Aqua CSP version >= 5.0, KubeEnforcer version >= 5.0, Kubernetes.
It is assumed that KubeEnforcer has already been deployed and is running in the cluster(s).
Depending on your use case, either the Enforcer(s) or the KubeEnforcer is expected to be running in the cluster(s) at any given time. Deploying both components is possible but not necessary; it is somewhat redundant and currently adds little benefit.
This KB article explains how to quickly configure KubeEnforcer to globally enforce the non-compliant and unregistered image runtime policy controls against any image and the containers derived from it.
- KubeEnforcer settings can all be configured by editing the relevant KubeEnforcer group, or individually for each KubeEnforcer that belongs to the same group in a multi-cluster environment.
In either case, make sure that:
a. Enforce is selected
b. Admission control is enabled
c. Auto Discovery Configuration has been reviewed. In this example, the image below shows Auto-scan disabled.
- Create a new container RunTime policy.
a. The compatible and supported scopes for the KubeEnforcer are:
b. The supported controls are:
Block Non-compliant Images
Block Unregistered Images
c. Set the Enforcement Mode to Enforce
- TRY TO RUN A NON-COMPLIANT IMAGE
aqua@aqua-test:~$ kubectl run tomcat-pod --image=tomcat:latest -n berlin
Error from server: admission webhook "imageassurance.aquasec.com" denied the request: [Aqua Security] Image is marked as non-compliant.
- TRY TO RUN A NON-REGISTERED IMAGE
aqua@aqua-test:~$ kubectl run redis-pod --image=redis:latest -n berlin
Error from server: admission webhook "imageassurance.aquasec.com" denied the request: [Aqua Security] Image is unregistered with Aqua server.
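The two manual checks above can be turned into a repeatable smoke test that confirms the admission webhook is actually denying pods for the expected reason after a policy change. The script below is an added example and is not Aqua's code or part of this article's procedure. It assumes the webhook name and denial messages are exactly those shown above, and the image names and the berlin namespace are the article's own placeholders. The classification function works on captured kubectl output, so it can also be used offline on saved logs.

```shell
#!/bin/sh
# Added example (not Aqua's code): verify that KubeEnforcer admission control
# denies non-compliant and unregistered images for the expected reason.
# Assumes the webhook name and messages shown in the KB article.

# classify_admission_result "<kubectl output>"
# Prints one of: non-compliant | unregistered | allowed | other
classify_admission_result() {
  out="$1"
  case "$out" in
    *'imageassurance.aquasec.com'*'non-compliant'*) echo non-compliant ;;
    *'imageassurance.aquasec.com'*'unregistered'*)  echo unregistered ;;
    *'Error from server'*)                           echo other ;;        # denied, but not by this webhook
    *'created'*)                                     echo allowed ;;      # policy did not block the image
    *)                                               echo other ;;
  esac
}

# expect_denied <expected-class> <image> <namespace>
# Attempts a server-side dry run (which still passes through admission webhooks)
# and returns 0 only if the webhook denied the pod for the expected reason.
expect_denied() {
  expected="$1"; image="$2"; ns="$3"
  out=$(kubectl run "smoke-$$" --image="$image" -n "$ns" --dry-run=server 2>&1)
  got=$(classify_admission_result "$out")
  if [ "$got" = "$expected" ]; then
    echo "OK: $image -> $got"
    return 0
  fi
  echo "FAIL: $image expected $expected, got $got"
  echo "$out"
  return 1
}

# Usage against a live cluster (images and namespace from the article):
#   expect_denied non-compliant tomcat:latest berlin
#   expect_denied unregistered  redis:latest  berlin
```

If the webhook does not accept server-side dry runs, drop `--dry-run=server`; a denied pod is never created, and an unexpectedly allowed one should be deleted by the test. A result of `allowed` for either image means the policy is not in Enforce mode, admission control is off, or the KubeEnforcer group settings did not apply to this cluster.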