This page describes how to install opa-mgmt (the deployment firewall) for Kubernetes deployments. For background on OPA, refer to the OPA overview; for the steps to install OPA itself, refer to OPA Installation.
Follow the steps given below to configure OPA in the target environment.
Extracting the Kubernetes Detector Secret
The Kubernetes Detector can be installed in two different ways:
In the target cluster, if the user downloads and installs the in-cluster file from SSD.
Where SSD is hosted, if the user downloads and installs the remote file from SSD.
Use the command below to retrieve the secret value:
kubectl -n <namespace> get secret kubedetector -o yaml
token: eyJhbGciOiJSUzI1NiIsddddddddddddddJiODEtNDcyMy04MzM4LWIxMGVkOWQ1NGE2ZCIsInR5cCI6IkpXVCJ9.eyJptttttttttttttzc2Qub3BzbXguaW8iXSwiZXhwIjoxNzUsssssaaaaaaaaaaaaaaaJ0eXBlIjoic2VydmljZS1hY2NvdW50L3YxIiwib3JnSUQisssssssssssiwiaW5zdGFuY2UiOiIwNDU2NGVmNC1lY2U5LTQ2Y2ItOdddddddddddddGE4ZTgxOTllYjIifX0.UFY3E5It5Z9Bvx0SefffffffffffffffffffIuasXOWBTBRlX4ST-vjvu4rtYTtYtM_WtVq1q5nFHM3RFPOYqt4P5BMuvlWI5ddddddd4sSOBIwwmpVvBmRrWEdhFuT9mJYFxhT13MKkD27S95G4xxxxxxxxxxxxxwEDa4IpdYCtl573SQP2XwzxrfLGL9XcVFTTwemLLQNyEx0eJUcj7BigKS2zWdj5wOyUUMqoRcyHQwkuovuNQE9bWpfHuGzLYxyOLcC9eDiqYaWqRaLE1VsnyZ-c4q9PiMV82R6Y9q5X5CxYJ-EHY-1LFw
namespacesToAllow: #edit this to scan multiple namespaces
- default
Copy only the token value and keep it in a text editor.
Namespace Creation:
Create the namespace using the command given below:
kubectl create ns ssd-firewall
Installation:
Clone the repository below:
git clone https://github.com/opsmx/kube-mgmt.git
Change to the charts directory:
cd kube-mgmt/charts
Create a new file called custom-values.yaml and paste the following content into it:
# Update the SSD URL
ssdurl: <SSD.URL.COM>
## Update the Kubernetes Detector Secret Value
kubedetectorsecretvalue: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IlssssddddxxxxxhIiwiaWF0IjoxNTE2MjM5MDIyfQ.-eaE5t4l6DQHh4NQK4S_DBlMGd9h3ksvZXv6ObG1otE
In the above file, update the SSD URL and the Kubernetes Detector secret token value. Do not change the file name.
Once the installation is done, run the command below to update the namespace labels:
kubectl label ns <Update the target cluster namespace to be used for deploying the pods> opsmx-ssd.com/webhook=ignore
Once the above label is added, opa-mgmt allows or denies the pods being deployed into that namespace of the target cluster.
The namespace into which the end user deploys pods must be listed under namespacesToAllow in the kubernetes-detector secret.
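The manual steps above (copy only the token out of the kubedetector secret, write custom-values.yaml, and confirm the target namespace is under namespacesToAllow before deploying) as one small POSIX shell script. This is an added example, not code from the OpsMx docs or the kube-mgmt chart; the secret text and the SSD URL ssd.example.com are constructed sample data, and the script assumes the secret output has the plain-text layout shown on this page.

```shell
#!/bin/sh
# Added example, not part of the OpsMx kube-mgmt docs or the kube-mgmt chart.
# Automates the manual steps on this page: pull the token out of the
# kubedetector secret output, sanity-check it, confirm the target namespace
# is listed under namespacesToAllow, and render custom-values.yaml.
#
# Assumption: the secret output has the layout shown on this page (a plain
# "token:" line followed by a "namespacesToAllow:" list). If your cluster
# returns the value base64-encoded under "data:", decode it first.
# The secret text and SSD URL below are constructed sample data.

SAMPLE_SECRET_YAML='# constructed sample, shaped like the output shown on this page
token: eyJhbGciOiJIUzI1NiJ9.CONSTRUCTED-SAMPLE-PAYLOAD.CONSTRUCTED-SIGNATURE
namespacesToAllow: #edit this to scan multiple namespaces
- default
- payments'

# extract_token YAML: print only the token value (the part the page says to copy).
extract_token() {
  printf '%s\n' "$1" | sed -n 's/^[[:space:]]*token:[[:space:]]*//p' | head -n 1
}

# token_is_jwt_shaped TOKEN: succeed if the value is three dot-separated
# base64url segments. Catches a partial copy or stray whitespace before the
# value is pasted into custom-values.yaml.
token_is_jwt_shaped() {
  case "$1" in
    ""|*[!A-Za-z0-9._-]*) return 1 ;;
  esac
  [ "$(printf '%s\n' "$1" | awk -F. 'NR == 1 { print NF }')" -eq 3 ]
}

# namespace_allowed YAML NAMESPACE: succeed if NAMESPACE appears as a list
# item directly under namespacesToAllow (the condition stated above).
namespace_allowed() {
  printf '%s\n' "$1" | awk -v ns="$2" '
    /^[[:space:]]*namespacesToAllow:/ { inlist = 1; next }
    inlist && /^[[:space:]]*-[[:space:]]*/ {
      sub(/^[[:space:]]*-[[:space:]]*/, ""); sub(/[[:space:]]+$/, "")
      if ($0 == ns) found = 1
      next
    }
    inlist { inlist = 0 }
    END { exit found ? 0 : 1 }'
}

# render_values SSD_URL TOKEN: print custom-values.yaml in the layout the page shows.
render_values() {
  printf '# Update the SSD URL\nssdurl: %s\n' "$1"
  printf '## Update the Kubernetes Detector Secret Value\nkubedetectorsecretvalue: %s\n' "$2"
}

# Demo on the constructed sample. Against a real cluster, replace
# SAMPLE_SECRET_YAML with: secret_yaml=$(kubectl -n <namespace> get secret kubedetector -o yaml)
demo() {
  target_ns=payments
  token=$(extract_token "$SAMPLE_SECRET_YAML")
  token_is_jwt_shaped "$token" \
    || { echo "token does not look like a JWT; re-copy it" >&2; return 1; }
  namespace_allowed "$SAMPLE_SECRET_YAML" "$target_ns" \
    || { echo "$target_ns is not under namespacesToAllow; add it before deploying" >&2; return 1; }
  render_values "ssd.example.com" "$token"
}

demo
```

Redirect the output of demo to custom-values.yaml to produce the file the installation step expects. The namespace check fails early on purpose: if the namespace you will deploy into is missing from namespacesToAllow, the detector will not cover it, and finding that out here is cheaper than finding out after the pods are admitted.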
In the UI, navigate to Policies -> Stage -> Artifact.
Select Critical Vulnerability Prevention Policy. In the Actions column, change the action from Alert to Prevent so that critical vulnerabilities are blocked.
Click Save Changes.
On the next run, if you try to deploy pods to the target namespace, the deployment firewall blocks them if there are any prevent-policy failures.