source Kubernetes Components](https://www.paloaltonetworks.com/cyberpedia/kubernetes-infrastructure-as-code#kubernetes-components?ts=markdown) * [Kubernetes Security Across the DevOps Lifecycle](https://www.paloaltonetworks.com/cyberpedia/kubernetes-infrastructure-as-code#devops-lifecycle?ts=markdown) * [Kubernetes and Infrastructure as Code FAQs](https://www.paloaltonetworks.com/cyberpedia/kubernetes-infrastructure-as-code#faq?ts=markdown) [Kubernetes](https://www.paloaltonetworks.com/cyberpedia/what-is-kubernetes?ts=markdown) and infrastructure as code (IaC) are closely related concepts in the modern [DevOps](https://www.paloaltonetworks.com/cyberpedia/what-is-devops?ts=markdown) landscape. Kubernetes is a powerful container orchestration platform, while IaC refers to managing and provisioning infrastructure through machine-readable definition files. In a Kubernetes environment, IaC enables developers and operators to define, version, and manage Kubernetes resources --- such as deployments, services, and configurations --- using declarative languages like YAML or JSON. Tools like Helm, Kustomize, and Terraform facilitate IaC in Kubernetes, streamlining the application lifecycle and ensuring consistency across development, testing, and production environments. By embracing IaC principles, Kubernetes users can enjoy improved collaboration, enhanced security, and reduced operational overhead, making it easier to build, deploy, and scale containerized applications. ## Infrastructure as Code in the Kubernetes Environment Manually provisioning Kubernetes clusters and their add-ons is time-consuming and error-prone. That's where [infrastructure as code (IaC)](https://www.paloaltonetworks.com/cyberpedia/what-is-iac?ts=markdown) comes in. IaC has revolutionized the way engineers configure and manage infrastructure in [Kubernetes deployments](https://www.paloaltonetworks.com/cyberpedia/what-is-kubernetes?ts=markdown). By automating traditional manual processes, IaC enables the programmatic creation and management of container orchestration configurations, making infrastructure management more efficient, secure, and predictable. That said, while infrastructure as code streamlines Kubernetes infrastructure deployment, it also poses security risks if not implemented correctly. Misconfigurations in IaC can lead to security vulnerabilities across all new containers and Kubernetes resources. This probability underscores the critical role [IaC security](https://www.paloaltonetworks.com/cyberpedia/what-is-iac-security?ts=markdown) plays in [containerized environments](https://www.paloaltonetworks.com/cyberpedia/containerization?ts=markdown). ![Misconfiguration snowball effect, as one misconfiguration cascades into hundreds of alerts](https://www.paloaltonetworks.com/content/dam/pan/en_US/images/cyberpedia/misconfiguration-snowball-effect.png "Misconfiguration snowball effect, as one misconfiguration cascades into hundreds of alerts") *Figure 1: Misconfiguration snowball effect, as one misconfiguration cascades into hundreds of alerts* By regularly scanning IaC for security issues, organizations can detect and prevent misconfigurations that might expose containerized applications and Kubernetes clusters to attacks. [Shifting security left](https://www.paloaltonetworks.com/cyberpedia/shift-left-security?ts=markdown) by scanning IaC before the build stage minimizes the potential impact of security misconfigurations. ## Understanding IaC Think of infrastructure as code as a modern approach to managing and provisioning IT infrastructure. With IaC, an infrastructure's configuration, deployment, and management are defined in human-readable, machine-executable files, typically written in a domain-specific language or descriptive markup language like YAML or JSON. IaC enables developers and system administrators to treat infrastructure similar to how they treat application code. With IaC, they can version, test, and reuse infrastructure configurations in a systematic and repeatable manner, improving efficiency, reducing manual errors, and ensuring consistency across environments. A key component of [DevOps](https://www.paloaltonetworks.com/cyberpedia/what-is-devops?ts=markdown) practices, IaC is often used with tools like Terraform, Ansible, Puppet, Chef, and Kubernetes to automate the provisioning and management of cloud resources (e.g., data servers, storage, and networks), in addition to virtual machines and [container orchestration](https://www.paloaltonetworks.com/cyberpedia/what-is-container-orchestration?ts=markdown). It enables faster deployment of applications and infrastructure, seamless scaling, and improved collaboration among teams. Kubernetes manifest files are an example of IaC. Written in JSON or YAML format, manifests specify the desired state of an object that Kubernetes will maintain when you apply the manifest. Additionally, packaged manifests such as Helm charts and Kustomize files simplify Kubernetes further by reducing complexity and duplication [Kubernetes security](https://www.paloaltonetworks.com/cyberpedia/kubernetes-security?ts=markdown) is perhaps the biggest advantage of IaC, in that it enables you to scan earlier in the development lifecycle to catch easy-to-miss misconfigurations before they deploy. ## IaC Security Is Key Automated and continuous IaC scanning is a key component of [DevSecOps](https://www.paloaltonetworks.com/cyberpedia/what-is-devsecops?ts=markdown) and is crucial for securing cloud-native apps. When implementing DevSecOps for securing [cloud-native applications](https://www.paloaltonetworks.com/cyberpedia/what-is-cloud-native?ts=markdown), it's essential to understand basic Kubernetes infrastructure pitfalls and how IaC can help mitigate common security errors and misconfigurations: * Leaving host infrastructure vulnerable * Granting overly permissive access to clusters and registries * Running containers in privileged mode and allowing privilege escalation * Pulling "latest" container images * Failing to isolate pods and encrypt internal traffic * Forgetting to specify resource limits and enable audit logging * Using the default namespace * Incorporating insecure open-source components ## Kubernetes Host Infrastructure Security Let's start at the most basic layer of a Kubernetes environment: the host infrastructure. This is the bare metal and/or virtual server that serves as Kubernetes nodes. Securing this infrastructure starts with ensuring that each node (whether it's a worker or a master) is hardened against security risks. An easy way to do this is to provision each node using IaC templates that enforce security best practices at the configuration and [operating system level](https://www.paloaltonetworks.com/cyberpedia/host-os-operating-system-containers?ts=markdown). When you write your IaC templates, ensure that the image template and the startup script for your nodes are configured to run only the strictly necessary software to serve as nodes. Extraneous libraries, packages, and services should be excluded. You may also want to provision nodes with a kernel-level security hardening framework, as well as employ basic hygiene like encrypting any attached storage. ## IAM Security for Kubernetes Clusters In addition to managing internal access controls within clusters using [Kubernetes RBAC](https://www.paloaltonetworks.com/cyberpedia/kubernetes-rbac?ts=markdown) and depending on where and how you run Kubernetes, you may use an external cloud service to manage access controls for your Kubernetes environment. For example, with Amazon EKS, you'll use AWS IAM to grant varying access levels to Kubernetes clusters based on individual users' needs. Using a [least-privileged approach](https://www.paloaltonetworks.com/cyberpedia/what-is-least-privilege-access?ts=markdown) to manage IAM roles and policies in IaC minimizes the risk of manual configuration errors that could grant overly permissive access to the wrong user or service. You can also scan your configurations with IaC scanning tools (such as the open-source tool Checkov) to automatically catch overly permissive or unused [IAM roles and policies](https://www.paloaltonetworks.com/cyberpedia/what-is-identity-and-access-management?ts=markdown). ## Container Registry and IaC Security Although they're not part of native Kubernetes, [container registries](https://www.paloaltonetworks.com/cyberpedia/container-registry-security?ts=markdown) are widely used as part of a Kubernetes-based application deployment pipeline to store and host the images deployed into a Kubernetes environment. Access control frameworks vary between container registries. With some, you can manage access via public cloud IAM frameworks. Regardless, you can typically define, apply, and manage them using IaC. In doing so, you'll want to ensure that container images are only accessible by registry users who need to access them. You should also prevent unauthorized users from uploading images to a registry, as insecure registries are an excellent way for threat actors to push malicious images into your environment. ## Avoid Pulling "Latest" Container Images When you tell Kubernetes to pull an image from a container registry, it will automatically pull the version of the specified image labeled with the "latest" tag in the registry. This may seem logical --- after all, you typically want the latest version of an application. It can be risky from a security perspective, though, because relying on the "latest" tag makes it more difficult to track the specific version of a container you're using. In turn, you may not know whether your containers are subject to security vulnerabilities or [image-poisoning attacks](https://www.paloaltonetworks.com/cyberpedia/poisoned-pipeline-execution-cicd-sec4?ts=markdown) that impact specific images on an application. To avoid this mistake, specify image versions, or better, the image manifest when pulling images. You then want to audit your Kubernetes configurations to detect instances that lack specific version selection for images. It's a little more work, but it's worth it from a [Kubernetes security](https://www.paloaltonetworks.com/cyberpedia/what-is-kubernetes-security?ts=markdown) perspective. ## Avoid Privileged Containers and Escalation At the container level, a critical security consideration is ensuring that containers can't run in privileged mode. Running containers in privileged mode --- which gives them unfettered access to host-level resources --- grants too much power. Proceed cautiously, as it's an easy mistake to make. Disallowing privilege escalation is easy to do using IaC. Simply write a security context that denies privilege escalation and make sure to include the context when defining a pod. ![Security Context](https://www.paloaltonetworks.com/content/dam/pan/en_US/images/cyberpedia/security-context.png) Then, ensure that privilege isn't granted directly with the "privilege" flag or by granting CAP\_SYS\_ADMIN. Here again, you can use IaC scanning tools to check for the absence of this security context and to catch any other privilege escalation settings within pod settings. ## Isolate Pods at the Network Level By default, any pod running in Kubernetes can talk to any other pod over the network. That's why, unless your pods actually need to talk to each other (which is usually the case only if they're part of a related workload), you should isolate them to achieve a higher level of segmentation between workloads. As long as you have a Kubernetes networking layer that supports network policies (some Kubernetes distributions default to CNIs, lacking this support), you can write a network policy to specify which other pods the selected pod can connect to for both ingress and egress. The value of defining all this in code is that you can scan the code to check for configuration mistakes or oversights that may grant more network access than intended. ## Encrypt Internal Traffic Another small but critical setting is the --kubelet-https=... flag. It should be set to "true." If it's not, traffic between your API server and Kubelets won't be encrypted. Omitting the setting entirely also usually means that traffic will be encrypted by default. But because this behavior could vary depending on which Kubernetes version and distribution you use, it's a best practice to explicitly require Kubelet encryption, at least until the Kubernetes developers encrypt traffic universally by default. ## Specifying Resource Limits You may think of resource limits in Kubernetes as a way to control infrastructure costs and prevent "noisy neighbor" issues between pods by restricting how much memory and CPU a pod can consume. In addition, resource limits help to mitigate the risk of [denial-of-service (DoS)](https://www.paloaltonetworks.com/cyberpedia/what-is-a-denial-of-service-attack-dos?ts=markdown) and similar [cyber attacks](https://www.paloaltonetworks.com/cyberpedia/what-is-a-cyber-attack?ts=markdown). A compromised pod can do more damage when it can suck up the entire cluster's resources, depriving other [workloads](https://www.paloaltonetworks.com/cyberpedia/what-is-workload?ts=markdown) of functioning properly. From a security perspective, then, it's a good idea to define resource limits. ## Avoiding the Default Namespace By default, every Kubernetes cluster contains a namespace named "default." As the name implies, the default namespace is where workloads will reside by default unless you create other namespaces. Using the default namespace presents two security concerns. First, your namespace is a significant configuration value, and if it's publicly known, it's that much easier for attackers to exploit your environment. The other, more substantial concern with default namespaces is that if everything runs there, your workloads aren't segmented. It's better to create separate namespaces for separate workloads, making it harder for a breach against one workload to escalate into a cluster-wide issue. To avoid these issues, create new namespaces using kubectl or define them in a YAML file. You can also scan existing YAML files to detect instances where workloads are configured to run in the default namespace. ## Enable Audit Logging If a security incident (or, for that matter, a performance incident) does occur, Kubernetes audit logs tend to help when researching it. This is because audit logs record every request to the Kubernetes API server and its outcome. Unfortunately, audit logs aren't enabled by default in most Kubernetes distributions. To turn this feature on, add lines like these to your kube-apiserver policy file to tell Kubernetes where to store audit logs and where to find the policy file that configures what to audit: ![Policy File](https://www.paloaltonetworks.com/content/dam/pan/en_US/images/cyberpedia/policy-file.png) Because audit logs offer critical security information, it's worth including a rule in your Kubernetes configuration scans to check whether audit logs are enabled. ## Securing Open-Source Kubernetes Components Leveraging open-source components, such as container images and Helm charts allows developers to move fast without reinventing the wheel. Open-source components, however, are not typically secure-by-default, so you should never assume a container image or Helm chart is secure. Our research shows that around half of all open-source Helm charts within Artifact Hub contained misconfigurations, highlighting the gap between how and where Kubernetes security is being addressed. Before using open-source Helm charts from Artifact Hub, GitHub, or elsewhere, you should scan them for misconfigurations. Similarly, before deploying container images, you should scan them using tools to identify vulnerable components within them. Identifying security risks within Kubernetes before putting them into production is crucial, especially when it comes to integrating open-source components into your environment. ## Kubernetes Security Across the DevOps Lifecycle Identifying common Kubernetes security issues early is crucial to building a repeatable and efficient DevSecOps strategy as feedback cycles are faster and cheaper. Managing Kubernetes security risks at every stage is also key to securing cloud-native applications as they become more representative throughout the lifecycle. ![Figure 2: Security throughout the container lifecycle, from a potentially vulnerable image to a secure runtime environment](https://www.paloaltonetworks.com/content/dam/pan/en_US/images/cyberpedia/security-throughout-the-container-lifecycle.png "Figure 2: Security throughout the container lifecycle, from a potentially vulnerable image to a secure runtime environment") *Figure 2: Security throughout the container lifecycle, from a potentially vulnerable image to a secure runtime environment* ### Development During the development stage, engineers are writing code for applications and infrastructure that will later be deployed into Kubernetes. Three main types of security flaws to avoid in this phase: * Misconfigurations within IaC files * Vulnerabilities in container images * Hard-coded [Kubernetes secrets](https://www.paloaltonetworks.com/cyberpedia/kubernetes-secrets?ts=markdown) You can check for misconfigurations using IaC scanners, which can be deployed from the command line or via IDE extensions. IaC scanners work by identifying missing or incorrect security configurations that may later lead to security risks when the files are applied. Container scanning checks for vulnerabilities inside container images. You can run scanners on individual images directly from the command line. But most container registries also feature built-in scanners. The major limitation of container image scanning tools is that they can only detect known vulnerabilities --- meaning those that have been discovered and recorded in public vulnerability databases. When scanning container images, keep in mind that container scanners designed to validate the security of container images alone may not be capable of detecting risks that are external to container images. That's why you should also be sure to scan Kubernetes manifests and any other files that are associated with your containers. Along similar lines, if you produce Helm charts as part of your build process, you'll need security scanning tools that can scan Helm charts. In addition to avoiding misconfigurations and vulnerabilities, it's important to refrain from hard-coding secrets, such as passwords and API keys, that threat actors can leverage to gain privileged access. Secrets scanning tools are key to checking for [sensitive data](https://www.paloaltonetworks.com/cyberpedia/sensitive-data?ts=markdown) like passwords and access keys inside source code. They can also be used to check for secret data in configuration files that developers write to govern how their application will behave once it's compiled and deployed. The key to getting feedback in this stage is to integrate with developers' local tools and workflows --- either via integrated development environments (IDEs) or command lines. As code gets integrated into shared repositories, it's also important to have guardrails in place that allow for team-wide feedback to collaboratively address. ### Build and Deploy After code is written for new features or updates, it gets passed on to the build and deploy stages. This is where code is compiled, packaged, and tested. Security risks like over-privileged containers, insecure RBAC policies, or [insecure networking configurations](https://www.paloaltonetworks.com/cyberpedia/what-is-cloud-network-security?ts=markdown) can arise when you deploy applications into production. These insecure configurations may be baked into the binaries themselves, but they could also originate from Kubernetes manifests that are created alongside the binaries to prepare the binaries for the deploy stage. Due to the risk of introducing new security problems while making changes, it's best to run another set of scans on your application and any related configuration or IaC files prior to the actual deployment. **Takeaway** : Integrating security checks into your [CI/CD pipeline](https://www.paloaltonetworks.com/cyberpedia/what-is-the-ci-cd-pipeline-and-ci-cd-security?ts=markdown) is the most consistent way to get security coverage on each Kubernetes deployment. Doing so automatically is the one way to get continuous security coverage and address issues before they affect users in production. ### Container Runtime On top of scanning configuration rules, you should also take steps to secure the Kubernetes runtime environment by hardening and monitoring the nodes that host your cluster. Kernel-level security frameworks like AppArmor and SELinux can reduce the risk of successful attacks that exploit a vulnerability within the operating systems running on nodes. Monitoring operating system logs and processes can also allow you to detect signs of a breach from within the OS. [Security information and event management (SIEM)](https://www.paloaltonetworks.com/cyberpedia/what-is-siem?ts=markdown) and [security orchestration, automation, and response (SOAR)](https://www.paloaltonetworks.com/cyberpedia/what-is-soar?ts=markdown) platforms are helpful for monitoring your runtime environment. IaC can be used to deploy trusted container runtimes, such as [Docker](https://www.paloaltonetworks.com/cyberpedia/docker?ts=markdown) or CRI-O. It can also be used to configure container runtimes with security features such as sandboxing and resource isolation. ### Identify Benchmark KPIs Start thinking about KPIs and set benchmarks, such as your baseline number of violations, to get the complete picture of how your program is performing so far: * Assess your current [runtime issues](https://www.paloaltonetworks.com/cyberpedia/runtime-security?ts=markdown). Your ultimate goal is to reduce the number of runtime issues your team faces. * Measure leading indicators of runtime issues --- the posture of your code, for example. To establish your baseline code posture, break down your violations by severity level and identify the average number of new issues you see each month. * Set goals to work toward, such as reducing new monthly violations by a specific percentage, or just track your progress over time. If you're starting to see the rate of new misconfigurations and vulnerabilities decrease, that's a great indication that your team is addressing misconfigurations earlier and your policy library is fine-tuned to your needs. ### Feedback and Planning The DevOps lifecycle is a continuous loop in the sense that data collected from runtime environments should be used to inform the next round of application updates. From a security perspective, this means that you should carefully log data about security issues that arise within production, or, for that matter, at any earlier stage of the lifecycle, and then find ways to prevent similar issues from recurring in the future. For instance, if you determine that developers are making configuration changes between the testing and deployment stages that lead to unforeseen security risks, you may want to establish rules for your team that prevent these changes. Or, if you need a more aggressive stance, you can use access controls to restrict who's able to modify application deployments. The fewer people who have the ability to modify configuration data, the lower the risk of changes that introduce vulnerabilities. ## Kubernetes and Infrastructure as Code FAQs ### What is GitOps? GitOps is a paradigm for managing infrastructure and application configurations using Git as the single source of truth. It combines Git with Kubernetes' declarative infrastructure and applications for automated management. Changes to infrastructure and applications are made through Git commits, which are then automatically applied to the system, ensuring that the actual state always matches the version-controlled state. GitOps enhances collaboration, transparency, and audit trails while enabling consistent and automated rollbacks and deployments. ### What are Kubernetes operators? Kubernetes operators are software extensions that use custom resources to manage applications and their components. Operators follow Kubernetes principles, notably the control loop concept, to automate complex tasks such as deploying, upgrading, and maintaining stateful applications. They extend Kubernetes' capabilities by allowing it to 'understand' application-specific operations and lifecycle management. Operators are particularly useful for managing stateful services like databases or clusters that require knowledge of the application's state for effective management. ### What are custom resource definitions (CRDs)? Custom Resource Definitions (CRDs) are a feature in Kubernetes that allows users to create new, custom resources beyond the default set provided by Kubernetes. Often used with Kubernetes operators to manage complex, stateful applications, CRDs enable users to define resource types, complete with custom schemas and APIs, to be managed by the Kubernetes API server. CRDs allow for the creation of domain-specific resources that fit into the Kubernetes ecosystem seamlessly. ### What is declarative configuration? Declarative configuration refers to the practice of specifying the desired state of a system without detailing the steps to achieve that state. It allows for greater abstraction, simplicity, and consistency in managing resources. Tools like Kubernetes and Terraform use this model, enabling users to define the desired state of their infrastructure or applications, while the system handles the process of achieving and maintaining that state. ### What is configuration drift detection? Configuration drift detection is the process of identifying when the actual state of a system deviates from its expected or declared configuration. In cloud environments and automated deployment pipelines, configuration drift can occur due to manual changes, incomplete deployments, or external factors affecting the system. Detecting drift is crucial for maintaining the integrity, security, and reliability of systems. Tools that support configuration drift detection compare the current state of the system against the expected state defined in configuration files or templates, alerting administrators to discrepancies. ### What are integrated development environments (IDEs)? Integrated development environments (IDEs) are software applications that provide a comprehensive set of tools and features to facilitate the process of software development. IDEs combine various tools used by developers, such as code editors, compilers, debuggers, and build automation utilities, into a single unified interface, streamlining the development workflow and enhancing productivity. In the context of container orchestration, IDEs can aid in streamlining the development, deployment, and management of containerized applications. Modern IDEs have evolved to include support for containerization technologies like Docker and Kubernetes, enabling developers to work with containers and orchestration platforms more efficiently. **Key Features of IDEs in Container Orchestration Environments** **Container support**: IDEs often include built-in support for working with container technologies like Docker. They may provide features like Dockerfile syntax highlighting, autocompletion, and the ability to build, run, and manage Docker containers directly from the IDE. **Kubernetes integration**: Some IDEs offer integration with Kubernetes, allowing developers to manage Kubernetes clusters, deploy applications, and debug containerized applications running in a Kubernetes environment. Features like Kubernetes resource template support, cluster management, and log streaming can simplify the process of working with Kubernetes. **Orchestration platform-specific extensions and plugins**: Many IDEs support extensions and plugins that can further enhance container orchestration capabilities. These plugins can provide additional functionality, such as deploying applications to a specific orchestration platform, managing container registries, or working with platform-specific resources and configurations. **Version control integration**: IDEs often integrate with version control systems like Git, enabling developers to manage their containerized application codebase, track changes, and collaborate with other team members more effectively. **Integrated testing and debugging tools**: IDEs can include tools for testing and debugging containerized applications, enabling developers to run tests, identify issues, and debug their code within the context of containers and orchestration platforms. **CI/CD pipeline integration**: Some IDEs can integrate with continuous integration and continuous deployment (CI/CD) tools, such as Jenkins, GitLab CI, or GitHub Actions, allowing developers to automate the build, test, and deployment of their containerized applications. **Customizability and extensibility**: IDEs can be tailored to the specific needs of container orchestration workflows through customization and extensibility options. Developers can configure the IDE to match their preferred development environment and extend its capabilities with plugins or extensions that simplify working with container orchestration platforms. ### What is Kubernetes YAML? Kubernetes YAML is a human-readable data serialization format used for defining and configuring Kubernetes objects like pods, services, and deployments. YAML, which stands for "YAML Ain't Markup Language," is preferred in Kubernetes due to its ease of use and readability. It allows developers and system administrators to declare the desired state of a Kubernetes object, specifying configurations like container images, replicas, network settings, and volume mounts. Kubernetes interprets this YAML file to create and manage the defined resources, making it a fundamental tool in Kubernetes deployments. ### What is Kustomize? Kustomize is a standalone tool for Kubernetes that allows you to customize raw, template-free YAML files for multiple purposes, without using any additional templating languages or complex scripting. It's specifically designed to work natively with Kubernetes configuration files, making it easy to manage and maintain application configurations across different environments, such as development, staging, and production. Kustomize introduces a few key concepts: * **Base** is a directory containing the original, unmodified Kubernetes manifests for an application or set of related resources. * **Overlay** is a directory containing one or more Kustomize files that describe how to modify a base to suit a specific environment or use case. * **Kustomize file** (kustomization.yaml or kustomization.yml) is the central configuration file used by Kustomize to describe the desired modifications to the base resources. ### What are Kustomize files? Kustomize files are essentially configuration files that define how to modify the base Kubernetes YAML manifests. Used by Kustomize to describe the desired modifications to the base resources, they typically include instructions like adding common labels or annotations, changing environment-specific configurations, and generating or patching secrets and config maps. **Common Directives Used in Kustomize Files** * **resources**: List of files or directories to include as base resources. * **patches**: List of patch files that modify the base resources. * **configMapGenerator**: Generates a ConfigMap from a file, literal, or directory. * **secretGenerator**: Generates a Secret from a file, literal, or command. * **commonLabels**: Adds common labels to all resources and selectors. * **commonAnnotations**: Adds common annotations to all resources. ### What are Helm Charts? Helm Charts are packages in Helm, the package manager for Kubernetes, used to streamline the installation and management of Kubernetes applications. A Helm Chart contains all necessary resource definitions and configurations needed to deploy an application or service on Kubernetes. It includes a set of YAML files describing the application's Kubernetes resources and a customizable values file to tailor the deployment. Helm Charts enable consistent and repeatable deployments, simplifying complex Kubernetes applications' management and deployment. ### What is Argo CD? Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. It automates the deployment of applications to Kubernetes clusters by syncing them with configurations defined in a Git repository. Argo CD monitors the repository and automatically applies changes to the desired target states in the Kubernetes clusters. It provides features like automated sync, rollback, and self-healing capabilities, ensuring that the deployed applications always match the configurations in the Git repository. Argo CD enhances the deployment process's visibility, reliability, and consistency in Kubernetes environments. ### What is Flux? Flux is an open-source tool that implements GitOps for Kubernetes, ensuring that the state of a cluster matches the configuration stored in a Git repository. It automatically applies new changes made in the repository to the cluster, enabling continuous and automated deployment. Flux supports complex workflows and multi-environment setups, providing features like automated updates, rollback, and alerting. It enhances the reliability and consistency of deployments in Kubernetes, aligning with the principles of declarative infrastructure and version-controlled configuration. ### What is Terraform? Terraform is an open-source infrastructure-as-code tool created by HashiCorp. It enables the definition, provisioning, and management of cloud and on-premises resources in a declarative manner using configuration files. Terraform supports numerous cloud providers and services, allowing for the creation of complex, multicloud infrastructures. Its state management capabilities ensure that the actual state of the infrastructure matches the declared state in the configuration files. Terraform is widely used for its ability to manage entire infrastructure lifecycles, from creation to updates to destruction. ### What is Pulumi? Pulumi is an open-source infrastructure-as-code tool that allows developers to define cloud resources using familiar programming languages like JavaScript, TypeScript, Python, Go, and .NET. Unlike traditional IaC tools that use domain-specific languages, Pulumi leverages existing languages and tools, making it accessible to a broader range of developers. Pulumi supports multiple cloud providers, enabling the creation, deployment, and management of cloud infrastructure and applications. Its use of standard programming languages allows for more complex logic, reusable libraries, and better integration with existing software development practices. ### What is Tekton? Tekton is an open-source framework for creating CI/CD systems, allowing developers to build, test, and deploy across multiple cloud providers or on-premises systems. It's part of the Continuous Delivery Foundation and runs on Kubernetes, offering a Kubernetes-native interface to define and execute pipelines. Tekton decomposes the traditional CI/CD pipeline into composable, declarative components, enabling fine-grained control over each step of the software delivery process. Its flexibility and extensibility make it suitable for complex workflows in modern cloud-native environments. ### What is Jenkins X? Jenkins X is an open-source CI/CD solution designed for cloud-native applications on Kubernetes. It extends Jenkins, focusing on automating CI/CD for cloud applications by leveraging containers and Kubernetes. Jenkins X simplifies setting up CI/CD pipelines, promotes GitOps for environment management, and provides automated previews for pull requests. It enhances developer productivity and accelerates the software development process by automating many of the manual steps involved in deploying applications to Kubernetes. ### What is Skaffold? Skaffold is an open-source command-line tool that facilitates continuous development for Kubernetes applications. It automates the workflow for building, pushing, and deploying applications, allowing developers to iterate on their applications in real-time. Skaffold handles the workflow for building container images, pushing them to a registry, and deploying them to a Kubernetes cluster. It is designed to work in different stages of a development lifecycle, from local development to continuous integration. Skaffold streamlines the development and deployment process, making it more efficient and consistent. ### What is Crossplane? Crossplane is an open-source Kubernetes add-on that enables you to manage your infrastructure and services across multiple clouds directly from Kubernetes. It extends Kubernetes to allow you to declare, compose, and consume infrastructure through the Kubernetes API. Crossplane uses the Kubernetes control plane to manage external resources, such as cloud databases, storage systems, and Kubernetes clusters. It allows for a unified approach to configuration and deployment, enabling cloud-native applications to be composed alongside the infrastructure they depend on. Crossplane simplifies the management of cloud-native environments by bringing infrastructure as code to Kubernetes. Related Content [The Definitive Guide to Container Security Securing your containerized applications is a critical component of maintaining the integrity, confidentiality and availability of your cloud services.](https://www.paloaltonetworks.com/resources/ebooks/container-security-definitive-guide?ts=markdown) [Kubernetes Privilege Escalation: Excessive Permissions in Popular Platforms To understand the impact of excessive permissions, we analyzed popular Kubernetes platforms --- distributions, managed services, and common add-ons --- to identify infrastructure compo...](https://www.paloaltonetworks.com/resources/whitepapers/kubernetes-privilege-escalation-excessive-permissions-in-popular-platforms?ts=markdown) [Container Security 101 Understanding the Basics of Securing Containers breaks down what organizations need to know to protect against breaches, malware, and malicious actors.](https://www.paloaltonetworks.com/resources/guides/prisma-container-security101?ts=markdown) [Guide to Operationalizing Your IaC Security Program Infrastructure as code (IaC) plays a key role in containerized applications. Get a step-by-step plan to help you choose your IaC security path based on your needs, operationalize a...](https://www.paloaltonetworks.com/resources/whitepapers/guide-to-operationalizing-your-iac-security-program?ts=markdown) ![Share page on facebook](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/resources/facebook-circular-icon.svg) ![Share page on linkedin](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/resources/linkedin-circular-icon.svg) [![Share page by an email](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/resources/email-circular-icon.svg)](mailto:?subject=Kubernetes%20and%20Infrastructure%20as%20Code&body=Kubernetes%20and%20infrastructure%20as%20code%3A%20boost%20efficiency%20and%20security%20in%20container%20orchestration%20with%20IaC%2C%20streamlining%20the%20application%20lifecycle%20and%20ensuring%20consistency.%20at%20https%3A//www.paloaltonetworks.com/cyberpedia/kubernetes-infrastructure-as-code) Back to Top [Previous](https://www.paloaltonetworks.com/cyberpedia/kubernetes-secrets?ts=markdown) How to Secure Kubernetes Secrets and Sensitive Data [Next](https://www.paloaltonetworks.com/cyberpedia/kubernetes-docker?ts=markdown) What Is the Difference Between Dockers and Kubernetes? {#footer} ## Products and Services * [AI-Powered Network Security Platform](https://www.paloaltonetworks.com/network-security?ts=markdown) * [Secure AI by Design](https://www.paloaltonetworks.com/precision-ai-security/secure-ai-by-design?ts=markdown) * [Prisma AIRS](https://www.paloaltonetworks.com/prisma/prisma-ai-runtime-security?ts=markdown) * [AI Access Security](https://www.paloaltonetworks.com/sase/ai-access-security?ts=markdown) * [Cloud Delivered Security Services](https://www.paloaltonetworks.com/network-security/security-subscriptions?ts=markdown) * [Advanced Threat Prevention](https://www.paloaltonetworks.com/network-security/advanced-threat-prevention?ts=markdown) * [Advanced URL Filtering](https://www.paloaltonetworks.com/network-security/advanced-url-filtering?ts=markdown) * [Advanced WildFire](https://www.paloaltonetworks.com/network-security/advanced-wildfire?ts=markdown) * [Advanced DNS Security](https://www.paloaltonetworks.com/network-security/advanced-dns-security?ts=markdown) * [Enterprise Data Loss Prevention](https://www.paloaltonetworks.com/sase/enterprise-data-loss-prevention?ts=markdown) * [Enterprise IoT Security](https://www.paloaltonetworks.com/network-security/enterprise-device-security?ts=markdown) * [Medical IoT Security](https://www.paloaltonetworks.com/network-security/medical-device-security?ts=markdown) * [Industrial OT Security](https://www.paloaltonetworks.com/network-security/medical-device-security?ts=markdown) * [SaaS Security](https://www.paloaltonetworks.com/sase/saas-security?ts=markdown) * [Next-Generation Firewalls](https://www.paloaltonetworks.com/network-security/next-generation-firewall?ts=markdown) * [Hardware Firewalls](https://www.paloaltonetworks.com/network-security/hardware-firewall-innovations?ts=markdown) * [Software Firewalls](https://www.paloaltonetworks.com/network-security/software-firewalls?ts=markdown) * [Strata Cloud Manager](https://www.paloaltonetworks.com/network-security/strata-cloud-manager?ts=markdown) * [SD-WAN for NGFW](https://www.paloaltonetworks.com/network-security/sd-wan-subscription?ts=markdown) * [PAN-OS](https://www.paloaltonetworks.com/network-security/pan-os?ts=markdown) * [Panorama](https://www.paloaltonetworks.com/network-security/panorama?ts=markdown) * [Secure Access Service Edge](https://www.paloaltonetworks.com/sase?ts=markdown) * [Prisma SASE](https://www.paloaltonetworks.com/sase?ts=markdown) * [Application Acceleration](https://www.paloaltonetworks.com/sase/app-acceleration?ts=markdown) * [Autonomous Digital Experience Management](https://www.paloaltonetworks.com/sase/adem?ts=markdown) * [Enterprise DLP](https://www.paloaltonetworks.com/sase/enterprise-data-loss-prevention?ts=markdown) * [Prisma Access](https://www.paloaltonetworks.com/sase/access?ts=markdown) * [Prisma Browser](https://www.paloaltonetworks.com/sase/prisma-browser?ts=markdown) * [Prisma SD-WAN](https://www.paloaltonetworks.com/sase/sd-wan?ts=markdown) * [Remote Browser Isolation](https://www.paloaltonetworks.com/sase/remote-browser-isolation?ts=markdown) * [SaaS Security](https://www.paloaltonetworks.com/sase/saas-security?ts=markdown) * [AI-Driven Security Operations Platform](https://www.paloaltonetworks.com/cortex?ts=markdown) * [Cloud Security](https://www.paloaltonetworks.com/cortex/cloud?ts=markdown) * [Cortex Cloud](https://www.paloaltonetworks.com/cortex/cloud?ts=markdown) * [Application Security](https://www.paloaltonetworks.com/cortex/cloud/application-security?ts=markdown) * [Cloud Posture Security](https://www.paloaltonetworks.com/cortex/cloud/cloud-posture-security?ts=markdown) * [Cloud Runtime Security](https://www.paloaltonetworks.com/cortex/cloud/runtime-security?ts=markdown) * [Prisma Cloud](https://www.paloaltonetworks.com/prisma/cloud?ts=markdown) * [AI-Driven SOC](https://www.paloaltonetworks.com/cortex?ts=markdown) * [Cortex XSIAM](https://www.paloaltonetworks.com/cortex/cortex-xsiam?ts=markdown) * [Cortex XDR](https://www.paloaltonetworks.com/cortex/cortex-xdr?ts=markdown) * [Cortex XSOAR](https://www.paloaltonetworks.com/cortex/cortex-xsoar?ts=markdown) * [Cortex Xpanse](https://www.paloaltonetworks.com/cortex/cortex-xpanse?ts=markdown) * [Unit 42 Managed Detection \& Response](https://www.paloaltonetworks.com/cortex/managed-detection-and-response?ts=markdown) * [Managed XSIAM](https://www.paloaltonetworks.com/cortex/managed-xsiam?ts=markdown) * [Threat Intel and Incident Response Services](https://www.paloaltonetworks.com/unit42?ts=markdown) * [Proactive Assessments](https://www.paloaltonetworks.com/unit42/assess?ts=markdown) * [Incident Response](https://www.paloaltonetworks.com/unit42/respond?ts=markdown) * [Transform Your Security Strategy](https://www.paloaltonetworks.com/unit42/transform?ts=markdown) * [Discover Threat Intelligence](https://www.paloaltonetworks.com/unit42/threat-intelligence-partners?ts=markdown) ## Company * [About Us](https://www.paloaltonetworks.com/about-us?ts=markdown) * [Careers](https://jobs.paloaltonetworks.com/en/) * [Contact Us](https://www.paloaltonetworks.com/company/contact-sales?ts=markdown) * [Corporate Responsibility](https://www.paloaltonetworks.com/about-us/corporate-responsibility?ts=markdown) * [Customers](https://www.paloaltonetworks.com/customers?ts=markdown) * [Investor Relations](https://investors.paloaltonetworks.com/) * [Location](https://www.paloaltonetworks.com/about-us/locations?ts=markdown) * [Newsroom](https://www.paloaltonetworks.com/company/newsroom?ts=markdown) ## Popular Links * [Blog](https://www.paloaltonetworks.com/blog/?ts=markdown) * [Communities](https://www.paloaltonetworks.com/communities?ts=markdown) * [Content Library](https://www.paloaltonetworks.com/resources?ts=markdown) * [Cyberpedia](https://www.paloaltonetworks.com/cyberpedia?ts=markdown) * [Event Center](https://events.paloaltonetworks.com/) * [Manage Email Preferences](https://start.paloaltonetworks.com/preference-center) * [Products A-Z](https://www.paloaltonetworks.com/products/products-a-z?ts=markdown) * [Product Certifications](https://www.paloaltonetworks.com/legal-notices/trust-center/compliance?ts=markdown) * [Report a Vulnerability](https://www.paloaltonetworks.com/security-disclosure?ts=markdown) * [Sitemap](https://www.paloaltonetworks.com/sitemap?ts=markdown) * [Tech Docs](https://docs.paloaltonetworks.com/) * [Unit 42](https://unit42.paloaltonetworks.com/) * [Do Not Sell or Share My Personal Information](https://panwedd.exterro.net/portal/dsar.htm?target=panwedd) ![PAN logo](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/pan-logo-dark.svg) * [Privacy](https://www.paloaltonetworks.com/legal-notices/privacy?ts=markdown) * [Trust Center](https://www.paloaltonetworks.com/legal-notices/trust-center?ts=markdown) * [Terms of Use](https://www.paloaltonetworks.com/legal-notices/terms-of-use?ts=markdown) * [Documents](https://www.paloaltonetworks.com/legal?ts=markdown) Copyright © 2025 Palo Alto Networks. All Rights Reserved * [![Youtube](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/youtube-black.svg)](https://www.youtube.com/user/paloaltonetworks) * [![Podcast](https://www.paloaltonetworks.com/content/dam/pan/en_US/images/icons/podcast.svg)](https://www.paloaltonetworks.com/podcasts/threat-vector?ts=markdown) * [![Facebook](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/facebook-black.svg)](https://www.facebook.com/PaloAltoNetworks/) * [![LinkedIn](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/linkedin-black.svg)](https://www.linkedin.com/company/palo-alto-networks) * [![Twitter](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/twitter-x-black.svg)](https://twitter.com/PaloAltoNtwks) * EN Select your language