Kubernetes or OpenShift Overview
Container orchestration platforms allow you to define and enforce security policies, such as network policies, pod security policies, and role-based access control (RBAC), to further enhance the security of containerized applications. Cisco Secure Workload uses Kubernetes to automate the deployment, scaling, and management of containerized applications, and it provides detailed visibility into the state and performance of containerized workloads. OpenShift builds on Kubernetes, adding enterprise-grade features such as enhanced security, developer tools, and management capabilities.
Key Concepts
- Namespaces: A namespace is a logical way to divide a cluster into multiple virtual subclusters.
- Pods: A pod is the smallest unit in the Kubernetes object model that you can create or deploy. A pod represents a single instance of a running process in your cluster and can contain one or more containers.
- Node: A node is a machine in the cluster, either physical or virtual, that runs applications in containers. Each node is managed by the Kubernetes control plane.
- Services: Services define a logical set of pods and policies for accessing them. Services enable loose coupling between dependent pods, making it easier to manage microservices architectures.
- Sidecar Container: A sidecar container in Kubernetes is an extra container that runs alongside the main application container in the same pod. This setup allows the sidecar container to share the network, storage, and lifecycle with the main container, enabling them to work closely together.
- Service Mesh: A service mesh in Kubernetes manages microservice communication, enhancing security, reliability, and observability with advanced traffic management and monitoring capabilities.
Control Plane Components
You can access the Kubernetes control plane through the UI, or use the kubectl command to access it from the CLI.
- API Server: The API server is the central management entity that exposes the Kubernetes API, handling all internal and external requests and serving as the front end of the control plane.
- Scheduler: The scheduler is responsible for assigning pods to nodes based on resource requirements, constraints, and availability.
- Controller-Manager: Runs the various controllers that regulate the state of the cluster, ensuring that the actual state of the cluster matches the desired state.
- etcd: etcd is a distributed key-value store that Kubernetes uses for all of its cluster data storage needs.
Node Components
- kubelet: The kubelet is an agent on each node that ensures containers in pods are running and reports their status to the control plane.
- kube-proxy: The kube-proxy is a network proxy on each node that manages network rules and balances traffic, ensuring services are accessible and connections reach the right pods.
- Container Runtime: The container runtime is the software responsible for running containers.
Kubernetes/OpenShift deployment in Cisco Secure Workload
The deployment comprises four major components:
- The Control or Management Plane, which resides on either an on-premises Secure Workload cluster or a Secure Workload tenant hosted on SaaS.
- The Secure Workload Orchestrator or Connector, established within the management plane, engages with the Kubernetes cluster APIs for EKS, AKS, GKE, OpenShift, or unmanaged Kubernetes. This interaction allows enhanced visibility into pod and service metadata, providing details such as pod IDs, annotations, or labels. For more information, see Kubernetes/OpenShift.
- The Kubernetes DaemonSet is deployed to the Kubernetes or OpenShift cluster that is to be secured. The DaemonSet ensures the continuous operation of the Secure Workload agent pod on each Kubernetes or OpenShift node. For more information, see Install Kubernetes or OpenShift Agents for Deep Visibility and Enforcement.
- Activating the Vulnerability Scanner initiates a scan from one of the pods within the Kubernetes nodes. This scanner inspects every container image in the Kubernetes or OpenShift cluster and reports the identified CVEs to the Control or Management Plane.
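As an added illustration of the two cluster-side pieces described above (not Cisco's own manifests; the namespace, object names, and image are placeholders), this shows a read-only role scoped to the pod and service metadata a connector collects, and a DaemonSet that keeps one agent pod on every node, including tainted control-plane nodes:

```yaml
# Constructed example; names, namespace and image are placeholders.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: workload-agent
  namespace: secure-workload
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: workload-metadata-reader
rules:
  # Read-only verbs are enough to collect pod IDs, labels and annotations;
  # no create/update/delete, so a compromised agent cannot alter the cluster.
  - apiGroups: [""]
    resources: ["pods", "services", "endpoints", "namespaces", "nodes"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: workload-metadata-reader
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: workload-metadata-reader
subjects:
  - kind: ServiceAccount
    name: workload-agent
    namespace: secure-workload
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: workload-agent
  namespace: secure-workload
spec:
  selector:
    matchLabels: {app: workload-agent}
  template:
    metadata:
      labels: {app: workload-agent}
    spec:
      serviceAccountName: workload-agent
      # Tolerate every taint so control-plane nodes also receive an agent pod.
      tolerations:
        - operator: Exists
      containers:
        - name: agent
          image: registry.example.com/workload-agent:PLACEHOLDER
```

After applying, `kubectl -n secure-workload get daemonset workload-agent` should report DESIRED, CURRENT, and READY all equal to the node count; a lower READY value identifies a node where the agent pod is not running.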