
ibm-security-workshop

IBM Security Workshop Labs

Image Security deployment enforcement controls

The image security deployment enforcement controls let you verify images before they are deployed to the IBM Cloud Kubernetes Service. With them you can define Vulnerability Advisor policies and ensure that content trust is applied to the image. If the requirements are not met, the pod is not deployed.

Configuring your CLI to run kubectl

  1. Log in to the IBM Cloud CLI.

     ```sh
     ibmcloud login
     ```

     If using a federated ID, use `ibmcloud login --sso`.

  2. Choose your account and select the organization where the cluster resides.

  3. Target the resource group.

     ```sh
     ibmcloud target -g <resource_group> -r <region>
     ```

  4. Target the region.

     ```sh
     ibmcloud ks region-set <region>
     ```

  5. Set the context for the cluster.

     ```sh
     ibmcloud ks cluster-config <your_cluster_name>
     ```

  6. Export the KUBECONFIG environment variable using the path printed by the previous step, for example:

     ```sh
     export KUBECONFIG=/Users/<users-name>/.bluemix/plugins/container-service/clusters/DemoRG-cluster/kube-config-fra02-DemoRG-cluster.yml
     ```

Setting Up Helm

  1. You need the Helm CLI on your local machine. If it is not installed, follow the instructions here.

  2. Check whether Tiller is installed in your cluster.

     ```sh
     kubectl get serviceaccount --all-namespaces | grep tiller
     ```

     If it is installed, the output lists the namespace and name of the `tiller` service account.

  3. If Tiller is installed:

     Create a cluster role binding.

     ```sh
     kubectl create clusterrolebinding tiller --clusterrole=cluster-admin --serviceaccount=<namespace>:tiller -n <namespace>
     ```

     Update Tiller.

     ```sh
     helm init --upgrade --service-account <tiller_service_account_name>
     ```

     Verify the Tiller status.

     ```sh
     kubectl get pods -n <namespace> -l app=helm
     ```

  4. If Tiller is not installed:

     Create a Kubernetes service account and cluster role binding for Tiller in the kube-system namespace.

     ```sh
     kubectl create serviceaccount tiller -n kube-system
     kubectl create clusterrolebinding tiller --clusterrole=cluster-admin --serviceaccount=kube-system:tiller -n kube-system
     ```

     Verify that it is created.

     ```sh
     kubectl get serviceaccount -n kube-system tiller
     ```

     Initialize the Helm CLI and install Tiller.

     ```sh
     helm init --service-account tiller
     ```

     Verify the status.

     ```sh
     kubectl get pods -n kube-system -l app=helm
     ```

Installing Container Image Security Enforcement

Install IBM Container Image Security Enforcement using the Helm chart from the IBM chart repository.

Add the ibm repo.

```sh
helm repo add ibm https://icr.io/helm/ibm
```

Install the chart.

```sh
helm install --name cise ibm/ibmcloud-image-enforcement
```

The chart installs a set of default policies.

Default policies

  1. To get the cluster-wide policy, run

     ```sh
     kubectl get clusterimagepolicy
     ```

     To get the description, run

     ```sh
     kubectl describe clusterimagepolicy ibmcloud-default-cluster-image-policy
     ```

  2. To get the kube-system policy, run

     ```sh
     kubectl get imagepolicy -n kube-system
     ```

     To get the description, run

     ```sh
     kubectl describe imagepolicy ibmcloud-image-policy -n kube-system
     ```

  3. To get the ibm-system policy, run

     ```sh
     kubectl get imagepolicy -n ibm-system
     ```

     To get the description, run

     ```sh
     kubectl describe imagepolicy ibmcloud-image-policy -n ibm-system
     ```

Customize the policies.

  1. To override the existing policies, edit the ibmcloud-default-cluster-image-policy.

     ```sh
     kubectl edit ClusterImagePolicy ibmcloud-default-cluster-image-policy
     ```

     The editor shows the current policy, whose repository entry has the name `*`.

     Change the repository name from `*` to `docker.io` and save it.

     Once the edit is saved, the change applies.

     Previously, the cluster image policy allowed images from any repository; now it is restricted to images from docker.io only. In this way, you can define your own policies based on your requirements.

  2. If you want to create a completely new ClusterImagePolicy (or a namespaced ImagePolicy), create a Kubernetes custom resource like the one below.

     ```yaml
     apiVersion: securityenforcement.admission.cloud.ibm.com/v1beta1
     kind: <ClusterImagePolicy_or_ImagePolicy>
     metadata:
       name: <crd_name>
     spec:
       repositories:
       - name: <repository_name>
         policy:
           trust:
             enabled: <true_or_false>
             signerSecrets:
             - name: <secret_name>
           va:
             enabled: <true_or_false>
     ```

     Then apply it with `kubectl apply -f <your_file>`. An ImagePolicy is namespaced, so for that kind also set `metadata.namespace`.
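The effect of the two policies discussed above (the default `*` entry versus the docker.io restriction, with trust and VA toggled per repository) can be modelled in a few lines. This is an added example, not code from the workshop or from IBM's enforcement component: it assumes glob-style matching of the repository `name` (so the docker.io restriction is written `docker.io/*`), assumes unqualified image names resolve to `docker.io/library/<name>` as the container runtime does, and the policies and image names are constructed.

```python
from fnmatch import fnmatchcase
from typing import Tuple

# Constructed policies mirroring spec.repositories[] from the YAML above.
WILDCARD_POLICY = {"repositories": [
    {"name": "*", "policy": {"trust": {"enabled": False}, "va": {"enabled": False}}}]}
DOCKERHUB_POLICY = {"repositories": [
    {"name": "docker.io/*",  # assumed glob form of the page's "docker.io" entry
     "policy": {"trust": {"enabled": True, "signerSecrets": [{"name": "hub-signer"}]},
                "va": {"enabled": True}}}]}


def normalize(image: str) -> str:
    """Strip tag/digest and qualify Docker Hub short names (assumed runtime behaviour)."""
    ref = image.split("@", 1)[0]                 # drop @sha256:... digest
    path, _, last = ref.rpartition("/")
    last = last.split(":", 1)[0]                 # drop :tag from the final segment only
    ref = f"{path}/{last}" if path else last
    host = ref.split("/", 1)[0]
    if "." not in host and ":" not in host and host != "localhost":
        # no registry host given: Docker Hub, with "library/" for single-segment names
        ref = "docker.io/" + (ref if "/" in ref else f"library/{ref}")
    return ref


def evaluate(policy: dict, image: str) -> Tuple[bool, str]:
    """Return (admitted, reason): the first matching repository entry decides;
    an image that matches no entry is rejected at admission."""
    ref = normalize(image)
    for repo in policy["repositories"]:
        if not fnmatchcase(ref, repo["name"]):
            continue
        rules = repo["policy"]
        required = []
        if rules.get("trust", {}).get("enabled"):
            signers = [s["name"] for s in rules["trust"].get("signerSecrets", [])]
            required.append(f"content trust (signers: {signers or 'defaults'})")
        if rules.get("va", {}).get("enabled"):
            required.append("Vulnerability Advisor scan must pass")
        return True, f"{ref} matched {repo['name']!r}; required: {'; '.join(required) or 'none'}"
    return False, f"{ref} matches no repository entry; pod is rejected"


if __name__ == "__main__":
    for img in ("nginx:1.25", "bitnami/redis", "quay.io/org/app@sha256:0123"):
        print("default policy :", evaluate(WILDCARD_POLICY, img))
        print("docker.io only :", evaluate(DOCKERHUB_POLICY, img))
```

Run it to see that `quay.io/org/app` is admitted under the default policy but rejected once the entry is narrowed to docker.io, while `nginx:1.25` stays admitted and picks up the trust and VA requirements.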