Today we are excited to announce support for Kubernetes within EdgeBit, enabling companies to gain easy insights into software vulnerabilities within their clusters in addition to their cloud machines and bare metal servers.

DaemonSet Based Agent Deployment

Deploying the EdgeBit agent on Kubernetes clusters is now as easy as kubectl deploy.

By deploying the agent as a DaemonSet, the administrators can use the standard Kubernetes tooling and avoid installing it directly on the host via a tarball or a package manager.

For those who use Docker directly, the same container image can also be deployed via Docker.

The Kubernetes installation instructions explain how to get started quickly.

Tracking Kubernetes Container Pods

Whether the EdgeBit Linux agent is deployed as a DaemonSet or directly on the Node, EdgeBit now tracks Kubernetes Pods to surface running containers and their dependencies in-use.

This unlocks the same level of insight as what’s currently available on the host — it allows to filter out the vulnerabilities in dormant dependencies and focus the remediation on the most salient threats.

Future releases will annotate the containers with additional Kubernetes hierarchy such as the Namespace, Service or Deployment a Pod is a part of.

In addition, the agent will export resource labels to allow for better querying and filtering capabilities.

Signing with GitSign & SigStore

As a software supply chain company we strive to adopt best-in-class tools to secure our own releases.

One of the tools we are most excited about is SigStore. This release starts our SigStore journey by using GitSign to sign the Git tags from which our agent releases are built. GitSign keyless signing combines ephemeral private keys with a tamper-proof transparency log, enabling us to sign Git tags without storing private keys, and enabling our customers to easily and confidently audit exactly what we are signing.

This is in stark contrast to traditional code signing workflows, which utilize easy-to-leak and impossible-to-audit long-lived signing keys.

Today we are signing Git tags as part of a GitHub Workflow, in which we authenticate to SigStore using the OIDC identity of the Workflow itself. The v0.3.0 release is viewable in the Rekor transparency log.

In future releases we will expand signing both “up” the supply chain, by signing release artifacts, and “down” the supply chain by signing individual commits.