Build-time policies

Identify and prevent malicious containers during build-time.

2 minute read

Explore how to use the StackRox Kubernetes Security Platform to identify potential security risks in images during build time and act to protect your environment.

You can use the StackRox Kubernetes Security Platform to identify potential security vulnerabilities and misconfigurations before you deploy your containers. It helps you to identify and correct security issues at build time, which is faster, more secure, and less expensive than fixing them during later phases of the container lifecycle.

In a typical continuous integration and deployment (CI/CD) pipeline, application container images use a Linux base image that contains several common components and dependencies, along with your development build products. These additional components and dependencies may suffer from a variety of vulnerabilities, and if left unaddressed, they become a part of your runtime container environment.

You can use the StackRox Kubernetes Security Platform policies during build time in your CI/CD pipeline to identify and control security risks in images before they run as a container. You can configure build-time policies by using the roxctl command-line tool. For more information, see Use the CLI.

Go through the following evaluation scenarios to learn how to apply and use build-time policies.

1. Identify vulnerabilities in images

This example demonstrates how the StackRox Kubernetes Security Platform build-time policies can fail a build process as soon as a severe vulnerability is identified in an image.

Configure build-time policy enforcement

  1. Navigate to Platform Configuration > System Policies.
  2. In the Policies view, enter Fixable in the filter box and press Enter.
  3. For the Fixable CVSS >= 7 policy, note that the Lifecycle column lists both Build and Deploy. This means that the StackRox Kubernetes Security Platform detects the presence of this vulnerability in images at both stages.
  4. Select Fixable CVSS >= 7.
  5. Review policy attributes and note the Rationale and Remediation fields.
  6. In the policy information panel header, select Edit.
  7. Select Next in the panel header to review the policy effects on running deployments.
  8. Select Next again to review the enforcement options.
  9. Select On for both build and deploy enforcement behavior.
  10. Select Save.

After you enable this policy, you can use roxctl to check any image which violates this policy.

Before you proceed, you must:

  1. Generate an access token.
  2. Export the following variables:
    Copy
    export ROX_API_TOKEN=<api-token>
    export ROX_CENTRAL_ADDRESS=<address>:<port-number>
Copy
roxctl -e $ROX_CENTRAL_ADDRESS image check --image docker.io/vulnerables/cve-2017-7494

When roxctl runs an image check, it requests Central to perform the check, evaluate policy, and return the result. The result includes all policy violations, policy rationale, and available remediation steps. Policy failure is indicated by the process exit code, which is non-zero if the image violates any policy marked for build-phase enforcement and zero otherwise.

You can incorporate roxctl into a CI/CD build pipeline, and configure your CI system to stop building if roxctl returns a non-zero exit code. The StackRox Kubernetes Security Platform also includes a native Jenkins plugin.

2. Check if deployment uses privileged port

This example showcases the StackRox Kubernetes Security Platform’s visibility and control over Kubernetes deployment attributes at build time, before an application is deployed, and how the StackRox Kubernetes Security Platform shortens the time to discover and correct workflow and configuration errors.

  1. Consider the following deployment.yaml file.

    Copy
    apiVersion: v1
    kind: Service
    metadata:
      name: ubuntu-lb
      labels:
        app: ubuntu
    spec:
      ports:
        - port: 22
      selector:
        app: ubuntu
      type: LoadBalancer
    ---
    apiVersion: apps/v1 
    kind: Deployment
    metadata:
      name: ubuntu
      labels:
        app: ubuntu
    spec:
      selector:
        matchLabels:
          app: ubuntu
      template:
        metadata:
          labels:
            app: ubuntu
        spec:
          containers: 
          - name: ubuntu
            image: ubuntu:18.04
            ports:
            - containerPort: 22

    This file declares an example deployment from a public image, and attempts to expose the service on that deployment on TCP port 22, typically reserved for SSH.

  2. Use roxctl to check this deployment, by using the --file option.

    Copy
    roxctl -e $ROX_CENTRAL_ADDRESS deployment check --file deployment.yaml
  3. The output lists the failure code and policy violation details.

    Copy
    ✗ Deployment ubuntu failed policy 'Secure Shell (ssh) Port Exposed'
    - Description:
        ↳ Alert on deployments exposing port 22, commonly reserved for SSH access.
    - Rationale:
        ↳ Port 22 is reserved for SSH access. SSH should not typically be used within
          containers.
    - Remediation:
        ↳ Ensure that non-SSH services are not using port 22. Ensure that any actual SSH
          servers have been vetted.
    - Violations:
        - Port '22' matched 22
        - Protocol 'TCP' matched tcp

This demonstrates how the StackRox Kubernetes Security Platform finds deployment configuration errors and security policy violations early in the development process—before any deployment is created in a Kubernetes cluster.

Questions?

We're happy to help! Reach out to us to discuss questions, issues, or feature requests.

© 2021 StackRox Inc. All rights reserved.