Policy Action Violation Restriction

Updated on

In this section, we will further compromise your application running on a container and explain how CBC Container can help mitigate the risk using blocking posture

56. Restricting Policy Violation Actions

Now that you have exec access, you are able to take the execution steps further to expose and compromise the application. For the purpose of understanding your risk and how CBC Container can help you mitigate that risk we will move from alert into a blocking posture.

  • Navigate to Enforce > K8 Policies, click on the name of your configured Policy and click 'Next'.
  • Remove all rules using Remove All.
  • Under Command dropdown, Modify Exec to container and Port Forwarding to Block.
  • Select the right arrow to move Exec to container and Port Forwarding in the right panel.
  • Hit Next > Next > Save.

57. Run proxy command

Now we will attempt to take the same actions on our second cluster protected via CBC Container Security Policy. 

Let us try to execute the local proxy command again to reach the  exposed dashboard service. You will see that the request is denied by  CBC Container Security "Blocked by Kubernetes security policies".

kubectl port-forward -n myapp service/dashboard 8080:8080

58. List myapp Pod

Once again, list all pods.

Copy the App name (Highlighted in screenshot below) by using Right Click or Ctrl + C

kubectl get pods -n myapp

59. Access myapp Container

Attempt to Exec to dashboard app

kubectl exec -it <dashboard-name> -n myapp -c dashboard -- bash

You will see that the request is denied by CBC Container Security "Blocked by Kubernetes security policies"

60. View violations

On your local Browser, attempt to  refresh the Dashboard once again. You will not be able to access the  site anymore, verifying that CBC Container Security has restricted the  vulnerable application. 

Navigate to the CBC Console to Harden -> K8s Events -> Events and click on sign (>) to review the block notification verifying the enforcement of pod security standards.

61. Access Network Map

For demo purpose, a K8s cluster running on Azure is secured by your Testdrive VMware Carbon Black Cloud instance.

Navigate to the CBC Console to Inventory > Network, and in the cluster testdrive-network-map-demo click on View map

62. View Network Map

Select Manage map settings, and toggle View system namespaces to ON, to get a full map of all past 24-hours network connections of a cloud native application running on Azure.

63. Browse the demo app

Browse this shopping website, it is a modern application demo running on this Kubernetes cluster. 

Click on menu Catalog and add a product in your Cart to generate network traffic in the application.

64. View Network Map

When no namespace is selected, you have the visibility on:

  • Ingress: connections from NodePorts and LoadBalancers
  • Cross namespaces: connections between namespaces
  • Egress: connections to public and private destinations

65. View internal Network Map

Select the namespace acme-be, you will see all internal connections.

Previous Article Violation Alert Generation
Next Article Support