Scanning for security vulnerabilities with Pipeline

Category: IT technology · Published: 4 years ago

At Banzai Cloud we always strive to make things simpler and to make complex services available to our customers. We try to reduce the complexity of setting up components and services by automating as much setup as possible - to expose these for users in a transparent, easy to understand manner.

This effort led us to introduce integrated services to the Banzai Cloud Pipeline platform. We have already written about what integrated services are, and we have also described a few of them, like automated public DNS management for Kubernetes clusters and cluster expiration.

Banzai Cloud Pipeline is a solution-oriented application platform which allows enterprises to develop, deploy, and securely scale container-based applications in multi- and hybrid-cloud environments. You can easily spin up a cluster on your favorite cloud provider and try the features the platform provides.

Integrated services are components available on the platform that are preconfigured with working defaults that provide basic functionality for operating clusters (for example, logging, monitoring, security scan, secret management, DNS, ingress, and backups).

This post describes the security scan integrated service.

tl;dr: you can simply enable the security scan integrated service for your cluster and make use of automatic pre-deployment or arbitrary on-demand image vulnerability scans.

Many of our clients come from domains where they need to comply with strict rules and regulations concerning security auditing and regular security upgrades. The security scan integrated service helps them by automating some of these processes.

What is the security scan integrated service

The service scans the container images that make up an application for possible security issues, and allows or denies deploying the application based on the results of the scan. It does so by engaging a service deployed on the Pipeline control plane (Anchore) and configuring a webhook with the desired security policies. After enabling the service, you can also trigger individual image scans to examine vulnerabilities.

You can find more details about the security scan mechanism in our container vulnerability scans and Image validation with Anchore blog posts.


Enabling the security scan integrated service

Like most of the integrated services, the security scan integrated service can be enabled from both the Banzai Cloud Pipeline web interface and the Banzai Cloud CLI tool.

Using the web interface

  1. Log in to your Pipeline web interface. If you don't have a Pipeline platform installed, you can register on our free developer preview installation and create a cluster there.

  2. Navigate to Cluster Management, then to the cluster you want to configure. A sidebar opens.

  3. In the sidebar, click Security scan.

  4. If you already have an Anchore engine installation that you want to use, select Use external Anchore engine and specify the URL and the secret used to access the engine.

  5. Select the security policy you want to use in the Settings > Policy field.

    • Allow all and warn bundle: This policy is the most permissive. Anything can be deployed, but you receive feedback about all the deployed images.
    • Reject critical bundle: Reject images that contain vulnerabilities with a Critical CVSS Severity Rating.
    • Reject high bundle: Reject images that contain vulnerabilities with a High CVSS Severity Rating.
    • Block root bundle: Prevent deploying images that contain apps running with root privileges.
    • Deny all images: Reject every image, except the ones explicitly permitted by a whitelist.
  6. Specify which namespaces should be scanned. By default, the scanning policy applies to every namespace (except the kube-system and pipeline-system namespaces, which cannot be scanned).

    • To specify the list of namespaces to scan, select Webhook settings > Type > Include, and select the namespaces to scan from the Namespaces field.
    • To specify a list of namespaces to exclude from the scan, and scan every other namespace, select Webhook settings > Type > Exclude, and select the namespaces that should not be scanned from the Namespaces field.
  7. Click ACTIVATE or SAVE ALL CHANGES.
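To make the interaction between the policy bundles of step 5 and the namespace selector of step 6 concrete, here is an added model of the admission decision (example code written for this post, not Banzai Cloud's or Anchore's own implementation). The scan results, policy names, and whitelist are constructed; the "Reject high" bundle is assumed to stop on High and Critical findings alike.

```python
# Added example: a model of how a policy bundle plus the include/exclude
# namespace selector turn one image scan into an allow/reject verdict.
from dataclasses import dataclass, field
from typing import List, Tuple

CRITICAL, HIGH = "Critical", "High"
NEVER_SCANNED = {"kube-system", "pipeline-system"}  # never evaluated by the webhook


@dataclass
class ScanResult:
    image: str
    severities: List[str]        # CVSS severity ratings of the findings
    runs_as_root: bool = False   # whether the image's process runs as root


@dataclass
class WebhookSettings:
    selector: str = "include"                       # "include" or "exclude"
    namespaces: List[str] = field(default_factory=list)  # empty include == all


def namespace_in_scope(ns: str, hook: WebhookSettings) -> bool:
    """Step 6: decide whether the webhook evaluates deployments into ns at all."""
    if ns in NEVER_SCANNED:
        return False
    if hook.selector == "exclude":
        return ns not in hook.namespaces
    return not hook.namespaces or ns in hook.namespaces


def evaluate(policy: str, scan: ScanResult, ns: str, hook: WebhookSettings,
             whitelist: Tuple[str, ...] = ()) -> Tuple[str, str]:
    """Step 5: return (verdict, reason) for one image under one policy bundle."""
    if not namespace_in_scope(ns, hook):
        return "ALLOW", f"namespace {ns} is not covered by the webhook"
    if policy == "allow-all-warn":
        return "ALLOW", f"{len(scan.severities)} finding(s) reported as warnings"
    if policy == "reject-critical" and CRITICAL in scan.severities:
        return "REJECT", "critical vulnerability present"
    # Assumption: the high bundle also stops on Critical (High and above).
    if policy == "reject-high" and any(s in (HIGH, CRITICAL) for s in scan.severities):
        return "REJECT", "high or critical vulnerability present"
    if policy == "block-root" and scan.runs_as_root:
        return "REJECT", "image runs with root privileges"
    if policy == "deny-all" and scan.image not in whitelist:
        return "REJECT", "image is not on the whitelist"
    return "ALLOW", "no policy rule matched"
```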

Using the Banzai CLI tool

Open a shell and run the following command:

% banzai cluster service securityscan activate

Complete the interactive wizard, or specify the options in a file or on standard input:

% banzai cluster service securityscan activate --file - <<EOF
{
  "policy": {
      "policyId": "97b33e2c-3b57-4a3f-a12b-a8c0daa472a0"
  }
}
EOF

Deactivate the Security scan integrated service

Using the web interface

On the integrated service details page, deactivate the service by clicking the deactivate button.

Using the Banzai CLI tool

Open a shell and run the following command:

% banzai cluster service securityscan deactivate

To demonstrate how to enable and use the security scan integrated service, let's do the following:

  1. Spin up a cluster on your favorite cloud provider with Pipeline.

  2. Enable the security scan integrated service (use the “built-in” Anchore to keep things simple).


    Note: Select the Deny all images policy (no deployments will be allowed).

  3. On the MAIN MENU > Single Cluster deployments page click CREATE, and try to deploy an arbitrary application (Helm chart) to the cluster.


  4. Since earlier we configured the security scan service to deny every image, the application in the deployments list should be in REJECTED state.


As expected, the application is in the REJECTED state.

By enabling the security scan integrated service you can easily ensure that the container images in the applications deployed to your cluster are secure. You can easily customize the security policy to fit the regulations and internal policies of your company.

For more details, check out the documentation of the Pipeline integrated services and the security scan integrated service.

Thank you for reading this post and please support us by starring our Pipeline GitHub repository, or by trying out the Banzai Cloud Pipeline platform for yourself.

About Banzai Cloud Pipeline

Banzai Cloud’s Pipeline provides a platform for enterprises to develop, deploy, and scale container-based applications. It leverages best-of-breed cloud components, such as Kubernetes, to create a highly productive, yet flexible environment for developers and operations teams alike. Strong security measures — multiple authentication backends, fine-grained authorization, dynamic secret management, automated secure communications between components using TLS, vulnerability scans, static code analysis, CI/CD, and so on — are default features of the Pipeline platform.
