If you use a strict policy for the Security scan integrated service, you may need to permit the use of images that do not meet the requirements of the policy. For example, you use the BlockRoot policy, but need to permit the admission of an image even though it runs with root privileges.

In Banzai Cloud Pipeline (Pipeline) you can whitelist specific Helm deployments using custom Kubernetes resource definitions (CRDs). The Security scan admission hook accepts any deployment that matches a whitelist element, regardless of its scan result.

Prerequisites

  • All resources included in a Helm Deployment must have the release-name label. If that’s missing, Pipeline automatically generates one from the name of the related ReplicaSet.
  • You must have the kubectl command-line tool installed. Managing whitelists is currently not possible on the web interface.

Whitelist a Helm deployment

To whitelist a Helm deployment, complete the following steps.

  1. Create a Custom Resource Definition (CRD). The CRD must include the following fields:

    • kind: WhiteListItem
    • name: The name of the whitelisted release.
    • creator: The Pipeline user who created the rule, so you can track who made an exception to the security policy for this release.
    • reason: The reason or justification for whitelisting this release.

    For example:

    apiVersion: security.banzaicloud.com/v1alpha1
    kind: WhiteListItem
    metadata:
      name: <name of helm release>
    spec:
      reason: <whitelisting reason>
      creator: <creator>
      # regexp: <optional>
    
  2. Apply the CRD to your cluster. For example:

    $ banzai cluster shell --cluster-name=image-scan -- kubectl apply -f - << EOF
    apiVersion: security.banzaicloud.com/v1alpha1
    kind: WhiteListItem
    metadata:
      name: busybox1
    spec:
      reason: testing
      creator: pbalogh-sa
    EOF
    

Get list of whitelisted deployments

To get the list of currently whitelisted deployments, run the kubectl get whitelistitems command. To also display who whitelisted each release and why, run the following command.

$ kubectl get whitelistitems -o=custom-columns=NAME:.metadata.name,CREATOR:.spec.creator,REASON:.spec.reason
NAME                       CREATOR                  REASON
my-whitelisted-release     alex-the-administrator   just-testing
my-whitelisted-release2    alex-the-administrator   just-testing

To display the details of a specific whitelisted release, run the following command.

$ kubectl get whitelistitem my-whitelisted-release -o yaml

Expected output:

  apiVersion: security.banzaicloud.com/v1alpha1
  kind: WhiteListItem
  metadata:
    clusterName: ""
    creationTimestamp: 2018-09-25T06:44:49Z
    name: my-whitelisted-release
    namespace: ""
    resourceVersion: "1981225"
    selfLink: /apis/security.banzaicloud.com/v1alpha1/my-whitelisted-release
    uid: 7f9a094d-c08e-11e8-b34e-42010a8e010f
  spec:
    creator: alex-the-administrator
    reason: just-testing
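Because every WhiteListItem is a standing exception to the scan policy, it is worth generating the manifests from a single place that enforces the creator and reason fields, and periodically auditing the items the cluster holds. The following added example (not part of the Pipeline documentation or code) does both: it builds a WhiteListItem manifest with the fields described in the steps above, and audits a constructed sample in the shape of `kubectl get whitelistitems -o json`, flagging items that lack an owner or justification or that are older than a chosen age. The regexp field is passed through untouched, since this page does not define its semantics.

```python
"""Build and audit WhiteListItem resources for the Pipeline security-scan admission hook.
Added example, not Banzai Cloud code; uses only the fields shown on this page."""
import json
from datetime import datetime, timedelta, timezone

API_VERSION = "security.banzaicloud.com/v1alpha1"
TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"  # creationTimestamp format seen in the YAML output above


def build_whitelist_item(name, creator, reason, regexp=None):
    """Return a WhiteListItem manifest; refuse exceptions without an owner and a reason."""
    for field, value in (("name", name), ("creator", creator), ("reason", reason)):
        if not value or not value.strip():
            raise ValueError(f"{field} is required for a WhiteListItem")
    spec = {"creator": creator, "reason": reason}
    if regexp:
        spec["regexp"] = regexp  # optional field per the page; semantics not defined here
    return {"apiVersion": API_VERSION, "kind": "WhiteListItem",
            "metadata": {"name": name}, "spec": spec}


def audit_whitelist(items_json, now_iso, max_age_days=30):
    """Return (name, problem) pairs for exceptions lacking creator/reason or older than max_age_days."""
    now = datetime.strptime(now_iso, TS_FORMAT).replace(tzinfo=timezone.utc)
    findings = []
    for item in json.loads(items_json)["items"]:
        name = item["metadata"]["name"]
        spec = item.get("spec", {})
        if not spec.get("creator"):
            findings.append((name, "missing creator"))
        if not spec.get("reason"):
            findings.append((name, "missing reason"))
        created = datetime.strptime(item["metadata"]["creationTimestamp"], TS_FORMAT)
        if now - created.replace(tzinfo=timezone.utc) > timedelta(days=max_age_days):
            findings.append((name, f"older than {max_age_days} days"))
    return findings


# Constructed sample in the shape of `kubectl get whitelistitems -o json`.
SAMPLE_LIST = json.dumps({"items": [
    {"metadata": {"name": "busybox1", "creationTimestamp": "2018-09-25T06:44:49Z"},
     "spec": {"creator": "pbalogh-sa", "reason": "testing"}},
    {"metadata": {"name": "legacy-app", "creationTimestamp": "2018-01-10T12:00:00Z"},
     "spec": {"creator": "alex-the-administrator"}},
]})

if __name__ == "__main__":
    print(json.dumps(build_whitelist_item("busybox1", "pbalogh-sa", "testing"), indent=2))
    for name, problem in audit_whitelist(SAMPLE_LIST, "2018-10-01T00:00:00Z"):
        print(f"{name}: {problem}")
```

Pipe the manifest into `kubectl apply -f -` and feed the audit with the live output of `kubectl get whitelistitems -o json`; each finding is an exception that should be re-justified or removed.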