Aqua Security - Container Security That Actually Works

Aqua scans your container images for vulnerabilities, malware, and secrets - like every other security tool nowadays. But they were doing it back in 2015 when Docker was version 1.7 and most enterprises wouldn't touch containers with a ten-foot pole.

The Core Stuff That Works

Container Image Scanning: They hook into your CI/CD pipeline and scan images during builds. Unlike Twistlock (before Palo Alto bought them and made everything slower), Aqua usually finishes scans in under 3 minutes for normal images. Catches CVEs, hardcoded passwords, and malicious packages that some jackass developer inevitably includes - like that time someone npm installed a bitcoin miner thinking it was a legit crypto library.

Runtime Protection: Once your containers are running, Aqua watches for suspicious behavior. If something starts making network calls to sketchy domains or writing files where it shouldn't, it'll flag or block it. This caught crypto miners in our staging cluster back in March 2024 - they were mining some shitcoin called Monero and maxing out our t3.medium nodes.

Kubernetes Security: Probably their strongest feature. They actually understand Kubernetes YAML and catch misconfigurations before they hit production. Running as root, missing network policies, overly permissive RBAC - all the dumb shit that keeps you up at night wondering if you're about to get pwned.

The Enterprise Marketing Bullshit (That's Actually Useful)

They call themselves "CNAPP" now - Cloud Native Application Protection Platform. Sounds like marketing garbage, but it means they handle:

• Cloud posture checking: Scans your AWS/Azure/GCP configs for the obvious mistakes everyone makes
• Runtime workload protection: Behavioral analysis for running containers that actually works
• Supply chain security: Making sure your base images and dependencies aren't compromised by some supply chain attack

Real Integration Experience

Their Kubernetes integration is actually solid. I've deployed it on three different clusters (EKS 1.24, GKE 1.23, and one cursed on-prem cluster running K8s 1.21) and it usually works without breaking everything. The admission control webhook occasionally fucks up deployments during busy periods - we hit this during a particularly brutal Monday morning deployment rush when everyone decided to push at once.

AWS integration is smooth if you're using EKS. Other clouds work but feel like afterthoughts - GKE works fine, AKS is hit-or-miss. The Jenkins plugin is decent but times out on images over 2GB, which is basically every Java app we've ever built.

New AI Security Features (Mostly Bullshit)

They shoved AI security features into the product in early 2025 because apparently every enterprise tool needs "AI" in the marketing slides now. 90% of it is pure vendor theatre - prompt injection detection, model scanning, whatever. Sure, the prompt injection stuff might catch something if you're crazy enough to run LLMs in production containers, but show me one company actually doing that without losing sleep.

What Actually Breaks

• Setup takes longer than their sales demo suggests (plan a weekend, not a Tuesday afternoon) - learned this when we tried to deploy during a "quick maintenance window"
• Resource usage is heavier than their docs claim - we hit around 50% CPU overhead during security scan bursts on our EKS 1.24 cluster
• PostgreSQL backend will choke if you don't tune it properly (their default max_connections=100 is laughable for anything beyond dev)
• GitLab integration is half-baked compared to their GitHub and Jenkins plugins - the documentation writers clearly never actually used this feature

Setting up Aqua Security is not the "seamless integration" their sales team promises. Here's what actually happens when you try to deploy this thing in the real world.

SaaS vs Self-Hosted: The Real Trade-offs

Aqua SaaS (The Easy Button)

• Good: No infrastructure management, automatic updates, works in 30 minutes
• Bad: Your image data leaves your environment, limited customization, recurring costs that'll hurt your budget
• Gotchas: Compliance nightmare if you handle PII or payment data, bandwidth costs that nobody warns you about

Self-Hosted (The Control Freak Option)

• Good: Data stays in your environment, full control, no recurring SaaS fees
• Bad: You manage PostgreSQL, Redis, and all the infrastructure pain that comes with it
• Reality: Plan 2-3 days for initial setup if you know what you're doing, ongoing maintenance that'll eat your weekends

I've deployed both. Unless you have strict data residency requirements, go SaaS.

Agent Deployment Hell

The Enforcer Agent runs as a DaemonSet on every Kubernetes node. Sounds simple, right? Wrong.

What Works:

• EKS with standard AMIs - usually deploys cleanly
• Adequate resources (2GB RAM minimum per node, despite what docs say)
• Standard CNI like Calico or Flannel

What Breaks:

• Custom kernel modules or hardened nodes
• Resource-constrained nodes (looking at you, t3.small)
• Exotic CNI setups or service mesh configurations
• ARM64 nodes (support exists but feels half-baked)

Pro tip: Test the agent on a single node first. When it breaks your networking (and it fucking will), you don't want to spend your weekend explaining why the entire production cluster is down. We learned this lesson during a Friday afternoon deployment - classic mistake that every ops team makes exactly once. The DaemonSet rolled out to all 47 nodes, hit some weird iptables conflict with our service mesh, and suddenly nothing could talk to the API server. Took 6 hours to unfuck. Fun fact: this also breaks if your username has a space in it, because apparently nobody at Aqua has heard of basic input sanitization.

CI/CD Integration: The Good and Ugly

Jenkins Plugin: Works but occasionally times out on large images (>2GB). Set your build timeout to 15+ minutes.

GitHub Actions: Their official action works well. Takes about 2-3 minutes for average images.

GitLab CI: Integration exists but feels like an afterthought. You'll end up writing your own wrapper scripts.

The Database Situation

If you go self-hosted, you're running PostgreSQL and Redis. Their documentation undersells the resource requirements:

• PostgreSQL: Start with 4 cores, 16GB RAM minimum for production
• Redis: 8GB RAM minimum for caching scan results
• Storage: Plan for 500GB+ if you're scanning lots of images - I think it was like 600GB? Maybe more? One of our Java monoliths with 47 dependencies just ate disk space

Backup strategy: Critical. Losing the database means re-scanning everything. Plan for automated backups and test restores.

Performance Reality

Their marketing claims are optimistic:

• "Microsecond response times" - This is bullshit for policy decisions that involve network calls
• "Thousands of images daily" - True, but each scan takes 2-5 minutes depending on image size
• "Minimal overhead" - Plan for 10-15% CPU overhead from the runtime agent

Multi-Cloud Truth

AWS: First-class support. Everything works as advertised.
Azure: Good support, occasional quirks with AKS networking
GCP: Works but feels less polished. GKE integration is solid.
Multi-cloud: Possible but you'll manage multiple deployments, not one unified one

Compliance Checkbox Theater

Yes, they have SOC 2 and ISO 27001. But if you need FedRAMP, expect a longer sales cycle and higher costs.

What Nobody Tells You

• Initial setup: 2-3 days minimum, not hours
• Resource overhead: Budget 15-20% more compute than your current workload
• Support quality: Good if you pay for premium, typical enterprise "have you tried turning it off and on again" otherwise
• Maintenance: Plan for quarterly updates and occasional troubleshooting

Should You Self-Host?

Yes if: You have strict data residency requirements, dedicated ops team, budget for infrastructure
No if: You want something that just works, small team, prefer operational simplicity

Most teams should use the SaaS version unless they have compelling reasons not to.