Enable Deployment Firewall in Target Clusters

This is an optional step.

This page describes how to install opa-mgmt, the deployment firewall, for Kubernetes deployments. For background on OPA, refer to the OPA overview; refer to OPA Installation for the steps to install OPA.

Follow the steps given below to configure OPA in the target environment.

Extracting the Kubernetes Detector Secret

Kubernetes Detector can be installed in two different ways.

  • Kubernetes detectors can be installed in the target cluster if the user downloads and installs the in-cluster file from the SSD.

  • Kubernetes detectors can be installed where the SSD is hosted if the user downloads and installs the remote file from the SSD.

  1. Use the command below to get the secret value:

kubectl -n <namespace> get secret kubedetector -o yaml

An example of the secret value is shown below:

sai@opsmx-hyd-l-194:~$ kubectl -n <namespace> get secrets kubedetector -o yaml
apiVersion: v1
data:
  config.yaml: <base64-encoded config.yaml value>
kind: Secret
metadata:
  name: kubedetector-oescluster
  namespace: exceptions
type: Opaque

  2. Use any tool to decode the value of config.yaml, for example:

echo <value of the config.yaml> | base64 -d

An example of the decoded value is shown below:

token: eyJhbGciOiJSUzI1NiIsddddddddddddddJiODEtNDcyMy04MzM4LWIxMGVkOWQ1NGE2ZCIsInR5cCI6IkpXVCJ9.eyJptttttttttttttzc2Qub3BzbXguaW8iXSwiZXhwIjoxNzUsssssaaaaaaaaaaaaaaaJ0eXBlIjoic2VydmljZS1hY2NvdW50L3YxIiwib3JnSUQisssssssssssiwiaW5zdGFuY2UiOiIwNDU2NGVmNC1lY2U5LTQ2Y2ItOdddddddddddddGE4ZTgxOTllYjIifX0.UFY3E5It5Z9Bvx0SefffffffffffffffffffIuasXOWBTBRlX4ST-vjvu4rtYTtYtM_WtVq1q5nFHM3RFPOYqt4P5BMuvlWI5ddddddd4sSOBIwwmpVvBmRrWEdhFuT9mJYFxhT13MKkD27S95G4xxxxxxxxxxxxxwEDa4IpdYCtl573SQP2XwzxrfLGL9XcVFTTwemLLQNyEx0eJUcj7BigKS2zWdj5wOyUUMqoRcyHQwkuovuNQE9bWpfHuGzLYxyOLcC9eDiqYaWqRaLE1VsnyZ-c4q9PiMV82R6Y9q5X5CxYJ-EHY-1LFw
namespacesToAllow: #edit this to scan multiple namespaces
- default

  3. Copy only the token value and save it in a text editor.

Creation of Namespace:

Create the namespace using the command given below:

kubectl create ns ssd-firewall

Installation:

  1. Clone the repository below:

git clone https://github.com/opsmx/kube-mgmt.git

  2. Change to the charts directory:

cd kube-mgmt/charts

  3. Create a new file called custom-values.yaml and paste the content below into it:

# Update the SSD URL
ssdurl: <SSD.URL.COM>

## Update the Kubernetes Detector Secret Value
kubedetectorsecretvalue: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IlssssddddxxxxxhIiwiaWF0IjoxNTE2MjM5MDIyfQ.-eaE5t4l6DQHh4NQK4S_DBlMGd9h3ksvZXv6ObG1otE

In the above file, update the SSD URL and the Kubernetes Detector secret token value. Do not change the file name.

  4. Once the installation is done, run the command below to update the namespace label:

kubectl label ns <Update the target cluster namespace to be used for deploying the pods> opsmx-ssd.com/webhook=ignore

Once the above label is added, opa-mgmt allows or denies pods deployed into that namespace of the target cluster. The namespace into which the end user deploys pods must be listed under namespacesToAllow in the kubernetes-detector secret.
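As an added example (not part of the OpsMX documentation or the kube-mgmt chart), the shell script below automates the token extraction from the Extracting the Kubernetes Detector Secret section, builds custom-values.yaml from it, and checks whether a namespace is listed under namespacesToAllow as required above; the secret content, SSD URL and function names are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the OpsMX docs): pull the token out of the
# kubedetector secret's config.yaml, build custom-values.yaml from it,
# and check that a namespace is listed under namespacesToAllow.
# In a real cluster the base64 value would come from:
#   kubectl -n <namespace> get secret kubedetector -o jsonpath='{.data.config\.yaml}'
# Here the secret content is constructed so the script runs offline.

SAMPLE_CONFIG='token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.constructed.payload.sig
namespacesToAllow: #edit this to scan multiple namespaces
- default
- payments'

# The value exactly as it would appear under data.config.yaml in the Secret.
SAMPLE_B64=$(printf '%s\n' "$SAMPLE_CONFIG" | base64 | tr -d '\n')

# extract_token <base64-config>: decode and print only the token value.
extract_token() {
  printf '%s' "$1" | base64 -d | awk '$1 == "token:" { print $2; exit }'
}

# list_allowed_namespaces <base64-config>: print each namespacesToAllow entry.
list_allowed_namespaces() {
  printf '%s' "$1" | base64 -d \
    | awk '/^namespacesToAllow:/ { in_list = 1; next }
           in_list && /^- / { print $2 }
           in_list && !/^- / { in_list = 0 }'
}

# namespace_is_allowed <base64-config> <namespace>: succeed only if the
# namespace is listed, i.e. the firewall will actually evaluate pods there.
namespace_is_allowed() {
  list_allowed_namespaces "$1" | grep -qx -- "$2"
}

# write_custom_values <ssd-url> <token>: emit the custom-values.yaml body
# in the same layout the docs show, with the two fields filled in.
write_custom_values() {
  printf '# Update the SSD URL\nssdurl: %s\n\n' "$1"
  printf '## Update the Kubernetes Detector Secret Value\nkubedetectorsecretvalue: %s\n' "$2"
}

# Stand-alone usage: generate the values file for a placeholder SSD URL.
TOKEN=$(extract_token "$SAMPLE_B64")
write_custom_values "ssd.example.com" "$TOKEN"
namespace_is_allowed "$SAMPLE_B64" payments && echo "payments: allowed"
namespace_is_allowed "$SAMPLE_B64" kube-system || echo "kube-system: not listed"
```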

  5. In the UI, navigate to Policies -> Stage -> Artifact.

  6. Select Critical Vulnerability Prevention Policy. In the Actions column, change the action from Alert to Prevent so that it blocks critical vulnerabilities.

  7. Click Save Changes.

On the next run, if you try to deploy pods into the target namespace, the deployment firewall blocks them whenever a Prevent policy fails.
