If you use a strict policy for the Security scan integrated service, you may need to permit images that do not meet the requirements of the policy. For example, you use the BlockRoot policy, but need to admit an image even though it runs with root privileges.
In Banzai Cloud Pipeline (Pipeline) you can whitelist specific Helm deployments using custom Kubernetes resource definitions (CRDs). The Security scan admission hook accepts deployments that match any of the whitelist elements, regardless of their scan results.
Prerequisites
- All resources included in a Helm deployment must have the release-name label. If it is missing, Pipeline automatically generates one from the name of the related ReplicaSet.
- You must have the kubectl command-line tool installed. Managing whitelists is currently not possible on the web interface.
Whitelist a Helm deployment
To whitelist a Helm deployment, complete the following steps.

- Create a Custom Resource Definition (CRD). The CRD must include the following fields:
  - kind: WhiteListItem
  - name: The name of the whitelisted release.
  - creator: The Pipeline user who created the rule, so you can track who made an exception to the security policy for this release.
  - reason: The reason or justification for whitelisting this release.

  For example:

  ```yaml
  apiVersion: security.banzaicloud.com/v1alpha1
  kind: WhiteListItem
  metadata:
    name: <name of helm release>
  spec:
    reason: <whitelisting reason>
    creator: <creator>
    regexp: <optional>   # optional field
  ```

- Apply the CRD to your cluster. For example:

  ```bash
  $ banzai cluster shell --cluster-name=image-scan -- kubectl apply -f - << EOF
  apiVersion: security.banzaicloud.com/v1alpha1
  kind: WhiteListItem
  metadata:
    name: busybox1
  spec:
    reason: testing
    creator: pbalogh-sa
  EOF
  ```
Get list of whitelisted deployments
To get the list of currently whitelisted deployments, run the `kubectl get whitelistitems` command. To display who has whitelisted them and why, run the following command (a later `-o` overrides an earlier one, so only the custom-columns output format is needed).

```bash
$ kubectl get whitelistitems -o=custom-columns=NAME:.metadata.name,CREATOR:.spec.creator,REASON:.spec.reason
NAME                      CREATOR                  REASON
my-whitelisted-release    alex-the-administrator   just-testing
my-whitelisted-release2   alex-the-administrator   just-testing
```
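As an added example (not part of the Pipeline documentation or code), the following Python script reviews the JSON form of that listing (`kubectl get whitelistitems -o json`) from the reviewer's side: it flags exceptions with no creator or reason, pattern-based entries, and stale entries, and reports which WhiteListItem would make the admission hook accept a given release. It assumes that an item matches a release by exact `metadata.name` or by its optional `spec.regexp` fully matching the release name; the sample items are constructed.

```python
import json
import re
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like `kubectl get whitelistitems -o json` (not real cluster data).
SAMPLE = json.loads("""
{"items": [
  {"metadata": {"name": "my-whitelisted-release", "creationTimestamp": "2018-09-25T06:44:49Z"},
   "spec": {"creator": "alex-the-administrator", "reason": "just-testing"}},
  {"metadata": {"name": "legacy-apps", "creationTimestamp": "2018-09-25T06:44:49Z"},
   "spec": {"creator": "alex-the-administrator", "reason": "vendor image needs root",
            "regexp": "legacy-.*"}},
  {"metadata": {"name": "busybox1", "creationTimestamp": "2018-09-25T06:44:49Z"},
   "spec": {"reason": "testing"}}
]}
""")

def is_exempt(release_name, items):
    # Assumption (not stated on the page): an item matches when its metadata.name equals
    # the release name or its optional spec.regexp fully matches the release name.
    for item in items["items"]:
        name = item["metadata"]["name"]
        pattern = item.get("spec", {}).get("regexp")
        if release_name == name or (pattern and re.fullmatch(pattern, release_name)):
            return name  # this entry makes the admission hook accept the release
    return None

def audit_whitelist(items, now=None, max_age_days=30):
    # Flag exceptions a reviewer should revisit: missing creator or reason,
    # regexp entries (they exempt every matching release) and stale entries.
    now = now or datetime.now(timezone.utc)
    findings = []
    for item in items["items"]:
        name, spec = item["metadata"]["name"], item.get("spec", {})
        for field in ("creator", "reason"):
            if not spec.get(field):
                findings.append((name, f"missing {field}"))
        if spec.get("regexp"):
            findings.append((name, f"regexp '{spec['regexp']}' exempts every matching release"))
        created = datetime.strptime(item["metadata"]["creationTimestamp"],
                                    "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if now - created > timedelta(days=max_age_days):
            findings.append((name, f"older than {max_age_days} days; re-validate the exception"))
    return findings

if __name__ == "__main__":
    for name, issue in audit_whitelist(SAMPLE):
        print(f"{name}: {issue}")
    print("legacy-billing exempted by:", is_exempt("legacy-billing", SAMPLE))
```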
To display the details of a specific whitelisted release, run the following command.

```bash
kubectl get whitelistitem my-whitelisted-release -o yaml
```

Expected output:

```yaml
apiVersion: security.banzaicloud.com/v1alpha1
kind: WhiteListItem
metadata:
  clusterName: ""
  creationTimestamp: 2018-09-25T06:44:49Z
  name: my-whitelisted-release
  namespace: ""
  resourceVersion: "1981225"
  selfLink: /apis/security.banzaicloud.com/v1alpha1/my-whitelisted-release
  uid: 7f9a094d-c08e-11e8-b34e-42010a8e010f
spec:
  creator: alex-the-administrator
  reason: just-testing
```