In this section, we will further compromise the application running in a container and show how CBC Container can help mitigate the risk by moving to a blocking posture.
56. Restricting Policy Violation Actions
Now that you have exec access, you could take the execution steps further to expose and compromise the application. To understand your risk and how CBC Container can help you mitigate it, we will move the policy from an alert posture to a blocking posture.
- Navigate to Enforce > K8 Policies and select 'Edit' on your configured Policy. Hit 'Next'.
- Under the Command dropdown, change Exec to container and Port Forwarding to Block.
- Hit Next > Next > Save.
57. Run proxy command
Now we will attempt to take the same actions on our second cluster, which is protected by the CBC Container Security policy.
Try to execute the local proxy command again to reach the exposed dashboard service. You will see that the request is denied by CBC Container Security with the message "Blocked by Kubernetes security policies".
kubectl port-forward -n myapp service/dashboard 8080:8080
58. List myapp Pod
Once again, list all pods.
Copy the dashboard pod name (highlighted in the screenshot below) using right click or Ctrl + C.
kubectl get pods -n myapp
59. Access myapp Container
Attempt to exec into the dashboard container:
kubectl exec -it <dashboard-name> -n myapp -c dashboard -- bash
You will see that the request is denied by CBC Container Security with the message "Blocked by Kubernetes security policies".
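As an added verification script (not part of the Carbon Black lab guide or the vendor's tooling), the following shell script repeats the exec and port-forward attempts from steps 57 to 59 against the protected cluster and classifies each outcome as allowed, blocked or error, matching on the denial string the lab shows. It assumes the `myapp` namespace, a `dashboard` container and a `dashboard` service exactly as in the lab; `run_kubectl`, `check_exec`, `check_port_forward`, `check_enforcement` and the `PF_WAIT` tunable are names of this example, not of kubectl or CBC Container.

```shell
#!/bin/sh
# Added verification script, not part of the Carbon Black lab guide.
# Assumptions: kubectl is on PATH and points at the protected cluster, the
# namespace is "myapp" and the container/service are named "dashboard" as in
# the lab; the denial text is taken from the lab text itself. run_kubectl()
# is a hypothetical wrapper that exists only so it can be overridden with a
# stub when exercising the script offline.
NAMESPACE="${NAMESPACE:-myapp}"
PF_WAIT="${PF_WAIT:-3}"      # seconds a port-forward must stay up to count as allowed
BLOCK_MSG="Blocked by Kubernetes security policies"

run_kubectl() { "${KUBECTL:-kubectl}" "$@"; }

# classify_result EXIT_CODE STDERR_TEXT -> prints blocked | allowed | error
# "error" covers failures unrelated to the policy (no such pod, expired
# credentials, ...) so a broken cluster is never reported as enforced.
classify_result() {
  rc="$1"; err="$2"
  if [ "$rc" -eq 0 ]; then
    echo allowed
  elif printf '%s' "$err" | grep -q "$BLOCK_MSG"; then
    echo blocked
  else
    echo error
  fi
}

# check_exec POD: attempt a harmless exec (runs `true`) and classify the outcome
check_exec() {
  pod="$1"; rc=0
  err=$(run_kubectl exec -n "$NAMESPACE" -c dashboard "$pod" -- true 2>&1 >/dev/null) || rc=$?
  classify_result "$rc" "$err"
}

# check_port_forward: a successful port-forward never exits on its own, so run
# it in the background; if it is still alive after PF_WAIT seconds it was allowed.
check_port_forward() {
  errfile=$(mktemp); rc=0
  run_kubectl port-forward -n "$NAMESPACE" service/dashboard 18080:8080 >/dev/null 2>"$errfile" &
  pid=$!
  sleep "$PF_WAIT"
  if kill -0 "$pid" 2>/dev/null; then
    # still running: the forward was established, so tear it down
    kill "$pid" 2>/dev/null; wait "$pid" 2>/dev/null || true
  else
    # exited early: collect its exit status for classification
    wait "$pid" || rc=$?
  fi
  err=$(cat "$errfile"); rm -f "$errfile"
  classify_result "$rc" "$err"
}

# check_enforcement POD: prints one line per control and succeeds only when
# both exec and port-forward were denied by the policy.
check_enforcement() {
  e=$(check_exec "$1"); p=$(check_port_forward)
  echo "exec:         $e"
  echo "port-forward: $p"
  [ "$e" = blocked ] && [ "$p" = blocked ]
}

# Usage: sh check_enforcement.sh <dashboard-pod-name>
if [ -n "${1:-}" ]; then check_enforcement "$1"; fi
```

The three-way result matters in practice: a missing pod or an expired kubeconfig also makes both commands fail, and a script that only checked exit codes would report that as enforcement. Only the policy's own denial text counts as "blocked".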
60. View violations
On your local browser, refresh the Dashboard once again. You will no longer be able to access the site, verifying that CBC Container Security has restricted the vulnerable application.
In the CBC Console, navigate to Harden > K8s Violations to review the block notification, verifying the enforcement of pod security standards.
61. Access Network Map
For demo purposes, a K8s cluster running on Azure is secured by your Testdrive VMware Carbon Black Cloud instance.
In the CBC Console, navigate to Inventory > Network, and in the cluster testdrive-network-map-demo click on View map.
62. View Network Map
If nobody has browsed this cluster in the last 24 hours, you should see no connection between the following two namespaces of the application:
- acme-fe (frontend)
- acme-be (backend)
63. Browse the demo app
Browse this shopping website; it is a modern demo application running on this Kubernetes cluster.
Click on the Catalog menu and add a product to your Cart to generate network traffic in the application.
64. View Network Map
When no namespace is selected, you have visibility into:
- Ingress: connections from NodePorts and LoadBalancers
- Cross namespaces: connections between namespaces
- Egress: connections to public and private destinations
65. View internal Network Map
Select the acme-be namespace to see all of its internal connections.