TestDrive

Policy Action Violation Restriction

In this section we take the compromise of the containerised application a step further and show how CBC Container mitigates that risk once the policy is switched from an alerting posture to a blocking posture.

56. Restricting Policy Violation Actions

Now that you have exec access, you could take the attack further and expose or compromise the application itself. To understand the risk, and how CBC Container helps you mitigate it, we now move the policy from alert to block.

  • Navigate to Enforce > K8s Policies, select 'edit' on the policy you configured earlier, and hit 'Next'.
  • Under the Command dropdown, change the action for both Exec to container and Port Forwarding from Alert to Block.
  • Hit Next > Next > Save.

57. Run proxy command

Now we attempt the same actions on the second cluster, which is protected by the CBC Container security policy.

Try the local proxy command again to reach the exposed dashboard service. This time the request is denied by CBC Container Security with the message "Blocked by Kubernetes security policies":

kubectl port-forward -n myapp service/dashboard 8080:8080

58. List myapp Pod

Once again, list all pods in the myapp namespace.

Copy the name of the dashboard pod from the output (right-click or Ctrl + C); you need it for the next step.

kubectl get pods -n myapp

59. Access myapp Container

Attempt to exec into the dashboard container, substituting the pod name you copied (the `--` separates kubectl's own flags from the command to run in the container):

kubectl exec -it <dashboard-name> -n myapp -c dashboard -- bash

The request is denied by CBC Container Security with the same message, "Blocked by Kubernetes security policies".
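As an added example that is not part of the TestDrive lab, the following POSIX shell functions re-run the three actions from steps 57 to 59 non-interactively and classify kubectl's error text, so you can tell a CBC Container admission block apart from an ordinary RBAC Forbidden or a mistyped pod name. The denial text matched on ("Blocked by Kubernetes security policies") is the one quoted above; the sample error messages, the `timeout` bound on port-forward, and the function names are assumptions made for this example.

```shell
#!/usr/bin/env sh
# Added example, not CBC's or the TestDrive lab's own code.
# Classifies kubectl failures so a scripted check can prove the blocking
# posture is in force rather than, say, a broken kubeconfig.

# classify_kubectl_error <stderr text>
# Prints one of: blocked | forbidden | notfound | other
# The first pattern is the CBC Container admission denial quoted in the lab;
# the others are ordinary kubectl errors a practitioner should not confuse with it.
classify_kubectl_error() {
  msg="$1"
  case "$msg" in
    *"Blocked by Kubernetes security policies"*) echo blocked ;;
    *Forbidden*|*forbidden*)                     echo forbidden ;;  # RBAC denial
    *"not found"*)                               echo notfound ;;   # bad pod/service name
    *)                                           echo other ;;
  esac
}

# run_and_classify <command...>
# Runs the command, discards stdout, captures stderr, and prints a verdict.
# Prints "ok" when the command exits 0 (i.e. the action was permitted).
run_and_classify() {
  if err=$("$@" 2>&1 >/dev/null); then
    echo ok
  elif [ -n "$err" ]; then
    classify_kubectl_error "$err"
  else
    echo other
  fi
}

# verify_blocking_posture <namespace> <dashboard-pod-name>
# Re-runs steps 57-59: expect port-forward and exec to be "blocked" while a
# plain "get pods" stays "ok" (the policy only blocks the two command types).
# A *permitted* port-forward never exits on its own, so it is bounded with
# timeout(1) from coreutils (an assumption; the killed process reports "other").
verify_blocking_posture() {
  ns="$1"; pod="$2"
  echo "port-forward: $(run_and_classify timeout 10 kubectl port-forward -n "$ns" service/dashboard 8080:8080)"
  echo "get pods:     $(run_and_classify kubectl get pods -n "$ns")"
  # -i without -t: no TTY in a script; `true` is enough, the webhook decides
  # before any command runs inside the container.
  echo "exec:         $(run_and_classify kubectl exec -i "$pod" -n "$ns" -c dashboard -- true)"
}

# Usage (against the protected cluster, with the pod name copied in step 58):
#   verify_blocking_posture myapp <dashboard-name>
```

If "exec" comes back as `forbidden` instead of `blocked`, the denial came from Kubernetes RBAC, not from the CBC Container policy, which is worth knowing before you report the control as verified.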

60. View violations

In your local browser, refresh the Dashboard once again. The site is no longer reachable, because the port-forward that exposed it is now blocked: CBC Container Security has cut off access to the vulnerable application.

In the CBC Console, navigate to Harden > K8s Violations and review the block events, which confirm that the policy was enforced.

61. Access Network Map

For demonstration purposes, a Kubernetes cluster running on Azure is secured by your TestDrive VMware Carbon Black Cloud instance.

In the CBC Console, navigate to Inventory > Network, and in the cluster testdrive-network-map-demo click View map.

62. View Network Map

If nobody has browsed the application on this cluster in the last 24 hours, you should see no connections between the following two namespaces of the application:

  • acme-fe (frontend)
  • acme-be (backend)

63. Browse the demo app

Browse the shopping website; it is a demo of a modern application running on this Kubernetes cluster.

Click the Catalog menu and add a product to your cart to generate network traffic inside the application.

64. View Network Map

When no namespace is selected, the map shows:

  • Ingress: connections from NodePorts and LoadBalancers
  • Cross namespaces: connections between namespaces
  • Egress: connections to public and private destinations

65. View internal Network Map

Select the namespace acme-be to see all of its internal connections.
