Use the examples in this section to understand how run-time policies meet requirements for threat detection and prevention, and for incident investigation and response.
Package managers install or modify the installed software on a Linux host. Using a package manager such as apk (Alpine) or yum (RedHat) to modify a running container violates the immutable principle of containers.
You can use the StackRox Kubernetes Security Platform policies to detect and eliminate such run-time violations. These policies use kernel instrumentation to detect running processes and instruct Kubernetes to terminate the pod for enforcement. Replacing the affected pod keeps attackers from gaining a foothold in your environment while making sure Kubernetes accurately reflects the state of your applications.
Using Kubernetes to enforce run-time policy is preferable to enforcing rules directly within containers or in the container engine because it avoids the disconnect between the state that Kubernetes is maintaining and the state in which the container is operating. Since a run-time policy may detect only part of an attacker’s activity inside a container, removing the container eliminates the attack itself.
- Navigate to Platform Configuration > System Policies.
- In the Policies view, enter Ubuntu in the filter box and press Enter.
- Select the Ubuntu Package Manager Execution policy.
- In the policy information panel header, select Edit.
- Turn on the Enable Policy toggle and review other policy attributes.
- Select Next in the panel header to review the policy.
- Select Next again to review the enforcement options.
- Select On for runtime enforcement behavior.
- Select Save.
To test the policy, run the following commands:
Start a container that has a package manager installed:
kubectl run tmp-shell --labels="app=tmp-shell" --rm -i --tty --image ubuntu:18.04 -- /bin/bash
After the container starts and you get a running shell, try to run the package manager:
root@tmp-shell-65c98c7766-66fpw:/# apt update
When you run this command, the StackRox Kubernetes Security Platform evaluates the run-time policy and terminates the container.
You get the following error:
root@tmp-shell-65c98c7766-vf8wv:/# Session ended, resume using 'kubectl attach tmp-shell-65c98c7766-vf8wv -c tmp-shell -i -t' command when the pod is running
deployment.apps "tmp-shell" deleted
While the container is terminating, you can check its details by using the following command:
kubectl describe pod -l app=tmp-shell
Events:
  Type    Reason     Age   From                                              Message
  ----    ------     ----  ----                                              -------
  Normal  Scheduled  88s   default-scheduler                                 Successfully assigned default/tmp-shell-7b59d58854-kvkd7 to gke-cluster1-default-pool-13528726-ml91
  Normal  Pulled     87s   kubelet, gke-cluster1-default-pool-13528726-ml91  Container image "ubuntu:18.04" already present on machine
  Normal  Created    87s   kubelet, gke-cluster1-default-pool-13528726-ml91  Created container
  Normal  Started    87s   kubelet, gke-cluster1-default-pool-13528726-ml91  Started container
  Normal  Killing    2s    kubelet, gke-cluster1-default-pool-13528726-ml91  Killing container with id docker://tmp-shell:Need to kill Pod
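As an added helper that is not part of the StackRox documentation or product, the following Python script parses the Events section of `kubectl describe pod` output to confirm that enforcement actually killed the container and how long after it started; the sample event text is constructed from the output above, and the function and field names are assumptions of this example.

```python
import re

# Constructed sample, modelled on the `kubectl describe pod` Events shown above.
SAMPLE_EVENTS = """\
Events:
  Type    Reason     Age   From                                              Message
  ----    ------     ----  ----                                              -------
  Normal  Scheduled  88s   default-scheduler                                 Successfully assigned default/tmp-shell-7b59d58854-kvkd7 to gke-cluster1-default-pool-13528726-ml91
  Normal  Pulled     87s   kubelet, gke-cluster1-default-pool-13528726-ml91  Container image "ubuntu:18.04" already present on machine
  Normal  Created    87s   kubelet, gke-cluster1-default-pool-13528726-ml91  Created container
  Normal  Started    87s   kubelet, gke-cluster1-default-pool-13528726-ml91  Started container
  Normal  Killing    2s    kubelet, gke-cluster1-default-pool-13528726-ml91  Killing container with id docker://tmp-shell:Need to kill Pod
"""

# Columns are separated by runs of two or more spaces; "From" may contain a single space ("kubelet, node").
EVENT_RE = re.compile(r"^\s*(Normal|Warning)\s+(\S+)\s+(\S+)\s+(.+?)\s{2,}(.+)$")


def age_to_seconds(age: str) -> int:
    """Convert a kubectl age such as '88s', '2m3s' or '1h' to seconds."""
    units = {"d": 86400, "h": 3600, "m": 60, "s": 1}
    return sum(int(v) * units[u] for v, u in re.findall(r"(\d+)([dhms])", age))


def parse_events(text: str) -> list:
    """Return one dict per event row; header and separator lines are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if m:
            etype, reason, age, source, message = m.groups()
            events.append({"type": etype, "reason": reason, "age_s": age_to_seconds(age),
                           "from": source, "message": message})
    return events


def enforcement_summary(text: str) -> dict:
    """Report whether the kubelet killed the container after it started, and how long after."""
    events = parse_events(text)
    started = [e for e in events if e["reason"] == "Started"]
    killing = [e for e in events if e["reason"] == "Killing"]
    if not started or not killing:
        return {"enforced": False, "seconds_after_start": None}
    # Ages count backwards from "now", so elapsed time is the difference of the two ages.
    delta = started[-1]["age_s"] - killing[-1]["age_s"]
    return {"enforced": True, "seconds_after_start": delta, "message": killing[-1]["message"]}


if __name__ == "__main__":
    print(enforcement_summary(SAMPLE_EVENTS))
```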
To view violation details in the StackRox Portal:
- Select Violations from the left-hand navigation menu.
- Enter tmp-shell in the filter box and press Enter.
- Select the tmp-shell violation.
- Review violation details in the information panel.
If you have integrated StackRox with other tools such as PagerDuty, Jira, Splunk, or a generic webhook, the StackRox Kubernetes Security Platform also sends these violation alerts to them. You can also access the alerts by using the API.
After you address this violation, you can remove it from the violation list by marking it as resolved. To do this:
- Hover over the violation row and select the checkmark icon in the pop-up actions.