Admission Control

An admission controller is a piece of code that intercepts requests to the Kubernetes API server after the request has been authenticated and authorized but before the object is persisted. If the controller rejects the request, the entire request is rejected immediately and an error is returned to the end user.

CloudGuard admission control uses a validating admission webhook to enforce the policies that users define in the CloudGuard portal or via the CloudGuard APIs.

Instructions

1. Navigate to the Admission Control > Rulesets section in the Workload Protection tab.

2. In the top right corner, click Add Ruleset.

3. Enter the following Name: Chain of Trust and click Create.

4. Click on + New Use Case.

5. Select the following Use Case:

   Chain of Trust Protection – Images must be deployed from a pre-defined list of registries.

6. Click on Free text and paste the following:

   KubernetesPod should have spec.containers contain-all [ image like 'quay.io/checkpoint/%' ]

   Click Done.

7. Enter the following Title: Chain of Trust Protection – Images must be deployed from a pre-defined list of registries, then click Save.

8. Navigate to the Admission Control > Policies section. Click on Add policy, choose Environment Policy, and apply the new ruleset to your cluster.

9. Choose the Chain of Trust ruleset and click NEXT.

10. Choose Prevention Mode and click NEXT.

11. Choose Logic-Default-Console-Notification, which sends the alerts to the console, and click SAVE.

    Note - It can take up to 2 minutes for the policy to take effect.

12. Execute the following command in the SSH window on the Kubernetes Server to test your prevention rule:

    kubectl create deployment nginx --image=nginx

    You will see the following error message in the SSH window:

    root@k8s-cluster:~# kubectl create deployment nginx --image=nginx
    Error from server: admission webhook "cloudguard-enforcer-webhook.cloudguard.checkpoint.com" denied the request: [CloudGuard] The request has been blocked according to the GSL rule: 'Chain of Trust Protection – Images must be deployed from a pre-defined list of registries'

13. Navigate to the Threat & Security Events section in the Events tab and review the alert that was created.
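The following Python is an added example, not CloudGuard's or Check Point's code, that reproduces the check the ruleset above performs: a validating admission webhook handler that receives a Kubernetes AdmissionReview, pulls the pod spec out of a Pod or out of a workload's pod template (which is what `kubectl create deployment` submits), evaluates every container image against the LIKE pattern from step 6 with "contain-all" semantics, and returns the allow/deny response the API server expects. It assumes that GSL `like` uses the SQL LIKE wildcards `%` and `_`, goes beyond the page's rule by also checking initContainers, and runs on a constructed AdmissionReview that mirrors the `kubectl create deployment nginx --image=nginx` request from step 12 (the bare image `nginx` is not under `quay.io/checkpoint/`, so it is denied). The function and variable names (`review`, `make_review_request`, `ALLOWED_IMAGE_PATTERNS`) are this example's own.

```python
"""Validating admission webhook logic that mirrors the 'Chain of Trust' rule.

Added example, not CloudGuard's or Check Point's code. It evaluates
  KubernetesPod should have spec.containers contain-all [ image like 'quay.io/checkpoint/%' ]
over a Kubernetes AdmissionReview and returns the AdmissionReview response
an API server expects from a validating webhook.
"""
import json
import re

# Allow-list taken from the ruleset in step 6 (a list so more registries can be added).
ALLOWED_IMAGE_PATTERNS = ["quay.io/checkpoint/%"]
RULE_TITLE = "Chain of Trust Protection – Images must be deployed from a pre-defined list of registries"


def like_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate a LIKE pattern into an anchored regex.

    Assumption: GSL 'like' uses SQL LIKE wildcards, '%' (any run of characters)
    and '_' (exactly one character); everything else, including '.', is literal.
    Anchoring both ends is what stops 'evil.example/quay.io/checkpoint/x' from matching.
    """
    parts = []
    for ch in pattern:
        if ch == "%":
            parts.append(".*")
        elif ch == "_":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$")


def image_allowed(image: str, patterns=ALLOWED_IMAGE_PATTERNS) -> bool:
    """True if the image reference matches at least one allowed pattern."""
    return any(like_to_regex(p).match(image) for p in patterns)


def extract_pod_spec(obj: dict) -> dict:
    """Return the pod spec of a Pod, or the pod template spec of a workload
    (Deployment, DaemonSet, StatefulSet, Job). Returns {} when there is none."""
    if obj.get("kind") == "Pod":
        return obj.get("spec", {})
    return obj.get("spec", {}).get("template", {}).get("spec", {})


def disallowed_images(pod_spec: dict, patterns=ALLOWED_IMAGE_PATTERNS) -> list:
    """'contain-all' semantics: every container must pass, so collect the ones that do not.
    Goes beyond the page's rule by also checking initContainers."""
    containers = pod_spec.get("containers", []) + pod_spec.get("initContainers", [])
    return [c.get("image", "") for c in containers if not image_allowed(c.get("image", ""), patterns)]


def review(admission_review: dict, patterns=ALLOWED_IMAGE_PATTERNS) -> dict:
    """Build the AdmissionReview response: the request uid must be echoed back,
    and a deny carries a status message that kubectl shows to the user."""
    request = admission_review["request"]
    bad = disallowed_images(extract_pod_spec(request.get("object") or {}), patterns)
    response = {"uid": request["uid"], "allowed": not bad}
    if bad:
        response["status"] = {
            "code": 403,
            "message": (f"[example webhook] The request has been blocked according to the rule "
                        f"'{RULE_TITLE}': image(s) not from an allowed registry: {', '.join(bad)}"),
        }
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview", "response": response}


def make_review_request(uid: str, image: str) -> dict:
    """Constructed AdmissionReview for a Deployment with one container, shaped like
    the request `kubectl create deployment nginx --image=<image>` produces."""
    return {
        "apiVersion": "admission.k8s.io/v1",
        "kind": "AdmissionReview",
        "request": {
            "uid": uid,
            "kind": {"group": "apps", "version": "v1", "kind": "Deployment"},
            "operation": "CREATE",
            "object": {
                "apiVersion": "apps/v1",
                "kind": "Deployment",
                "spec": {"template": {"spec": {"containers": [{"name": "app", "image": image}]}}},
            },
        },
    }


if __name__ == "__main__":
    # Step 12 from the page: the bare image 'nginx' is not under quay.io/checkpoint/, so it is denied.
    print(json.dumps(review(make_review_request("uid-denied", "nginx")), indent=2))
    # An image from the allowed registry is admitted.
    print(json.dumps(review(make_review_request("uid-allowed", "quay.io/checkpoint/consul:1.0")), indent=2))
```

Two details matter for a real webhook and are easy to get wrong: the pattern must be anchored at both ends, otherwise a registry such as `evil.example/quay.io/checkpoint/x` would match, and the `uid` from the request must be echoed in the response or the API server discards the verdict.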