In this section we configure Hardening policies, built from the templated policies, in the CBC Console for the K8s cluster.
Kubernetes default configurations, if left unmodified, expose an organization to a high level of risk; misconfigurations are the leading risk to workload environments. To reduce that risk, security teams should start by enforcing Pod Security Standards. The Pod Security Standards are defined by Kubernetes, and governance bodies such as CIS (through the CIS Kubernetes Benchmark) publish further guidance on which default configurations should be changed to improve security posture.
To start enforcing these Pod Security Standards, teams typically segment their environment into scopes (e.g. Dev, Production, Application) so that similar assets are protected uniformly. For this demonstration we will place your cluster in your own personal scope.
- Navigate to Inventory > Scopes
- Select 'Add Scope' in top right to get started.
A scope can focus on one of three resource types: Container images | Deployment locations | Applications. The more specific a scope is, the higher it sits in the hierarchy when policies are resolved.
For this walkthrough, set a name for the scope (e.g. <user>-scope) and select Deployment locations as the focus of the scope.
Add your cluster by selecting its name from the Clusters dropdown, then click Save.
Now that we have defined our demo scope, we will apply your preferred K8s Hardening Policies to it.
Navigate to Enforce > K8s Policies > Hardening Policies > Add Policy
You are now on the Rules page. It contains a variety of preconfigured rule sets that control K8s configurations in these categories: Workload Security, Network, Quota, RBAC, Volume, Command and CRD.
To get started we will use the templated policies, which encode the Pod Security Standards guidance.
Filter by the rule template 'Restricted' and select all 17 rules.
CBC Container Security provides several templated policies so that organizations can adopt baseline configuration standards as defined by Kubernetes and the CIS Benchmarks. These templated policies let customers enforce continuous compliance and retain governance and control over the security posture of containerized applications.
Once you have chosen the desired template policy hit Next.
When applying Pod Security Standards, organizations typically struggle to verify the operational impact the rules will have. CBC Container Security builds impact identification into the policy creation workflow.
Review the built-in violation simulation to see which existing workloads currently violate these rules, then either remediate those workloads or, where appropriate, exclude them or narrow the scope.
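To make the Pod Security Standards concrete and to show what the violation simulation is evaluating, here is an added example (not CBC Container Security code, and not a reproduction of CBC's 17 'Restricted' template rules): a small Python checker that implements the controls Kubernetes publishes for the Restricted profile and runs them over two constructed pod manifests, one typical legacy workload and its hardened counterpart. The manifest contents, names and images are assumptions made for the example.

```python
"""Added example: check pod manifests against the Kubernetes Pod Security
Standards 'Restricted' profile. Not CBC Container Security code; the two
manifests below are constructed for illustration."""
from typing import Any

# Volume types the Restricted profile permits; anything else (e.g. hostPath) is a violation.
RESTRICTED_VOLUME_TYPES = {
    "configMap", "csi", "downwardAPI", "emptyDir", "ephemeral",
    "persistentVolumeClaim", "projected", "secret",
}
ALLOWED_ADDED_CAPABILITIES = {"NET_BIND_SERVICE"}   # the only capability Restricted lets you add back
ALLOWED_SECCOMP_TYPES = {"RuntimeDefault", "Localhost"}


def _effective(pod_sc: dict, container_sc: dict, field: str) -> Any:
    """A container-level securityContext field overrides the pod-level one."""
    return container_sc[field] if field in container_sc else pod_sc.get(field)


def check_restricted(pod: dict) -> list[str]:
    """Return '[rule-id] message' findings; an empty list means the pod passes Restricted."""
    spec = pod.get("spec", {})
    name = pod.get("metadata", {}).get("name", "<unnamed>")
    pod_sc = spec.get("securityContext") or {}
    findings: list[str] = []

    # Baseline controls that Restricted inherits: host namespaces and volume types.
    for field in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(field):
            findings.append(f"[host-namespaces] {name}: spec.{field} must be false")
    for vol in spec.get("volumes") or []:
        for vtype in set(vol) - {"name"}:
            if vtype not in RESTRICTED_VOLUME_TYPES:
                findings.append(f"[volume-types] {name}: volume {vol.get('name')!r} uses disallowed type {vtype}")

    containers = ((spec.get("containers") or []) + (spec.get("initContainers") or [])
                  + (spec.get("ephemeralContainers") or []))
    for ctr in containers:
        cname = f"{name}/{ctr.get('name')}"
        sc = ctr.get("securityContext") or {}
        for port in ctr.get("ports") or []:
            if port.get("hostPort"):
                findings.append(f"[host-ports] {cname}: hostPort {port['hostPort']} is not allowed")
        if sc.get("privileged"):
            findings.append(f"[privileged] {cname}: privileged must be false")
        if sc.get("procMount") not in (None, "Default"):
            findings.append(f"[proc-mount] {cname}: procMount must be Default")
        # Restricted-only controls. Note that allowPrivilegeEscalation must be *explicitly* false.
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append(f"[privilege-escalation] {cname}: allowPrivilegeEscalation must be set to false")
        if _effective(pod_sc, sc, "runAsNonRoot") is not True:
            findings.append(f"[run-as-non-root] {cname}: runAsNonRoot must be true")
        if _effective(pod_sc, sc, "runAsUser") == 0:
            findings.append(f"[run-as-user] {cname}: runAsUser must not be 0")
        caps = sc.get("capabilities") or {}
        if "ALL" not in {c.upper() for c in caps.get("drop") or []}:
            findings.append(f"[capabilities] {cname}: capabilities.drop must include ALL")
        extra = set(caps.get("add") or []) - ALLOWED_ADDED_CAPABILITIES
        if extra:
            findings.append(f"[capabilities] {cname}: may only add NET_BIND_SERVICE, found {sorted(extra)}")
        seccomp = _effective(pod_sc, sc, "seccompProfile") or {}
        if seccomp.get("type") not in ALLOWED_SECCOMP_TYPES:
            findings.append(f"[seccomp] {cname}: seccompProfile.type must be RuntimeDefault or Localhost")
    return findings


# Constructed "before" manifest: the kind of workload the violation simulation would flag.
VULNERABLE_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "legacy-web"},
    "spec": {
        "hostNetwork": True,
        "volumes": [{"name": "docker-sock", "hostPath": {"path": "/var/run/docker.sock"}}],
        "containers": [{
            "name": "web", "image": "nginx:1.25",
            "ports": [{"containerPort": 80, "hostPort": 8080}],
            "securityContext": {"privileged": True, "runAsUser": 0},
            "volumeMounts": [{"name": "docker-sock", "mountPath": "/var/run/docker.sock"}],
        }],
    },
}

# Constructed "after" manifest: the same workload brought into the Restricted profile.
HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "hardened-web"},
    "spec": {
        "securityContext": {"runAsNonRoot": True, "runAsUser": 10001,
                            "seccompProfile": {"type": "RuntimeDefault"}},
        "volumes": [{"name": "cache", "emptyDir": {}}],
        "containers": [{
            "name": "web", "image": "nginxinc/nginx-unprivileged:1.25",
            "ports": [{"containerPort": 8080}],
            "securityContext": {"allowPrivilegeEscalation": False, "capabilities": {"drop": ["ALL"]}},
            "volumeMounts": [{"name": "cache", "mountPath": "/var/cache/nginx"}],
        }],
    },
}

if __name__ == "__main__":
    for pod in (VULNERABLE_POD, HARDENED_POD):
        result = check_restricted(pod)
        print(f"{pod['metadata']['name']}: {len(result)} finding(s)")
        for line in result:
            print("  " + line)
```

Two details are worth noticing when reading the simulation results: the Restricted profile requires allowPrivilegeEscalation to be set to false explicitly (an unset field is a violation, not a pass), and runAsNonRoot and seccompProfile may be satisfied at the pod level, but a container-level setting overrides it, so a single container that sets runAsNonRoot: false still fails.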