
Incorporating DevSecOps into Oracle Container Engine for Kubernetes with Check Point's Infinity Architecture

Sherwood Zern, with Jeff Engel, Cloud Alliance Architect, Check Point

Oracle Cloud Infrastructure continues to embrace open source technologies and the developer communities that support them. With the rapid adoption of cloud native technologies and DevOps methodologies, we've heard from many organizations that they want an open cloud that avoids vendor lock-in and allows them to run what they want, whether or not it's built by the cloud provider.

As part of Oracle's continuing commitment to open standards and supporting a broad and varied ecosystem, we're pleased to announce that Check Point has extended its most complete real-time threat prevention against Gen V cyber-attacks to Oracle Cloud Infrastructure.

This post was written in collaboration with guest contributor Jeff Engel, Cloud Alliance Architect, Check Point.

As application developers, our goal is to produce secure, robust code that meets business needs and is easy to maintain, extend, and support with the least effort. Within that framework, securing our code can become a never-ending game of whack-a-mole that eats into precious development time. A steady stream of new exploits and obscure attack vectors has given rise to the DevSecOps role, whose job is to keep application vulnerabilities from exposing vital corporate assets.

Best practice now calls for automated controls, integrated into robust CI/CD pipelines, that provide threat prevention against both known and unknown vulnerabilities.

What containers are running in my environment? How do I ensure that my environments are configured to meet industry security benchmarks? Answering these questions by hand is a demanding set of tasks.

However, with CloudGuard Security Posture Management you can easily manage the security and compliance of your Kubernetes clusters, whether they are on the public or private cloud.

The onboarding process is simple: deploy the Check Point Helm chart in your cluster, and the agents start collecting cluster and workload information.

Once setup is complete, you can take advantage of the CloudGuard platform's capabilities. At the time of writing, CloudGuard ships with 87 out-of-the-box rules for Kubernetes environments, covering industry standards such as the CIS Kubernetes Benchmark and NIST.

Additionally, you can build your own policies using Governance Specification Language (GSL), a human-readable language specification with an integrated editor that makes rule creation intuitive.

Rules can be exported in JSON format, and the CloudGuard API lets you update them programmatically, so CloudGuard fits into any automation process.
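To make the idea of benchmark-style posture rules concrete, here is a small rule engine that evaluates Pod manifests against a handful of CIS-benchmark-flavoured checks and exports the rule catalogue as JSON. This is an added example written for this post; it is not CloudGuard's GSL engine, its rule set, or its API. The rule IDs, severities and the two manifests are constructed for illustration.

```python
"""Minimal Kubernetes posture-check engine.

Added example, not CloudGuard code. Rule IDs (K8S-00x), severities and the
sample manifests below are constructed for illustration only.
"""
import json
from dataclasses import dataclass
from typing import Callable, List


@dataclass(frozen=True)
class Rule:
    rule_id: str
    description: str
    severity: str
    check: Callable[[dict], bool]  # returns True when the pod is compliant


def _containers(pod: dict) -> List[dict]:
    """All containers in a Pod spec, including init containers."""
    spec = pod.get("spec", {})
    return spec.get("containers", []) + spec.get("initContainers", [])


def no_privileged(pod: dict) -> bool:
    return all(not c.get("securityContext", {}).get("privileged", False)
               for c in _containers(pod))


def no_host_namespaces(pod: dict) -> bool:
    spec = pod.get("spec", {})
    return not (spec.get("hostNetwork") or spec.get("hostPID") or spec.get("hostIPC"))


def run_as_non_root(pod: dict) -> bool:
    # A container-level setting overrides the pod-level securityContext.
    pod_ctx = pod.get("spec", {}).get("securityContext", {})
    for c in _containers(pod):
        ctx = c.get("securityContext", {})
        if ctx.get("runAsNonRoot", pod_ctx.get("runAsNonRoot", False)) is not True:
            return False
    return True


def no_privilege_escalation(pod: dict) -> bool:
    # allowPrivilegeEscalation defaults to true, so it must be set explicitly.
    return all(c.get("securityContext", {}).get("allowPrivilegeEscalation", True) is False
               for c in _containers(pod))


def has_resource_limits(pod: dict) -> bool:
    return all("limits" in c.get("resources", {}) for c in _containers(pod))


RULES: List[Rule] = [
    Rule("K8S-001", "Containers must not run privileged", "high", no_privileged),
    Rule("K8S-002", "Pods must not share host network, PID or IPC namespaces", "high", no_host_namespaces),
    Rule("K8S-003", "Containers must run as a non-root user", "medium", run_as_non_root),
    Rule("K8S-004", "Containers must set allowPrivilegeEscalation: false", "medium", no_privilege_escalation),
    Rule("K8S-005", "Containers must declare resource limits", "low", has_resource_limits),
]


def evaluate(pod: dict, rules: List[Rule] = RULES) -> List[str]:
    """Return the IDs of the rules the pod violates, in catalogue order."""
    return [r.rule_id for r in rules if not r.check(pod)]


def export_rules(rules: List[Rule] = RULES) -> str:
    """Serialise rule metadata (not the Python callables) to JSON."""
    return json.dumps([{"id": r.rule_id, "description": r.description,
                        "severity": r.severity} for r in rules], indent=2)


# Constructed manifests: a weak debugging pod and a hardened service pod.
WEAK_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "debug-shell"},
    "spec": {
        "hostNetwork": True,
        "containers": [{"name": "shell", "image": "busybox:1.36",
                        "securityContext": {"privileged": True}}],
    },
}

HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "api"},
    "spec": {
        "securityContext": {"runAsNonRoot": True},
        "containers": [{
            "name": "api", "image": "registry.example/api:1.4.2",
            "securityContext": {"allowPrivilegeEscalation": False,
                                "readOnlyRootFilesystem": True},
            "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}},
        }],
    },
}

if __name__ == "__main__":
    for name, pod in (("debug-shell", WEAK_POD), ("api", HARDENED_POD)):
        print(name, "violates:", evaluate(pod) or "nothing")
    print(export_rules())
```

The same structure (rule ID, description, severity, predicate) is what lets a posture product treat rules as data: the exported JSON can be versioned alongside the application, reviewed in a pull request, and pushed back through an API from the pipeline.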

Containers running in the cluster are analyzed for vulnerabilities that could put the application at risk. In the alerts panel, you can filter all the alerts for your environments.

You can dig deeper into the specific container image to find all vulnerabilities associated with it.


CloudGuard Log.ic for Kubernetes consumes flow logs generated in the Kubernetes cluster to analyze and visualize traffic flows. With this, you can identify traffic from unwanted sources or gaps in network security settings. For example:

  • Outbound traffic to malicious IP addresses
  • Port scanning of an internal asset from a Kubernetes pod
  • Outbound traffic to a Tor exit node from within a Kubernetes cluster
  • Inbound accepted traffic to a Kubernetes cluster from a malicious IP address
  • Kubernetes DNS spoofing
  • Kubernetes pod access to the instance metadata service
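The detections in that list are all questions asked of flow records, so the following added example runs them over a few constructed flow-log lines: egress to an IP on a reputation blocklist, egress to a Tor exit node, a pod reaching the instance metadata service, accepted ingress from a blocklisted IP, and a port sweep from one pod against one internal host. This is not CloudGuard or Log.ic code, and the record format, the threat-feed sets and the sample records are constructed for this post (real flow logs come from the CNI or platform and carry more fields). The metadata address 169.254.169.254 is the link-local address Oracle Cloud Infrastructure uses for its instance metadata service; a pod that can reach it can usually obtain the node's instance-principal credentials, which is why that finding is worth surfacing.

```python
"""Flow-log detections for Kubernetes pod traffic.

Added example, not Log.ic code. The record format, threat feeds and sample
records are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Dict, List, Set, Tuple

# Constructed threat feeds; a real deployment would pull these from a
# reputation service such as Check Point ThreatCloud.
MALICIOUS_IPS: Set[str] = {"203.0.113.7"}
TOR_EXIT_NODES: Set[str] = {"198.51.100.23"}
METADATA_IP = "169.254.169.254"   # OCI instance metadata service (IMDS)
PORT_SCAN_THRESHOLD = 10          # distinct dst ports from one pod to one host


@dataclass(frozen=True)
class Flow:
    ts: int
    direction: str   # "egress" or "ingress", relative to the pod
    pod: str         # namespace/pod-name
    pod_ip: str
    peer_ip: str
    dst_port: int
    action: str      # "accept" or "deny"


def parse_flow(line: str) -> Flow:
    """Parse one constructed record:
    <epoch> <direction> <namespace/pod> <pod_ip> <peer_ip> <dst_port> <action>
    """
    ts, direction, pod, pod_ip, peer_ip, port, action = line.split()
    ip_address(pod_ip)    # raise early on malformed records rather than
    ip_address(peer_ip)   # silently skipping them
    return Flow(int(ts), direction, pod, pod_ip, peer_ip, int(port), action)


def detect(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (finding, pod) pairs in the order the evidence was seen."""
    findings: List[Tuple[str, str]] = []
    ports_seen: Dict[Tuple[str, str], Set[int]] = defaultdict(set)
    scan_reported: Set[Tuple[str, str]] = set()

    for line in lines:
        f = parse_flow(line)
        if f.direction == "egress":
            if f.peer_ip in MALICIOUS_IPS:
                findings.append(("outbound_to_malicious_ip", f.pod))
            if f.peer_ip in TOR_EXIT_NODES:
                findings.append(("outbound_to_tor_exit_node", f.pod))
            if f.peer_ip == METADATA_IP:
                findings.append(("pod_access_to_metadata", f.pod))
            # Port sweep: count distinct destination ports per (pod, host),
            # regardless of whether the policy accepted or denied them.
            key = (f.pod, f.peer_ip)
            ports_seen[key].add(f.dst_port)
            if len(ports_seen[key]) >= PORT_SCAN_THRESHOLD and key not in scan_reported:
                scan_reported.add(key)
                findings.append(("port_scan_from_pod", f.pod))
        elif f.direction == "ingress" and f.action == "accept" and f.peer_ip in MALICIOUS_IPS:
            findings.append(("inbound_accepted_from_malicious_ip", f.pod))
    return findings


# Constructed sample: one benign flow, four suspicious ones, then a sweep of
# twelve ports from dev/tools-x1 against an internal host.
SAMPLE_LOG: List[str] = [
    "1700000000 egress prod/web-7d9f 10.244.1.5 10.244.2.9 443 accept",
    "1700000001 egress prod/web-7d9f 10.244.1.5 203.0.113.7 443 accept",
    "1700000002 egress dev/tools-x1 10.244.3.4 198.51.100.23 9001 accept",
    "1700000003 egress dev/tools-x1 10.244.3.4 169.254.169.254 80 accept",
    "1700000004 ingress prod/web-7d9f 10.244.1.5 203.0.113.7 8080 accept",
] + [
    f"{1700000010 + p} egress dev/tools-x1 10.244.3.4 10.244.5.20 {p} deny"
    for p in range(20, 32)
]

if __name__ == "__main__":
    for finding, pod in detect(SAMPLE_LOG):
        print(f"{finding:38s} {pod}")
```

Two design points carry over to real tooling: the port-sweep detector fires once per (pod, host) pair rather than on every packet past the threshold, which keeps alert volume proportional to incidents, and denied flows still count towards a sweep, because a policy that blocks the scan has not told you the pod is compromised.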

Although we have only touched on a few key features, CloudGuard CSPM gives cloud security operations teams full visibility, compliance and control over their security posture, so they can detect misconfigurations, protect against vulnerabilities, and respond to incidents and alerts faster and more effectively.

The Check Point Infinity architecture provides the tools you need to protect both your Oracle Container Engine for Kubernetes (OKE) environment with continuous posture management evaluation and your container-based applications with Infinity Next WAAP (web application and API protection).

If you want to experience Check Point with OKE for yourself, sign up for an Oracle Cloud Infrastructure trial account and start a free Check Point trial. With Oracle Container Engine for Kubernetes and Check Point, enterprises can deploy Kubernetes with confidence.
