In this section, we will take the compromise of the containerized application further and explain how CBC Container can help mitigate the risk by switching the policy to a blocking posture.
56. Restricting Policy Violation Actions
Now that you have exec access, you could take these steps further to expose and compromise the application. To understand that risk, and how CBC Container can help you mitigate it, we will move the policy from an alerting posture to a blocking posture.
- Navigate to Enforce > K8s Policies, click on the name of your configured policy and click 'Next'.
- Remove all rules using Remove All.
- Under the Command dropdown, set Exec to container and Port Forwarding to Block.
- Select the right arrow to move Exec to container and Port Forwarding into the right panel.
- Hit Next > Next > Save.
57. Run proxy command
Now we will attempt to take the same actions on our second cluster, which is protected by the CBC Container Security policy.
Let us try the local proxy command again to reach the exposed dashboard service. You will see that the request is denied by CBC Container Security with "Blocked by Kubernetes security policies".
kubectl port-forward -n myapp service/dashboard 8080:8080
58. List myapp Pod
Once again, list all pods.
Copy the app name (highlighted in the screenshot below) using Right Click or Ctrl + C.
kubectl get pods -n myapp
59. Access myapp Container
Attempt to exec into the dashboard app:
kubectl exec -it <dashboard-name> -n myapp -c dashboard -- bash
You will see that the request is denied by CBC Container Security with "Blocked by Kubernetes security policies".
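Steps 57 to 59 are a manual check that the two blocked commands really are blocked. The script below is an added example, not part of this lab guide or of Carbon Black's tooling: it runs the same port-forward and exec requests non-interactively and classifies each outcome from kubectl's exit code and stderr, using the "Blocked by Kubernetes security policies" message the lab describes. It assumes kubectl is on PATH with the current context pointing at the protected cluster, and it runs `id` inside the container instead of `bash` so the check cannot sit waiting for input. The one edge case worth handling is port-forward: when it is not blocked it never exits, so a timeout is treated as "allowed".

```python
"""Verify that exec and port-forward are blocked by the K8s policy.

Added example (not the lab's or Carbon Black's code). Assumes kubectl is on
PATH and the current context is the protected cluster; namespace, service and
container names are the lab's ("myapp", "dashboard").
"""
import shutil
import subprocess
import sys

# Message the lab says CBC Container Security returns on a blocked request.
BLOCK_MARKER = "Blocked by Kubernetes security policies"


def classify_kubectl_result(returncode, stderr, timed_out=False):
    """Map one kubectl run to 'blocked', 'allowed' or 'error'.

    A port-forward that is *not* blocked never exits on its own, so hitting
    the timeout means the policy let it through.
    """
    if timed_out:
        return "allowed"
    if BLOCK_MARKER in stderr:
        return "blocked"
    if returncode == 0:
        return "allowed"
    return "error"


def run_and_classify(args, timeout=10):
    """Run a kubectl command with a timeout and classify the outcome."""
    try:
        proc = subprocess.run(args, capture_output=True, text=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        # Still running after `timeout` seconds: the request was not blocked.
        return classify_kubectl_result(None, "", timed_out=True)
    return classify_kubectl_result(proc.returncode, proc.stderr)


def verify_enforcement(pod_name, namespace="myapp", container="dashboard"):
    """Exercise both blocked actions and return {action: verdict}."""
    checks = {
        "port-forward": ["kubectl", "port-forward", "-n", namespace,
                         "service/dashboard", "8080:8080"],
        # `id` instead of `bash`: harmless and non-interactive.
        "exec": ["kubectl", "exec", pod_name, "-n", namespace,
                 "-c", container, "--", "id"],
    }
    return {name: run_and_classify(args) for name, args in checks.items()}


if __name__ == "__main__":
    if shutil.which("kubectl") is None or len(sys.argv) < 2:
        sys.exit("usage: python verify_block.py <dashboard-pod-name>  (kubectl required)")
    results = verify_enforcement(sys.argv[1])
    for action, verdict in results.items():
        print(f"{action}: {verdict}")
    # Non-zero exit if either action was not blocked, so this can gate a pipeline.
    sys.exit(0 if all(v == "blocked" for v in results.values()) else 1)
```

Run it as `python verify_block.py <dashboard-name>` after switching the policy to Block; both lines should read "blocked". Running it before the policy change should show "allowed" for both, which is the alert-only behaviour from the earlier steps.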
60. View violations
On your local browser, refresh the Dashboard once again. You will no longer be able to access the site, verifying that CBC Container Security has restricted access to the vulnerable application.
Navigate in the CBC Console to Harden > K8s Events > Events and click the (>) sign to review the block notification, verifying the enforcement of pod security standards.
61. Access Network Map
For demo purposes, a K8s cluster running on Azure is secured by your Testdrive VMware Carbon Black Cloud instance.
Navigate in the CBC Console to Inventory > Network and, in the cluster testdrive-network-map-demo, click on View map.
62. View Network Map
Select Manage map settings and toggle View system namespaces to ON to get a full map of all network connections from the past 24 hours for a cloud-native application running on Azure.
63. Browse the demo app
Browse this shopping website; it is a modern demo application running on this Kubernetes cluster.
Click on the Catalog menu and add a product to your Cart to generate network traffic in the application.
64. View Network Map
When no namespace is selected, you have visibility of:
- Ingress: connections from NodePorts and LoadBalancers
- Cross namespaces: connections between namespaces
- Egress: connections to public and private destinations
65. View internal Network Map
Select the namespace acme-be to see all of its internal connections.
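Steps 62, 64 and 65 describe three views of the same connection data: the system-namespace toggle, the cluster-wide buckets (ingress, cross-namespace, egress to public or private destinations) and the per-namespace internal view. The example below is added here and is not the lab's or Carbon Black's code; it reproduces that grouping over a constructed set of flow records so you can see how each connection lands in a bucket. The record fields (src_namespace, dst_namespace, dst_ip) and the sample flows are assumptions, not the CBC data model. It generalizes a little beyond the text by deciding public versus private egress from the destination address.

```python
"""Group cluster connections the way the Network Map presents them.

Added example, not part of the lab guide or of Carbon Black's product code.
Field names and the sample flows below are constructed assumptions.
"""
import ipaddress
from collections import defaultdict

# Namespaces hidden unless "View system namespaces" is ON (assumed set).
SYSTEM_NAMESPACES = {"kube-system", "kube-public", "kube-node-lease"}

# Constructed sample: a few flows a day of shopping on the demo app might produce.
# src_namespace None = traffic entering from outside; dst_namespace None = leaving.
CONNECTIONS = [
    {"src_namespace": None, "dst_namespace": "acme-fe", "dst_ip": "10.0.1.10"},    # LoadBalancer
    {"src_namespace": None, "dst_namespace": "acme-fe", "dst_ip": "10.0.1.10"},    # NodePort
    {"src_namespace": "acme-fe", "dst_namespace": "acme-be", "dst_ip": "10.0.2.4"},
    {"src_namespace": "acme-be", "dst_namespace": "acme-be", "dst_ip": "10.0.2.7"},
    {"src_namespace": "acme-be", "dst_namespace": None, "dst_ip": "52.0.0.1"},      # public
    {"src_namespace": "acme-be", "dst_namespace": None, "dst_ip": "10.200.5.9"},    # private
    {"src_namespace": "kube-system", "dst_namespace": "acme-be", "dst_ip": "10.0.2.4"},
]


def classify(conn):
    """Return the Network Map bucket for one connection."""
    if conn["src_namespace"] is None:
        # Entering the cluster through a NodePort or LoadBalancer.
        return "ingress"
    if conn["dst_namespace"] is None:
        # Leaving the cluster: split by whether the destination is RFC 1918 space.
        kind = "private" if ipaddress.ip_address(conn["dst_ip"]).is_private else "public"
        return f"egress-{kind}"
    if conn["src_namespace"] == conn["dst_namespace"]:
        return "internal"
    return "cross-namespace"


def touches_system_namespace(conn):
    return conn["src_namespace"] in SYSTEM_NAMESPACES or conn["dst_namespace"] in SYSTEM_NAMESPACES


def cluster_view(conns, show_system=False):
    """Bucket counts for the no-namespace view (internal edges are not shown there)."""
    counts = defaultdict(int)
    for conn in conns:
        if not show_system and touches_system_namespace(conn):
            continue
        bucket = classify(conn)
        if bucket != "internal":
            counts[bucket] += 1
    return dict(counts)


def namespace_view(conns, namespace):
    """Connections shown when one namespace is selected: its internal edges."""
    return [c for c in conns
            if c["src_namespace"] == namespace and classify(c) == "internal"]


if __name__ == "__main__":
    print("system namespaces hidden:", cluster_view(CONNECTIONS))
    print("system namespaces shown: ", cluster_view(CONNECTIONS, show_system=True))
    print("acme-be internal edges:  ", namespace_view(CONNECTIONS, "acme-be"))
```

With the system toggle off, the kube-system flow disappears from the cross-namespace count, which is why step 62 turns it on before reading the full map; selecting acme-be then shows only the edges that never leave that namespace.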