The Open Horizon project, contributed by IBM to the Linux Foundation, developed a solution to automate complex edge computing workload and analytics placement decisions. Open Horizon also provides end-to-end security for the deployment process using security best practices. As a result of its rigorous adherence to recommended procedures, the Open Horizon project recently earned the OpenSSF Best Practices badge.
While Open Horizon provides secure container deployment, it cannot guarantee that a container is free of flawed code or other vulnerabilities that could put the system at risk, nor that a container is inherently safe from someone else’s malicious workloads running on the same host. That’s where a dynamic runtime security solution like KubeArmor comes in.
KubeArmor is an open-source project at the CNCF (Cloud Native Computing Foundation) that secures containerized workloads, but until recently it did so only within Kubernetes clusters. AccuKnox, in conjunction with KubeArmor and Open Horizon, extended KubeArmor's coverage to ensure the security of deployed workloads on both Kubernetes clusters and bare Linux hosts running a container engine like Docker or Podman.
KubeArmor provides deep visibility into the behavior of the deployed workload, including network, process, and file operations. This information is vital when making policy decisions related to workload security. In the context of Open Horizon, it was interesting to observe the runtime behavior of the anax agent and the containerized edge workloads that it deployed.
After thorough evaluation and approval by IBM developers, AccuKnox contributed the integration code to the Open Horizon project. The contribution was significant enough to qualify AccuKnox for membership in the Open Horizon project as a partner and voting member. The Technical Steering Committee then voted to invite AccuKnox to join based on the value of their work and the strength of their contribution.
To learn more about the Open Horizon project and how anax automates workload placement, consider attending the project’s Agent Working Group meetings. The KubeArmor integration code is available in the GitHub repository.