Deploy Kubernetes Admission Control Programmatically with Trend Micro Cloud One Container Security, Terraform Cloud, and Azure DevOps
Howdy Howdy! Well, a couple of weeks ago, I wrote an article about experimenting with and deploying Trend Micro-backed container image scanning capabilities. This was done programmatically into an Azure Kubernetes Service cluster with Trend Micro Deep Security Smart Check, Azure DevOps, and Terraform Cloud all working together.
That article is linked below, and as a bonus this article includes a short refresher of the scanner experiments as well.
https://www.dhirubhai.net/pulse/programmatically-deploy-aks-trend-micro-deep-security-chuck-losh/
So, let's get started!
There is a new component of Trend Micro Cloud One Container Security that I would like to show you how to deploy programmatically as well! This is the Trend Micro Cloud One Container Security Admission Controller. This powerful component allows you to create security policies that make a "go / no go" determination for a container-based deployment into that protected AKS cluster. For example, you might want to check that the container image has been scanned by Trend Micro Deep Security Smart Check as a best practice for your organization.
So, let me show you how you can quickly deploy the Trend Micro Cloud One Container Security Admission Controller component!
Programmatically of course!
So, currently I use Terraform Cloud and Azure DevOps Repos to hold my AKS configuration code, current state, and orchestrated deployments between clouds.
Using the Terraform "helm_release" resource, I can update my AKS deployment with both the Trend Micro Deep Security Smart Check container image scanner and the Trend Micro Cloud One Container Security Admission Controller, all in one beautiful step!
The helm chart deployments launch a series of containers inside your AKS cluster to provide that total protection. The referenced charts can be pulled from GitHub and activated with a set of API keys that register the deployment and establish communication with the Trend Micro Cloud One Container Security console. This is all shown below from my Terraform code experiment! Take a look! It took me a little while to get it working, but it works!
```hcl
# Trend Micro Deep Security Smart Check container image scanner
resource "helm_release" "smartcheck" {
  name             = "smartcheck"
  chart            = "https://github.com/deep-security/smartcheck-helm/archive/master.tar.gz"
  create_namespace = true
  namespace        = "deepsecurity-smartcheck"

  set {
    name  = "auth.secretSeed"
    value = "terraform"
  }
  # Initial console credentials; you are prompted to change them on first logon
  set {
    name  = "auth.userName"
    value = "Administrator"
  }
  set {
    name  = "auth.password"
    value = "passwordexample"
  }
  # Replace with the API key issued by the Cloud One Container Security console
  set {
    name  = "cloudOne.apiKey"
    value = "APIKEY"
  }
}

# Trend Micro Cloud One Container Security Admission Controller
resource "helm_release" "trendmicroadmission" {
  name             = "trendmicroadmission"
  chart            = "https://github.com/trendmicro/cloudone-container-security-helm/archive/master.tar.gz"
  create_namespace = true
  namespace        = "trendmicro"

  # Replace with the API key shown when the cluster is added in the console
  set {
    name  = "cloudOne.admissionController.apiKey"
    value = "APIKEY"
  }
}
```
Now, an important thing to ask and learn before executing the code is how do I get my hands on the referenced API Keys? Well, a good place to start is the Trend Micro Cloud One Container Security Console! You will want to start by choosing to add your cluster to the solution. You can do this by hitting the add button on the clusters menu option.
Name it (cluster) accordingly, add a description, and hit next. You don't need to worry about attaching an Admission Policy, we can do that later!
On the following screen, you should get the information that you need to run the helm deployment and set the associated API key for that cluster to unlock the feature set. That API key is used for communication and operations between the container-based admission controller and the console.
You can take that information and use it in Infrastructure as Code (IaC) with Terraform, where you can update an existing AKS cluster or create a brand new one with the solutions baked in.
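Here is how the pieces fit together in one Terraform configuration, as an added example that is not code from the original article: the helm provider reads its credentials from the AKS cluster Terraform creates, and the API key and Smart Check password come in as sensitive variables instead of literals in the helm_release block. The resource name azurerm_kubernetes_cluster.aks and the variable names are assumptions.

```hcl
# Added example (not the article's own code). Assumes an
# azurerm_kubernetes_cluster.aks resource exists in the same configuration.

variable "cloudone_api_key" {
  description = "API key copied from the Cloud One Container Security console when the cluster was added"
  type        = string
  sensitive   = true # redacted from plan/apply output
}

variable "smartcheck_admin_password" {
  description = "Initial Smart Check Administrator password (changed on first logon)"
  type        = string
  sensitive   = true
}

# Helm authenticates with the kubeconfig AKS hands back to Terraform, so the
# releases can be created in the same apply that creates the cluster.
provider "helm" {
  kubernetes {
    host                   = azurerm_kubernetes_cluster.aks.kube_config[0].host
    client_certificate     = base64decode(azurerm_kubernetes_cluster.aks.kube_config[0].client_certificate)
    client_key             = base64decode(azurerm_kubernetes_cluster.aks.kube_config[0].client_key)
    cluster_ca_certificate = base64decode(azurerm_kubernetes_cluster.aks.kube_config[0].cluster_ca_certificate)
  }
}

resource "helm_release" "trendmicroadmission" {
  name             = "trendmicroadmission"
  chart            = "https://github.com/trendmicro/cloudone-container-security-helm/archive/master.tar.gz"
  create_namespace = true
  namespace        = "trendmicro"

  # set_sensitive keeps the key out of the plan diff and the Terraform Cloud run log
  set_sensitive {
    name  = "cloudOne.admissionController.apiKey"
    value = var.cloudone_api_key
  }

  depends_on = [azurerm_kubernetes_cluster.aks]
}

# The smartcheck release is wired the same way: pass auth.password and
# cloudOne.apiKey through set_sensitive blocks fed by sensitive variables.
```

In Terraform Cloud, supply both values as workspace variables marked Sensitive so they never land in the Azure DevOps repo.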
For today's example, I am going to deploy both helm charts with the image scanner and the admission controller.
Here I go! With a commit and push in Visual Studio Code tied to my Azure DevOps Repo, Terraform Cloud is listening in for that code to push to kick off an automatic plan and apply. Let's sit back, relax, and watch the fireworks!
Ok, cluster creation/update is now completed and my helm charts are deployed. I can take a peek inside my AKS cluster and see! Under namespaces you can see my deepsecurity-smartcheck and trendmicro deployments. Let's start with trendmicro namespace to verify that the admission controller has been deployed.
We can also check the workload and see that it is deployed and assigned to a worker node and pod. We can see it listed there as "trendmicro-admission-controller".
We can also see our Terraform Job has completed successfully, and a new state file has been created.
Ok, so now let's do a couple of things on the Trend Micro Cloud One Container Security console. First, let's go ahead and get a trusty Admission Controller policy assigned. I said I was going to do that right?
This is shown below. You can create and edit a new policy, setting the various characteristics that determine whether a container is blocked from entering the cluster. The best way to start is to set the policy to the "log" state. That way you can start seeing what Container Security would take action on if it were set loose on your cluster!
For example, you might not want containers that have not previously been scanned by the Trend Micro Deep Security Smart Check container image scanner, or that contain malware!
Those are both good choices! Agreed?
You can then assign the policy to the cluster now that you have the Admission Controller deployed successfully.
You can see that you get stats regarding the last time that the Admission Controller has evaluated the AKS cluster with the current policy. That's good info to know!
Admission events are logged in the Admission Events pane. This is shown below for reference! You can see each action is tagged as logged, not blocked or allowed. However, Container Security tells you what it "would" decide under the decision section.
Ok, let's take a look at our secondary deployment that happened in this new cluster example.
What's that you say?
Well, we also deployed the Trend Micro Deep Security Smart Check container image scanner. Two solutions in one! Yes!
We can see that in the Trend Micro Container Security console under the scanners section. If everything is working properly, the console also shows scan data being received. Shown below as a reference!
How do I get said scan data? Well, I am glad you asked!
You can start getting scan data by adding a Container Registry to the scanner.
Above, I got my Trend Micro Deep Security Smart Check IP address and DNS name from the AKS cluster after the scanner was deployed from the helm chart, as outputs in AKS. When I visit the address, I can go ahead and log on to the scanner solution. Those default creds were provided in my Terraform code as env variables. I will be prompted to change them upon first logon. Excellent!
Once I have changed my default creds, I can now proceed to add my registry. I will go ahead and add my Azure Container Registry. You can follow the directions in the connection details to go ahead and do that. Pretty easy to set up!
Once that (Container Registry) is successfully added to the scanner, I will kick off a scan to get some scan data on the images that reside in my registry.
You should see the images being scanned in the scanner.
Alrighty, very cool, so the last thing I am going to do is try a test deployment. I am going to try to push the latest version of Jenkins (jenkins/jenkins:latest) into my AKS cluster, attempting to bypass the Trend Micro Deep Security Smart Check container image scanner.
Ok, the first thing I am going to do to simulate that is go to my TerraformAzureDevOps policy that is bound to that Admission Controller and set it to "block" instead of "log". This should block any image not scanned by Trend Micro Deep Security Smart Check from being admitted to AKS!
Next, I am going to go ahead and go into AKS in the Azure Portal and add a new deployment.
Ok, you can see here that I am adding the deployment with YAML in the Azure Portal to deploy Jenkins inside the AKS cluster.
Wow! I get an immediate denial in the Azure Portal! The Admission Controller fires up and blocks the deployment. That is good and expected!
Let's check in the Trend Micro Cloud One Container Security console.
Yep, we see it there as well: it was blocked and denied because the image was not scanned! This is a cool feature to make sure images are scanned! Make sure only images from your Azure Container Registry that have previously been scanned are allowed to be deployed.
Ok, so now I just so happened to push and tag the jenkins/jenkins:latest image into my blessed production registry, and scanned it via Trend Micro Deep Security Smart Check as a best practice prior to deployment.
Now that the image has been scanned, the admission controller should allow me to deploy it!
I adjust my deployment.yml to use the scanned tagged image in my Azure Container Registry!
Wow! Now the image is allowed! That is expected! We can see below in the Azure Portal that I do not get the deployment failure shown previously. We get a message that the deployment was successfully created.
We can also check the Admission Events in the Trend Micro Cloud One Container Security Console. Note: we now see the deployment is allowed!
Lastly, we can see the successful deployment running inside AKS!
Ok, very good!
Last but not least, let's take out the trash and throw away everything from our testing and experiments today! We can do that with a Terraform destroy command inside Terraform Cloud! Sit back and watch the fireworks!
There we go! Everything back the way it was before we started experimenting and playing around! Ok, well I hope you enjoyed learning together with me today with these experiments! I enjoyed putting together this little lesson and trying out new things! Enjoy the rest of your week! Stay safe! We will see you next time!
References:
https://www.trendmicro.com/en_us/business/products/hybrid-cloud/cloud-one-container-image-security.html
https://www.terraform.io/docs/cloud/index.html
https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release
https://cloudone.trendmicro.com/docs/
https://azure.microsoft.com/en-us/services/devops/