Explore how to use the StackRox Kubernetes Security Platform to identify potential security risks in images during build time and act to protect your environment.
You can use the StackRox Kubernetes Security Platform to identify potential security vulnerabilities and misconfigurations before you deploy your containers. It helps you to identify and correct security issues at build time, which is faster, more secure, and less expensive than fixing them during later phases of the container lifecycle.
In a typical continuous integration and deployment (CI/CD) pipeline, application container images use a Linux base image that contains several common components and dependencies, along with your development build products. These additional components and dependencies may suffer from a variety of vulnerabilities, and if left unaddressed, they become a part of your runtime container environment.
You can use the StackRox Kubernetes Security Platform policies during build time in your CI/CD pipeline
to identify and control security risks in images before they run as a container.
You can configure build-time policies by using the
roxctl command-line tool.
For more information, see Use the CLI.
Go through the following evaluation scenarios to learn how to apply and use build-time policies.
This example demonstrates how the StackRox Kubernetes Security Platform build-time policies can fail a build process as soon as a severe vulnerability is identified in an image.
- Navigate to Platform Configuration > System Policies.
- In the Policies view, enter Fixable in the filter box and press Enter.
- For the Fixable CVSS >= 7 policy, note that the Lifecycle column lists both Build and Deploy. This means that the StackRox Kubernetes Security Platform detects the presence of this vulnerability in images at both stages.
- Select Fixable CVSS >= 7.
- Review policy attributes and note the Rationale and Remediation fields.
- In the policy information panel header, select Edit.
- Select Next in the panel header to review the policy effects on running deployments.
- Select Next again to review the enforcement options.
- Select On for both build and deploy enforcement behavior.
- Select Save.
After you enable this policy, you can use
roxctl to check any image which
violates this policy.
Before you proceed, you must:
- Generate an access token.
- Export the following variables:
export ROX_API_TOKEN=<api-token> export ROX_CENTRAL_ADDRESS=<address>:<port-number>
roxctl -e $ROX_CENTRAL_ADDRESS image check --image docker.io/vulnerables/cve-2017-7494
roxctl runs an image check, it requests Central to perform the check,
evaluate policy, and return the result. The result includes all policy
violations, policy rationale, and available remediation steps. Policy failure is
indicated by the process exit code, which is non-zero if the image violates any
policy marked for build-phase enforcement
and zero otherwise.
You can incorporate
roxctl into a CI/CD build pipeline, and configure your CI
system to stop building if
roxctl returns a non-zero exit code.
The StackRox Kubernetes Security Platform also includes a native Jenkins plugin.
This example showcases the StackRox Kubernetes Security Platform’s visibility and control over Kubernetes deployment attributes at build time, before an application is deployed, and how the StackRox Kubernetes Security Platform shortens the time to discover and correct workflow and configuration errors.
Consider the following
apiVersion: v1 kind: Service metadata: name: ubuntu-lb labels: app: ubuntu spec: ports: - port: 22 selector: app: ubuntu type: LoadBalancer --- apiVersion: apps/v1 kind: Deployment metadata: name: ubuntu labels: app: ubuntu spec: selector: matchLabels: app: ubuntu template: metadata: labels: app: ubuntu spec: containers: - name: ubuntu image: ubuntu:18.04 ports: - containerPort: 22
This file declares an example deployment from a public image, and attempts to expose the service on that deployment on TCP port 22, typically reserved for SSH.
roxctlto check this deployment, by using the
roxctl -e $ROX_CENTRAL_ADDRESS deployment check --file deployment.yaml
The output lists the failure code and policy violation details.
✗ Deployment ubuntu failed policy 'Secure Shell (ssh) Port Exposed' - Description: ↳ Alert on deployments exposing port 22, commonly reserved for SSH access. - Rationale: ↳ Port 22 is reserved for SSH access. SSH should not typically be used within containers. - Remediation: ↳ Ensure that non-SSH services are not using port 22. Ensure that any actual SSH servers have been vetted. - Violations: - Port '22' matched 22 - Protocol 'TCP' matched tcp
This demonstrates how the StackRox Kubernetes Security Platform finds deployment configuration errors and security policy violations early in the development process—before any deployment is created in a Kubernetes cluster.
We're happy to help! Reach out to us to discuss questions, issues, or feature requests.