Carbon Black Cloud Container Security - FAQ

Overview

The VMware Carbon Black Cloud Container Frequently Asked Questions (FAQs) document provides answers to some of the most popular Container questions. We will continue to grow this list of FAQs so check back regularly for updates.

For more information about Container, explore the Mastering Container Security activity path, which provides step-by-step guidance to help you increase your understanding of Carbon Black Container, including articles, videos, and labs.

You can also see the Carbon Black Container Security Overview, which provides a basic overview of containers along with a demo.

Audience

This Container FAQ document is intended for existing or prospective Security administrators.

Operations

What Environments are Supported?
  • Kubernetes (open-source version, in the cloud or on-prem)
  • PKS/Tanzu, GKE (Google Kubernetes Engine)
  • AKS (Azure Kubernetes Service)
  • Amazon EKS
  • OpenShift (Red Hat)

Prerequisites for Installation
  1. Kubernetes Security DevOps or Super Admin role assigned to you on the Carbon Black Cloud console.
  2. Administrator privilege on your Kubernetes clusters.
  3. Kubernetes clusters have an admission control plugin with ValidatingAdmissionWebhook enabled.
  4. Kubernetes clusters can be controlled using the Kubernetes command-line tool kubectl. Visit GitHub to learn more.
  5. The Kubernetes cluster nodes can access the URL of the CBC environment for HTTPS requests on port 443. The URL is that of the CBC environment you are working with.
  6. The Kubernetes cluster nodes can access the Event Stream URL for gRPC traffic on port 443.
  7. The Kubernetes cluster nodes can pull container images from the Docker Hub registry.

Cluster Resource Utilization
  • 600 MB of memory
  • 1 CPU core available

Additional Resources: VMware provides an open source web interface to inspect Kubernetes workloads: https://octant.dev/ 


Image Scanning

What is cbctl (the CLI Client)?

The Carbon Black Cloud CLI client (cbctl) scans container images and reports their health to the Carbon Black Cloud console.

cbctl can be used to:

  • Scan images for known vulnerabilities
  • Validate an image for policy violations and return a list of violations
  • Validate a Kubernetes object for policy violations and return a list of violations

See the Developer Relations website for more information.

What kind of Commands can I run?

$ cbctl [TYPE] [command] [NAME] [flags]

Top Examples:

$ cbctl image validate docker.io/octarinesec/nginx:latest
$ cbctl k8s-object validate -f my_resource.yaml
$ cbctl k8s-object validate -f my_dir
$ cat my_resource.yaml | cbctl workload validate

What kinds of Images can I scan?

You can scan all Linux container images.
cbctl will display vulnerabilities for npm, java, dpkg, apkg... The full list of feeds is available here: https://docs.anchore.com/3.0/docs/overview/feeds/

Can I see Vulnerabilities across Endpoints, Workloads and Servers?

Yes, on the Harden > Vulnerabilities tab.

CBC Vulnerabilities View


Hardening

What templated policies are offered?

CBC Container deploys with 3 templated policies: Basic, Restrictive, and CIS Benchmark.

Template: Basic
  Industry Guidance: Kubernetes Baseline Pod Security Guidance
  Notes:
    • Easy Adoption
    • Prevents Privilege Escalation
    • Non-Critical Applications

Template: Restrictive
  Industry Guidance: Kubernetes Restrictive Pod Security Guidance
  Notes:
    • Pod Hardening Best Practices
    • May inhibit some compatibility
    • Security Critical Applications or Low Trust Users

Template: CIS Benchmark 1.6.0
  Industry Guidance: CIS Pod Security Guidance
  Notes:
    • Supports a Strong Security Posture
    • Focus on CIS section 5.2.x ‘Pod Security Policies’

Can I create custom rules?

You can add custom rules to Kubernetes Hardening policies in order to:

  • limit allowed container image registries
  • add MAPL (Manageable Access-control Policy Language) rules, see https://github.com/octarinesec/MAPL
  • for governance reasons, add rules that are organization-specific. For example, to require that the pod subnet is 10.244.0.0/16, the following rule flags any container whose POD_SUBNET environment variable does not match 10.244.*:

conditions:
  ANY:
    parentJsonpathAttribute: "jsonpath:$.spec.template.spec.containers"
    ANY:
      parentJsonpathAttribute: "jsonpath:$RELATIVE.env"
      AND:
        - attribute: "jsonpath:$RELATIVE.name"
          method: EQ
          value: "POD_SUBNET"
        - attribute: "jsonpath:$RELATIVE.value"
          method: NRE
          value: "10.244.*"
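To make the evaluation of that rule concrete, here is an added Python example (not part of this page, the MAPL project, or the Carbon Black product) that implements just the subset of MAPL semantics the rule above uses (ANY over a jsonpath parent collection, AND, EQ and NRE) and runs it against constructed Deployment manifests. The prefix-anchored regex match and the handling of an absent value are assumptions, not documented MAPL behaviour.

```python
import re

# The page's rule, transcribed from its YAML into a Python dict so it can be evaluated here.
RULE = {"ANY": {
    "parentJsonpathAttribute": "jsonpath:$.spec.template.spec.containers",
    "ANY": {
        "parentJsonpathAttribute": "jsonpath:$RELATIVE.env",
        "AND": [
            {"attribute": "jsonpath:$RELATIVE.name", "method": "EQ", "value": "POD_SUBNET"},
            {"attribute": "jsonpath:$RELATIVE.value", "method": "NRE", "value": "10.244.*"},
        ],
    },
}}

def lookup(path, root, relative):
    """Minimal jsonpath subset: '$.a.b' walks from the root, '$RELATIVE.a' from the current item."""
    path = path[len("jsonpath:"):] if path.startswith("jsonpath:") else path
    if path.startswith("$RELATIVE"):
        node, keys = relative, path[len("$RELATIVE"):]
    else:
        node, keys = root, path[1:]  # drop the leading '$'
    for key in keys.strip(".").split("."):
        if key:
            node = node.get(key) if isinstance(node, dict) else None
        if node is None:
            return None
    return node

def matches(cond, root, relative=None):
    """True when the condition holds, i.e. the object violates the rule."""
    if "attribute" in cond:
        actual = lookup(cond["attribute"], root, relative)
        if cond["method"] == "EQ":
            return actual == cond["value"]
        if cond["method"] == "NRE":
            # Assumption: NRE = value does NOT match the regex, anchored at the start;
            # an absent value is treated as non-matching (conservative: it gets flagged).
            return actual is None or re.match(cond["value"], str(actual)) is None
        raise ValueError(f"unsupported method {cond['method']}")
    if "AND" in cond:
        return all(matches(c, root, relative) for c in cond["AND"])
    inner = dict(cond["ANY"])  # ANY: iterate the parent collection, evaluating the rest per item
    items = lookup(inner.pop("parentJsonpathAttribute"), root, relative) or []
    return any(matches(inner, root, item) for item in items)

def deployment(env):
    # Constructed minimal Deployment manifest used as sample input (not from the page).
    return {"spec": {"template": {"spec": {"containers": [{"name": "app", "env": env}]}}}}
```

Calling matches(RULE, deployment([...])) returns True only when some container carries a POD_SUBNET variable outside 10.244.*, which is the case the rule is meant to report.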

How do I apply policy on specific workloads?

Scopes can be used as filters, or to apply the same security policies across a set of Kubernetes resources without affecting the rest of the setup.
A scope can be a set of namespaces, cluster groups or clusters.

This is key to operating with confidence, as opposed to built-in admission controller rules, which historically applied policies in alphabetical order.

Container Scopes

Can I audit enforcement before applying new rules?

Yes. The Container policy workflow lets the administrator set each rule to either Alert or Enforce, and review the potential violations before enabling the newly configured rules.

Review Policy Violations


General

How do I install the CBC Operator?

Follow the Add Cluster guidance and you will be able to add the cluster in 4 simple steps.

Add Cluster

How do I upgrade the CBC Operator?

You cannot upgrade the CBC operator in place; you need to uninstall and reinstall it.
You can check the operator version in the CBC console under Inventory / Kubernetes / K8s cluster.

How do I check if my cluster is protected by CBC?

$ kubectl get namespaces

The cbcontainers-dataplane namespace will show as Active.

How can I verify the CBC Container is working properly?

$ kubectl get pods -n cbcontainers-dataplane

Verify all components are running and active: Enforcer, State Reporter, and Operator.

How do I uninstall the CBC Container Operator?

You can delete your cluster from the CBC UI under the Inventory Tab.

Once the cluster is deleted, information will appear on how to remove the operator components.

Uninstall of Container Cluster CBC Operator


Summary and Additional Resources

Conclusion

This document provided answers to the most popular Carbon Black Container FAQs.


Additional Resources

For more information about Container, explore the Mastering Container Security activity path, which provides step-by-step guidance to help you increase your understanding of Carbon Black Container, including articles, videos, and labs.

You can also see the Carbon Black Container Security Overview, which provides a basic overview of containers along with a demo.

Authors and Contributors

This document was created by:
