Environment


Aqua CSP version >= 5.0

KubeEnforcer version >= 5.0, Kubernetes.
It is assumed that KubeEnforcer has already been deployed [1] [2] and is running in the cluster(s).


Depending on your use case, either the Enforcer(s) or the KubeEnforcer is expected to be running in the cluster(s) at any given time.
Deploying both components is possible but not necessary; it is largely redundant and currently adds little benefit.


Deployment Task


This KB article explains how to quickly configure KubeEnforcer to globally enforce the non-compliant and unregistered image RunTime policy controls against any image and the containers derived from it.


Deployment Steps


  1. KubeEnforcer settings can be configured either by editing the relevant KubeEnforcer group or, in a multi-cluster environment, for each KubeEnforcer that belongs to the same group.

    In either case make sure that:

    a. Enforce is selected
    b. Admission control is enabled
    c. Auto Discovery Configuration is set as required. In this example the image below shows Auto-scan disabled.

  2. Create a new container RunTime policy.
    a. The compatible and supported scopes for the KubeEnforcer are:
       - image.name
       - image.repo
       - container.image
    b. The supported controls are:
       - Block Non-compliant Images
       - Block Unregistered Images
    c. Set the Enforcement Mode to Enforce


  3. TRY TO RUN A NON-COMPLIANT IMAGE

    aqua@aqua-test:~$ kubectl run tomcat-pod --image=tomcat:latest -n berlin
    Error from server: admission webhook "imageassurance.aquasec.com" denied the request: [Aqua Security] Image is marked as non-compliant.

  4. TRY TO RUN A NON-REGISTERED IMAGE

    aqua@aqua-test:~$ kubectl run redis-pod --image=redis:latest -n berlin
    Error from server: admission webhook "imageassurance.aquasec.com" denied the request: [Aqua Security] Image is unregistered with Aqua server.
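The two manual checks above can be turned into a repeatable post-deployment verification. The following script is an added example and is not part of the Aqua KB article or the Aqua product: it attempts to run each test image, classifies the admission webhook's response using the exact denial messages shown above, and removes any pod that the webhook lets through. The namespace "berlin", the image names and the expected verdicts are constructed for this example; kubectl is assumed to be configured against the cluster where KubeEnforcer runs.

```shell
#!/bin/sh
# Added example (not from the Aqua KB article): verify that the KubeEnforcer
# admission webhook denies non-compliant and unregistered images.

# classify_denial: map the stderr text of a failed "kubectl run" to a verdict.
# Prints one of: non-compliant, unregistered, other-denial, allowed, error.
# The patterns match the webhook name and messages shown in the article.
classify_denial() {
  msg="$1"
  case "$msg" in
    *'imageassurance.aquasec.com'*'non-compliant'*) echo non-compliant ;;
    *'imageassurance.aquasec.com'*'unregistered'*)  echo unregistered ;;
    *'admission webhook'*'denied the request'*)      echo other-denial ;;
    '')                                              echo allowed ;;
    *)                                               echo error ;;
  esac
}

# check_image: try to create a pod from IMAGE in NAMESPACE and report what the
# admission controller did. If the pod is admitted it is deleted right away so
# the check leaves nothing behind. Only stderr is captured (2>&1 before >/dev/null).
check_image() {
  image="$1"; ns="$2"; name="$3"
  err=$(kubectl run "$name" --image="$image" -n "$ns" --restart=Never 2>&1 >/dev/null)
  rc=$?
  if [ "$rc" -eq 0 ]; then
    kubectl delete pod "$name" -n "$ns" --ignore-not-found >/dev/null 2>&1
    echo allowed
  else
    classify_denial "$err"
  fi
}

# verify_enforcement: run the table of (image, expected verdict) pairs and
# return non-zero if any image is not handled the way the policy requires.
# The image list and expectations are constructed for this example.
verify_enforcement() {
  ns="${1:-berlin}"
  failures=0
  for entry in "tomcat:latest non-compliant" "redis:latest unregistered"; do
    image=${entry% *}
    expected=${entry#* }
    pod="kubeenforcer-check-$(echo "$image" | tr -c 'a-z0-9' '-' | tr -s '-')"
    got=$(check_image "$image" "$ns" "$pod")
    if [ "$got" = "$expected" ]; then
      echo "OK   $image -> $got"
    else
      echo "FAIL $image -> $got (expected $expected)"
      failures=$((failures + 1))
    fi
  done
  return "$failures"
}

# Usage: sh verify-kubeenforcer.sh [namespace]; when executed directly the
# checks run, when sourced only the functions are defined.
case "$0" in
  *verify-kubeenforcer.sh) verify_enforcement "$1" ;;
esac
```

Run it as `sh verify-kubeenforcer.sh berlin` after changing the policy or the KubeEnforcer group settings; a FAIL line for either image means the admission webhook is not enforcing the control you expect, which is what you would otherwise only notice when a workload is deployed.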


Related information


[1] https://docs.aquasec.com/docs/deploy-the-kubeenforcer

[2] https://docs.aquasec.com/docs/aquactl-deploy-kubeenforcer