If you use a strict policy for the Security scan integrated service, you may occasionally need to permit an image that does not meet the policy's requirements. For example, you use the BlockRoot policy but need to admit a particular image even though it runs with root privileges.
In Banzai Cloud Pipeline (Pipeline) you can whitelist specific Helm deployments using custom Kubernetes resources. The Security scan admission hook accepts any deployment that matches a whitelist element, regardless of that deployment's scan result.
- All resources included in a Helm deployment must have the release-name label. If it is missing, Pipeline automatically generates one from the name of the related ReplicaSet.
- You must have the kubectl command-line tool installed. Managing whitelists is currently not possible on the web interface.
Whitelist a Helm deployment
To whitelist a Helm deployment, complete the following steps.
Create a WhiteListItem custom resource. The manifest must include the following fields:
- name: The name of the whitelisted release.
- creator: The Pipeline user who created the rule, so you can track who made an exception to the security policy for this release.
- reason: The reason or justification for whitelisting this release.

```yaml
apiVersion: security.banzaicloud.com/v1alpha1
kind: WhiteListItem
metadata:
  name: <name of helm release>
spec:
  reason: <whitelisting reason>
  creator: <creator>
  regexp: <optional>   # optional field
```
Apply the resource to your cluster. For example:

```shell
$ banzai cluster shell --cluster-name=image-scan -- kubectl apply -f - << EOF
apiVersion: security.banzaicloud.com/v1alpha1
kind: WhiteListItem
metadata:
  name: busybox1
spec:
  reason: testing
  creator: pbalogh-sa
EOF
```
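As an added example (not Pipeline's own code), the following Python check validates a parsed WhiteListItem before it is applied: it enforces the expected apiVersion and kind, requires a non-empty `spec.creator` and `spec.reason` so that every policy exception stays attributable, and verifies that an optional `spec.regexp` compiles. The `covers_release` helper assumes that the hook matches a release by exact `metadata.name`, or by a full regular-expression match when `regexp` is set; that matching semantics is an assumption, since the page does not document how `regexp` is evaluated.

```python
import re
from typing import List

API_VERSION = "security.banzaicloud.com/v1alpha1"
KIND = "WhiteListItem"


def validate_whitelist_item(item: dict) -> List[str]:
    """Return the problems found in a parsed WhiteListItem manifest (dict as
    produced by a YAML loader). An empty list means the item is well-formed."""
    problems = []
    if item.get("apiVersion") != API_VERSION:
        problems.append(f"apiVersion must be {API_VERSION}")
    if item.get("kind") != KIND:
        problems.append(f"kind must be {KIND}")
    if not (item.get("metadata") or {}).get("name"):
        problems.append("metadata.name (the Helm release name) is required")
    spec = item.get("spec") or {}
    # creator and reason are what make the exception traceable later on.
    for field in ("creator", "reason"):
        if not str(spec.get(field, "")).strip():
            problems.append(f"spec.{field} is required")
    regexp = spec.get("regexp")
    if regexp is not None:
        try:
            re.compile(regexp)
        except re.error as exc:
            problems.append(f"spec.regexp does not compile: {exc}")
    return problems


def covers_release(item: dict, release: str) -> bool:
    """Assumed semantics: exact metadata.name match, or a full match of
    spec.regexp when that optional field is present."""
    regexp = (item.get("spec") or {}).get("regexp")
    if regexp:
        return re.fullmatch(regexp, release) is not None
    return (item.get("metadata") or {}).get("name") == release


# Constructed sample items; the first mirrors the busybox1 manifest above.
GOOD_ITEM = {"apiVersion": API_VERSION, "kind": KIND,
             "metadata": {"name": "busybox1"},
             "spec": {"reason": "testing", "creator": "pbalogh-sa"}}
REGEXP_ITEM = {"apiVersion": API_VERSION, "kind": KIND,
               "metadata": {"name": "busybox-canary"},
               "spec": {"reason": "canary rollout", "creator": "alex-the-administrator",
                        "regexp": r"busybox-canary-\d+"}}
BAD_ITEM = {"apiVersion": API_VERSION, "kind": KIND,  # no creator, empty reason, broken regexp
            "metadata": {"name": "busybox2"},
            "spec": {"reason": "", "regexp": "("}}
```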
Get list of whitelisted deployments
To get the list of currently whitelisted deployments, run the kubectl get whitelistitems command. To display who whitelisted them and why, run the following command.

```shell
$ kubectl get whitelistitems -o wide -o=custom-columns=NAME:.metadata.name,CREATOR:.spec.creator,REASON:.spec.reason
NAME                      CREATOR                  REASON
my-whitelisted-release    alex-the-administrator   just-testing
my-whitelisted-release2   alex-the-administrator   just-testing
```
To display the details of a specific whitelisted release, run the following command.
```shell
kubectl get whitelistitem my-whitelisted-release -o yaml
```

```yaml
apiVersion: security.banzaicloud.com/v1alpha1
kind: WhiteListItem
metadata:
  clusterName: ""
  creationTimestamp: 2018-09-25T06:44:49Z
  name: my-whitelisted-release
  namespace: ""
  resourceVersion: "1981225"
  selfLink: /apis/security.banzaicloud.com/v1alpha1/my-whitelisted-release
  uid: 7f9a094d-c08e-11e8-b34e-42010a8e010f
spec:
  creator: alex-the-administrator
  reason: just-testing
```