Deploy-time policies

Prevent the deployment of applications that violate workflow, configuration, or security best practices.

You can use the StackRox Kubernetes Security Platform to make sure that only trusted workloads are deployed to your clusters. The StackRox Kubernetes Security Platform includes multiple built-in policies that you can enforce during the Deploy stage. These policies act as preventive security controls for your clusters.

Go through the following evaluation scenarios to learn how to identify potential security risks in images at deploy time and act to protect your environment.

1. Block deployments that use privileged containers

Privileged containers have full access to the underlying host, and you should only use them in exceptional cases. You can configure the StackRox Kubernetes Security Platform to detect and reject violations of the principle of least privilege, including the use of privileged mode or additional Linux capabilities.

If you have enabled admission controller enforcement, the StackRox Kubernetes Security Platform instructs the cluster’s API server to reject the deployment. Otherwise, the StackRox Kubernetes Security Platform instructs the cluster to scale the noncompliant deployment to zero replicas.

  1. Navigate to Platform Configuration > System Policies.
  2. In the Policies view, enter Privileged Container in the filter box and press Enter.
  3. Select the Privileged Container policy.
  4. The Privileged Container policy is enabled by default; review the policy attributes.
  5. Select Next in the panel header to review the policy.
  6. Select Next again to review the enforcement options.
  7. Select On for Deploy enforcement behavior.
  8. Select Save.

After you enable this policy, the StackRox Kubernetes Security Platform checks the use of the privileged security option in all new deployments.

To check that this policy is working:

  1. Download the sample deployment specification file: deployment-spec-new-deployment.yaml.
  2. Use the deployment-spec-new-deployment.yaml file to create a new deployment:
    kubectl apply -f deployment-spec-new-deployment.yaml

When you run this command:

  • if you are using admission controller enforcement, the StackRox Kubernetes Security Platform instructs the Kubernetes API server to reject the deployment. The output lists the failure code and policy violation details.

    Error from server (Failed currently enforced policies from StackRox): error when creating "STDIN": admission webhook "policyeval.stackrox.io" denied the request:
    Policy: Violated 1 policies total. 1 enforced policy is described below:
    In case of emergency, add the annotation {"admission.stackrox.io/break-glass": "ticket-1234"} to your deployment with an updated ticket number
    
    Privileged Container
    - Description:
        ↳ Alert on deployments with containers running in privileged mode
    - Rationale:
        ↳ Containers running as privileged represent greater post-exploitation risk by
          allowing an attacker to access all host devices, run a daemon in the container,
          etc.
    - Remediation:
        ↳ Verify that privileged capabilities are required and cannot be provided with a
          subset of other controls.
    - Violations:
        - Privileged container found
  • if you aren’t using the admission controller, the StackRox Kubernetes Security Platform enforces the policy and instructs the cluster to scale the noncompliant deployment to zero replicas.

    26s    Normal    ScalingReplicaSet      Deployment   Scaled up replica set ubuntu-5abd4375b8 to 1
    25s    Warning   StackRox enforcement   Deployment   Deployment violated StackRox policy "Privileged Container" and was scaled down
    25s    Normal    ScalingReplicaSet      Deployment   Scaled down replica set ubuntu-5abd4375b8 to 0

2. Block deployments that misuse environment variables

Consider a microservice that connects to a database by using a username and a password or an API token. In such cases, the password (or token) should be kept private. However, sensitive data of this kind is sometimes stored in clear text in Kubernetes deployment YAML files.

The StackRox Kubernetes Security Platform can prevent the deployment of applications that mishandle sensitive data such as account keys, certificates, or passwords. Use the Secrets view to get information about the secrets in your environment, see whether they’re in use, and check whether they follow established policies.

Before you continue, you must configure authentication and the environment variables for the roxctl command-line client. See the Authentication and Common operations sections in the Use the roxctl CLI topic.

The following example demonstrates how the StackRox Kubernetes Security Platform prevents this misuse and encourages developers to use proper secrets management practices.

Start by configuring the Environment Variable Contains Secret policy.

  1. Navigate to Platform Configuration > System Policies.
  2. In the Policies view, enter Environment Variable Contains Secret in the filter box and press Enter.
  3. Select the Environment Variable Contains Secret policy.
  4. The Environment Variable Contains Secret policy is enabled by default; review the policy attributes.
  5. Select Next in the panel header to review the policy.
  6. Select Next again to review the enforcement options.
  7. Select On for Deploy enforcement behavior.
  8. Select Save.

To check that this policy is working:

  1. Download the sample deployment specification file: deployment-spec-with-secret.yaml. This file includes a secret access key in plaintext:
          containers:
          - name: ubuntu
            image: ubuntu:18.04
            env:
                - name: AWS_SECRET_ACCESS_KEY
                  value: "abcdefg"
  2. Use the roxctl command-line client to check this YAML configuration file before creating a deployment in Kubernetes. Run the following command to check the YAML configuration:
    ./roxctl -e "$ROX_CENTRAL_ADDRESS" deployment check --file ./deployment-spec-with-secret.yaml

The StackRox Kubernetes Security Platform checks the deployment configuration file and displays the following output:

✗ Deployment ubuntu failed policy 'Environment Variable Contains Secret'
- Description:
    ↳ Alert on deployments with environment variables that contain 'SECRET'
- Rationale:
    ↳ Using secrets in environment variables may allow inspection into your secrets
      from the host or even through the orchestrator UI.
- Remediation:
    ↳ Migrate your secrets from environment variables to orchestrator secrets or your
      security team's secret management solution.
- Violations:
    - Container Environment (key='AWS_SECRET_ACCESS_KEY', value='abcdefg') matched environment policy (key = '.*SECRET.*|.*PASSWORD.*')

If you are using admission controller enforcement, the StackRox Kubernetes Security Platform checks new deployments and blocks those that match the Environment Variable Contains Secret policy, as in the previous example, 1. Block deployments that use privileged containers.
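The two checks above can also be run as a pre-flight step in CI before anything reaches the cluster. The following Python script is an added example, not StackRox code: it evaluates a Deployment in JSON form (for instance the output of kubectl apply --dry-run=client -o json -f deployment.yaml) for privileged mode, added Linux capabilities, and literal environment values whose key matches the .*SECRET.*|.*PASSWORD.* pattern quoted in the violation output above. The sample manifest is constructed for the example.

```python
import json
import re

# Key pattern quoted in the page's violation output; compiled case-sensitively.
SECRET_KEY_RE = re.compile(r".*SECRET.*|.*PASSWORD.*")


def check_deployment(deployment: dict) -> list:
    """Evaluate one Deployment object (shape of `kubectl ... -o json`)
    against the two deploy-time checks and return the violations found."""
    findings = []
    name = deployment.get("metadata", {}).get("name", "<unnamed>")
    pod = deployment.get("spec", {}).get("template", {}).get("spec", {})
    for c in pod.get("containers", []) + pod.get("initContainers", []):
        cname = c.get("name", "<unnamed>")
        sc = c.get("securityContext") or {}
        # Check 1: privileged mode or extra Linux capabilities (least privilege).
        if sc.get("privileged") is True:
            findings.append(f"{name}/{cname}: Privileged container found")
        for cap in (sc.get("capabilities") or {}).get("add") or []:
            findings.append(f"{name}/{cname}: adds Linux capability {cap}")
        # Check 2: literal env values whose key looks like a secret. A valueFrom
        # reference to a Kubernetes Secret is the remediation, so it is not flagged.
        for env in c.get("env") or []:
            key = env.get("name", "")
            if "value" in env and SECRET_KEY_RE.fullmatch(key):
                findings.append(f"{name}/{cname}: env key '{key}' matched secret policy")
    return findings


def check_manifest_json(text: str) -> list:
    """Parse a JSON manifest (single object or a v1 List) and check each Deployment."""
    doc = json.loads(text)
    items = doc.get("items", []) if doc.get("kind") == "List" else [doc]
    return [f for d in items if d.get("kind") == "Deployment" for f in check_deployment(d)]


# Constructed sample, modelled on the page's ubuntu:18.04 examples (not a real manifest).
BAD_MANIFEST = json.dumps({
    "kind": "Deployment", "metadata": {"name": "ubuntu"},
    "spec": {"template": {"spec": {"containers": [{
        "name": "ubuntu", "image": "ubuntu:18.04",
        "securityContext": {"privileged": True, "capabilities": {"add": ["SYS_ADMIN"]}},
        "env": [{"name": "AWS_SECRET_ACCESS_KEY", "value": "abcdefg"},
                {"name": "DB_PASSWORD", "valueFrom": {"secretKeyRef": {"name": "db", "key": "pw"}}}],
    }]}}},
})

if __name__ == "__main__":
    for finding in check_manifest_json(BAD_MANIFEST) or ["no violations"]:
        print(finding)
```

Running it on the constructed manifest reports three findings; the DB_PASSWORD entry is not reported because it references a Secret instead of carrying a literal value.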

3. Block deployments of images that aren’t scanned

The StackRox Kubernetes Security Platform can block the deployment of container images that haven’t been scanned for vulnerabilities, either by the StackRox Scanner or by a third-party vulnerability scanner. Enforcing the use of vulnerability scanning is an important part of general security practice and of industry and regulatory standards such as NIST SP 800-190, PCI-DSS, and HIPAA.

  • See the Examine images section to learn more about discovering images running in your environment and determining whether they’re at risk.
  • See the Manage compliance section to understand how to run automated checks and validate compliance based on industry standards.
  • Before you begin, you must configure at least one vulnerability scanner and registry integration; otherwise this policy blocks all deployments. See the Integrate with image registries and Integrate with vulnerability scanners topics for more details.
  • Enforcing this policy blocks deployments that use images for which Central can’t retrieve image scan results.

  1. Navigate to Configure > System Policies.
  2. In the Policies view, enter Images with no scans in the filter box and press Enter.
  3. Select the Images with no scans policy.
  4. In the policy information panel header, select Edit.
  5. Turn on the Enable Policy toggle and review other policy attributes.
  6. Select Next in the panel header to review the policy.
  7. Select Next again to review the enforcement options.
  8. Select On for Deploy enforcement behavior.
  9. Select Save.

After you enable this policy, try to deploy an image with no scan results. For example, run the following command to deploy an image:

kubectl run --generator=run-pod/v1 heapster --image=gke.gcr.io/heapster:v1.7.0

When you run this command:

  • if you are using admission controller enforcement, the StackRox Kubernetes Security Platform instructs the Kubernetes API server to reject the deployment. The output lists the failure code and policy violation details.

    Error from server (Failed currently enforced policies from StackRox): admission webhook "policyeval.stackrox.io" denied the request:
    Policy: Violated 1 policies total. 1 enforced policy is described below:
    In case of emergency, add the annotation {"admission.stackrox.io/break-glass": "ticket-1234"} to your deployment with an updated ticket number
    
    Images with no scans
    - Description:
        ↳ Alert on deployments with images that have not been scanned
    - Rationale:
        ↳ Without a scan, there will be no vulnerability information for this image
    - Remediation:
        ↳ Configure the appropriate registry and scanner integrations so that StackRox can
          obtain scans for your images.
    - Violations:
        - Image has not been scanned
  • if you aren’t using the admission controller, the StackRox Kubernetes Security Platform enforces the policy and instructs the cluster to scale the noncompliant deployment to zero replicas.

    26s    Normal    ScalingReplicaSet      Deployment   Scaled up replica set heapster-5bdbf595b8 to 1
    25s    Warning   StackRox enforcement   Deployment   Deployment violated StackRox policy "Images with no scans" and was scaled down
    25s    Normal    ScalingReplicaSet      Deployment   Scaled down replica set heapster-5bdbf595b8 to 0


© 2021 StackRox Inc. All rights reserved.