Editor’s note: Rancher Labs’ William Jimenez provides an introduction to CIS Scan. Then Saiyam Pathak takes over with a hands-on demo. Cluster security is critical to any successful Kubernetes strategy. Recent research by AimPoint revealed that 44 percent of respondents had delayed application production due to security concerns around Kubernetes containers. Yet securing Kubernetes is a complex machine with many moving parts, integrations and knobs and levers.

Recently the leadership at Rancher Labs challenged all of us to think about ways we can contribute to the community during this current crisis. Coming up with ways to help in such an overwhelming situation is quite daunting. Since most needs are medical related, finding ways to apply software isn’t obvious. When I heard about Folding@home’s (FAH) efforts to reprioritize their computing resources toward COVID-19 research, I was immediately curious.

Containers are becoming the new computing standard for many businesses. New technology does not protect you from traditional security concerns. If your containers handle any sensitive data, including personally identifiable information (PII), credit cards or accounts, you’ll need to take a ‘defense in depth’ approach to container security. The CI/CD pipeline is vulnerable at every stage, from build to ship to runtime.

Delivering rapid innovation to your users is critical in the fast-moving world of technology. Kubernetes is an amazing engine to drive that innovation in the cloud, on-premise and at the edge. All that said, Kubernetes and the entire ecosystem itself changes quickly. Keeping Kubernetes up to date for security and new functionality is critical to any deployment.

Today I’m excited to announce Fleet, a new open source project from the team at Rancher focused on managing fleets of Kubernetes clusters. Ever since Rancher 1.0 shipped in 2016, Rancher has provided a central control plane for managing multiple clusters. As pioneers of Kubernetes multi-cluster management, we have seen firsthand how users have consistently increased the number of clusters under management.

We’ve heard from many of our customers and prospects that they love Rancher but just don’t have the staff and expertise to operate the platform. Figuring out the compute, storage and networking architecture can be a challenge. Performing upgrades, backups and troubleshooting can also be time consuming. Monitoring the environment and knowing when to scale up or down, horizontally or vertically, is yet another thing to worry about.

Rancher 2.4 is here – with new under-the-hood changes that pave the way to supporting up to 1 million clusters. That’s probably the most exciting capability in the new version. But you might ask: why would anyone want to run thousands of Kubernetes clusters – let alone tens of thousands, hundreds of thousands or more? At Rancher Labs, we believe the future of Kubernetes is multi-cluster and fully heterogeneous.

Runtime security for Rancher environments requires putting controls in place to detect unexpected behavior that could be malicious or anomalous. Even with processes in place for vulnerability scanning and implementing pod security policies and network policies in Rancher, not every risk will be addressed. You still need mechanisms to confirm these security barriers are effective and provide a last line of defense when they fail.

Longhorn is cloud-native distributed block storage for Kubernetes that is easy to deploy and upgrade, 100 percent open source and persistent. Longhorn’s built-in incremental snapshot and backup features keep volume data safe, while its intuitive UI makes scheduling backups of persistent volumes easy to manage. Using Longhorn, you get maximum granularity and control, and can easily create a disaster recovery volume in another Kubernetes cluster and fail over to it in the event of an emergency.

Prometheus is an open-source system for monitoring and alerting originally developed by Soundcloud. It moved to Cloud Native Computing Federation (CNCF) in 2016 and became one of the most popular projects after Kubernetes. It can monitor everything from an entire Linux server to a stand-alone web server, a database service or a single process. In Prometheus terminology, the things it monitors are called Targets. Each unit of a target is called a metric.