Carbon Black Cloud Container Security - FAQ

Overview

The VMware Carbon Black Cloud Container Frequently Asked Questions (FAQs) document provides answers to some of the most popular Container questions. We will continue to grow this list of FAQs so check back regularly for updates.

For more information about Container, explore the Mastering Container Security activity path, which provides step-by-step guidance to help you increase your understanding of Carbon Black Container, including articles, videos, and labs.

You can also see the Carbon Black Container Security Overview, which provides a basic overview of containers along with a demo.

Audience

This Container FAQ document is intended for existing or prospective Security administrators.

Operations

What Environments are Supported?
  • Kubernetes (open-source version on cloud or on-prem)
  • PKS/Tanzu
  • GKE (Google Kubernetes Engine)
  • AKS (Azure Kubernetes Service)
  • Amazon EKS
  • OpenShift (Red Hat)
Pre-Requisites for Installation
  1. Kubernetes Security DevOps or Super Admin role assigned to you on the Carbon Black Cloud console.
  2. Administrator privilege on your Kubernetes clusters
  3. Kubernetes clusters have an admission control plugin with ValidatingAdmissionWebhook enabled.
  4. Kubernetes clusters can be controlled using the Kubernetes command-line tool kubectl.
  5. The Kubernetes cluster nodes can reach the URL of the CBC environment for HTTPS requests on port 443. The URL is that of the CBC environment you are working with.
  6. The Kubernetes cluster nodes can access the Event Stream URL for gRPC traffic on port 443.
  7. The Kubernetes cluster nodes can pull container images from the Docker Hub registry.
Cluster Resource Utilization
  • 600MB of Memory
  • 1 CPU core available

Additional Resources: VMware provides an open source web interface to inspect Kubernetes workloads: https://octant.dev/ 

Can I integrate CBC into my Jenkins / CI/CD pipeline?

Yes, VMware Carbon Black Container can alert, block and scan within the CI/CD pipeline via cbctl. Capabilities include:

  • Automated scanning of container images for vulnerabilities
  • Validation of a K8s resource (such as a deployment file) against policy, flagging any violations

For example, in a Jenkins pipeline (figure).

Image Scanning

What is the cbctl (CLI Client)?

The Carbon Black Cloud CLI Client (cbctl) scans container images and reports their health to the Carbon Black Cloud console.

Cbctl can be leveraged to:

  • Scan images for known vulnerabilities
  • Validate an image against policy and return a list of violations
  • Validate a Kubernetes object against policy and return a list of violations

Reference the Developer Relations website for more information.

What kind of Commands can I run?
$ cbctl [TYPE] [command] [NAME] [flags]

Top Examples:

$ cbctl image validate docker.io/octarinesec/nginx:latest
$ cbctl k8s-object validate -f my_resource.yaml
$ cbctl k8s-object validate -f my_dir
$ cat my_resource.yaml | cbctl workload validate

What kinds of Images can I scan?

You can scan all Linux container images.
cbctl will display vulnerabilities for npm, java, dpkg, apkg, GO, and more. The full list of feeds is available here: https://docs.anchore.com/3.0/docs/overview/feeds/

Can I see Vulnerabilities across Endpoints, Workloads and Servers?

Yes, on the Harden > Vulnerabilities tab.

CBC Vulnerabilities View


Runtime policies

What is the learning period?

The learning period can be 1, 2 or 7 days.

During this period, workloads are monitored and a baseline of their behaviors is built.

Can I modify the baseline behavior?

Yes, after the learning period, you can access the baseline in the policy details, and you can add:

  • public domain name
  • public domain and subdomains
  • public IP range (CIDR)
  • private domain name
  • private domain and subdomains
  • private IP range (CIDR)

On the alert page, you can use the "Add to baseline" option to add a URL/IP to the baseline in one click.

Will I get alerts during the learning period?

No. During the learning period, CBC builds the baseline behaviors; alerts are only created after the learning period ends.

Can CBC detect malicious destinations?

Yes, CBC can detect a connection to a destination with a known malicious reputation and create an alert.

CBC uses a third-party service to categorize network connections; you can check the risk of a URL/IP here:
https://www.brightcloud.com/tools/url-ip-lookup.php

Can CBC scan vulnerabilities for all containers?

Yes, CBC can automatically scan all containers running in K8s clusters; this feature can be enabled or disabled.


Hardening Policies

What templated policies are offered?

CBC Container deploys with 3 templated policies: Basic, Restrictive, and CIS Benchmark.

Template: Basic
  • Industry Guidance: Kubernetes Baseline Pod Security Guidance
  • Notes: Easy Adoption; Prevents Privilege Escalation; Non-Critical Applications

Template: Restrictive
  • Industry Guidance: Kubernetes Restrictive Pod Security Guidance
  • Notes: Pod Hardening Best Practices; May inhibit some compatibility; Security Critical Applications -or- Low Trust Users

Template: CIS Benchmark 1.6.0
  • Industry Guidance: CIS Pod Security Guidance
  • Notes: Supports a Strong Security Posture; Focus on CIS section 5.2.x 'Pod Security Policies'

Can I create custom rules?

You can add custom rules for Kubernetes Hardening policies, in order to:

  • limit allowed container image registries
  • add MAPL (Manageable Access-control Policy Language) rules, see https://github.com/octarinesec/MAPL
  • for governance reasons, add organization-specific rules. For example, requiring the pod subnet to be 10.244.0.0/16 could be implemented with the following rule:
conditions:
 ANY:
   parentJsonpathAttribute: "jsonpath:$.spec.template.spec.containers"
   ANY:
     parentJsonpathAttribute: "jsonpath:$RELATIVE.env"
     AND:
       - attribute: "jsonpath:$RELATIVE.name"
         method: EQ
         value: "POD_SUBNET"
       - attribute: "jsonpath:$RELATIVE.value"
         method: NRE
         value: "10.244.*"
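
To make the rule's logic concrete, here is an added Python example (not MAPL's evaluator and not Carbon Black code) that re-implements the same check in plain Python: walk every container's env list and report a violation wherever an env var named POD_SUBNET has a value that does not match the page's pattern 10.244.*. The Deployment manifests are constructed inline, and the assumption that NRE is a regex match anchored at the start of the value is labelled in the code.

```python
import re

# Added example: mirrors the intent of the custom rule above in plain Python.
# It is NOT MAPL's evaluator; the manifests below are constructed samples.
# Assumption: MAPL's NRE behaves like a regex match anchored at the start of
# the value, so re.match is used with the page's pattern "10.244.*" verbatim.
RULE = {"env_name": "POD_SUBNET", "pattern": "10.244.*"}


def check_pod_subnet(manifest, rule=RULE):
    """Return one violation string per container whose POD_SUBNET env value
    does not match the allowed pattern. This follows the rule's nesting:
    ANY container -> ANY env entry -> (name EQ env_name AND value NRE pattern)."""
    regex = re.compile(rule["pattern"])
    containers = (manifest.get("spec", {})
                          .get("template", {})
                          .get("spec", {})
                          .get("containers", []))
    workload = manifest.get("metadata", {}).get("name", "<unnamed>")
    violations = []
    for container in containers:
        for env in container.get("env", []):
            if env.get("name") != rule["env_name"]:
                continue  # the AND only applies to the POD_SUBNET entry
            value = env.get("value", "")
            if regex.match(value) is None:  # NRE: value does NOT match
                violations.append(
                    f"{workload}/{container.get('name', '?')}: "
                    f"POD_SUBNET={value!r} does not match {rule['pattern']!r}")
    return violations


def make_deployment(name, env_value):
    """Constructed Deployment manifest with one container and one env var."""
    return {
        "kind": "Deployment",
        "metadata": {"name": name},
        "spec": {"template": {"spec": {"containers": [
            {"name": "app", "env": [{"name": "POD_SUBNET", "value": env_value}]}
        ]}}},
    }


if __name__ == "__main__":
    for m in (make_deployment("good", "10.244.0.0/16"),
              make_deployment("bad", "192.168.0.0/16")):
        print(m["metadata"]["name"], check_pod_subnet(m))
```

Note that with the pattern as written the unescaped dots also accept a value such as 10x244, and a container that sets no POD_SUBNET at all is never flagged; a stricter pattern such as ^10\.244\. and a second rule requiring the variable's presence would close both gaps.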

How do I apply policy on specific workloads?

Scopes can be used as filters or to apply the same security policies across the Kubernetes resources without affecting the rest of the setup.
A scope can be namespaces, cluster groups or clusters.

It is not possible to use K8s labels to define security scopes: labels are not a secure boundary, because RBAC cannot be used to restrict which users may assign which labels.

This is key to operating with confidence, as opposed to built-in admission controller rules, which historically applied policies in alphabetical order.

Container Scopes

Can I audit enforcement before applying new rules?

Yes. The Container policy workflow lets the administrator set each rule to either Alert or Enforce, and review the potential violations before enabling the newly configured rules.

Review Policy Violations

Can I limit container registries for Kubernetes?

Yes, you can create a custom rule to specify the registry domains that are allowed.

Please keep in mind that more than 51% of container images on Docker Hub contain vulnerabilities that can be exploited.


General

How do I install the CBC Operator?

Simply follow the Add Cluster guidance in the console and you will be able to install the operator on the cluster in 4 simple steps.

If you want to install the CBC operator on OpenShift, minikube or microk8s, you must override the KUBECTL environment variable before running the install commands, for example:

# For OpenShift
export KUBECTL="oc"

# For microk8s
export KUBECTL="microk8s kubectl"

# For minikube
export KUBECTL="minikube kubectl"


How do I upgrade the CBC Operator?

Check the operator version in CBC Console in the menu Inventory / Kubernetes / K8s cluster.

  • For operator versions prior to 2.0, you need to uninstall the old operator and install the new one.
  • For operator version 2.0 and above, you can update the operator using the "EDIT" feature in the dropdown menu in the "CLUSTER DETAILS" right panel.

How do I check if my cluster is protected by CBC?
$ kubectl get namespaces

cbcontainers-dataplane will show as Active.

How can I verify the CBC Container is working properly?
$ kubectl get pods -n cbcontainers-dataplane

Verify that all components (Enforcer, State Reporter, and Operator) are running and active.

How do I configure an HTTP proxy for CBC Container?

Follow the documentation below to configure an HTTP proxy for the CBC Container pods.

https://github.com/octarinesec/octarine-operator#using-http-proxy

How do I uninstall the CBC Container Operator?

You can delete your cluster from the CBC UI under the Inventory Tab.

Once the cluster is deleted, information will appear on how to remove the operator components.

Uninstall of Container Cluster CBC Operator


Summary and Additional Resources

Conclusion

This document provided answers to the most popular Carbon Black Container FAQs.


Additional Resources

For more information about Container, explore the Mastering Container Security activity path, which provides step-by-step guidance to help you increase your understanding of Carbon Black Container, including articles, videos, and labs.

You can also see the Carbon Black Container Security Overview, which provides a basic overview of containers along with a demo.

Authors and Contributors

This document was created by:
