At Banzai Cloud we always strive to make things simpler and to make complex services available to our customers. We try to reduce the complexity of setting up components and services by automating as much setup as possible - to expose these for users in a transparent, easy to understand manner. This effort led us to introduce integrated services to the Banzai Cloud Pipeline platform. We have already written about what integrated services are, and we also have described a few of them, like automated public DNS management for Kubernetes clusters and cluster expiration.
Banzai Cloud Pipeline is a solution-oriented application platform which allows enterprises to develop, deploy, and securely scale container-based applications in multi- and hybrid-cloud environments. You can easily spin up a cluster on your favorite cloud provider and try the features the platform provides. Integrated services are components available on the platform that are preconfigured with working defaults that provide basic functionality for operating clusters (for example, logging, monitoring, security scan, secret management, DNS, ingress, and backups).
This post describes the security scan integrated service. tl;dr: you can simply enable the security scan integrated service for your cluster and make use of automatic pre-deployment or arbitrary on-demand image vulnerability scans. Many of our clients come from various domains where they need to comply with strict rules and regulations concerning security auditing and regular security upgrades. The security scan integrated service helps them by automating some of these processes.
The service scans the container images that make up an application for possible security issues, and allows or denies deploying the application based on the results of the scan. It does so by engaging a service deployed on the Pipeline control plane (Anchore) and configuring a webhook with the desired security policies. After enabling the service, you can also trigger individual image scans to examine vulnerabilities.
You can find more details about the security scan mechanism in our container vulnerability scans and Image validation with Anchore blog posts.
Similarly to most of the integrated services, you can enable the security scan integrated service both from the Banzai Cloud Pipeline web interface, and the Banzai Cloud CLI tool.
kube-system and pipeline-system namespaces that cannot be scanned).
Open a shell and run the following command:
% banzai cluster service securityscan activate
Complete the interactive wizard, or specify the options in a file or on standard input:
% banzai cluster service securityscan activate --file - <<EOF
{
  "policy": {
    "policyId": "97b33e2c-3b57-4a3f-a12b-a8c0daa472a0"
  }
}
EOF
On the integrated service details page, deactivate the service by clicking the deactivate button.
Open a shell and run the following command:
% banzai cluster service securityscan deactivate
To demonstrate how to enable and use the security scan integrated service, let's do the following:
Enable the security scan integrated service (use the "built-in" Anchore to keep things simple).
Note: Select the Deny all images policy (no deployments will be allowed).
As expected, the application is in the rejected state.
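To make the admission decision described above concrete (scan results per image, a "Deny all images" policy, and the kube-system and pipeline-system namespaces that are not scanned), here is a small added example that is not code from the Pipeline project: it evaluates a Kubernetes AdmissionReview for a Pod against a constructed, hard-coded map of per-image verdicts that stands in for the Anchore policy evaluation the real service performs.

```python
# Namespaces the post says the security scan service cannot scan; treated as exempt here.
EXEMPT_NAMESPACES = {"kube-system", "pipeline-system"}

# Constructed stand-in for Anchore policy evaluation results, keyed by image reference.
# The real service fetches these from Anchore; the values below are made up for the example.
SAMPLE_EVALUATIONS = {
    "nginx:1.19": "pass",
    "example.internal/legacy-app:2.3": "fail",
}

# Constructed AdmissionReview request as the API server would send it to a validating webhook.
SAMPLE_REVIEW = {
    "apiVersion": "admission.k8s.io/v1",
    "kind": "AdmissionReview",
    "request": {
        "uid": "00000000-0000-0000-0000-000000000001",
        "namespace": "default",
        "object": {"kind": "Pod", "spec": {
            "initContainers": [{"image": "nginx:1.19"}],
            "containers": [{"image": "example.internal/legacy-app:2.3"}],
        }},
    },
}

def pod_images(pod):
    """Collect every image referenced by a Pod manifest (init containers and containers)."""
    spec = pod.get("spec", {})
    return [c["image"] for key in ("initContainers", "containers") for c in spec.get(key, [])]

def evaluate(review, evaluations, deny_all=False):
    """Decide an AdmissionReview and return the response document.

    deny_all mirrors the "Deny all images" policy used in the demo: every image is rejected.
    Images with no evaluation at all are rejected too, so an unscanned image never slips in.
    """
    req = review["request"]
    uid, pod = req["uid"], req["object"]
    ns = req.get("namespace", pod.get("metadata", {}).get("namespace", "default"))
    if ns in EXEMPT_NAMESPACES:
        return _response(uid, True, "namespace is not scanned")
    rejected = []
    for img in pod_images(pod):
        verdict = "fail" if deny_all else evaluations.get(img, "unknown")
        if verdict != "pass":
            rejected.append(f"{img} ({verdict})")
    if rejected:
        return _response(uid, False, "rejected images: " + ", ".join(rejected))
    return _response(uid, True, "all images passed policy")

def _response(uid, allowed, message):
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
            "response": {"uid": uid, "allowed": allowed, "status": {"message": message}}}
```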
By enabling the security scan integrated service you can easily ensure that the container images in the applications deployed to your cluster are secure. You can easily customize the security policy to fit the regulations and internal policies of your company. For more details, check out the documentation of the Pipeline integrated services and the security scan integrated service. Thank you for reading this post and please support us by starring our Pipeline GitHub repository, or by trying out the Banzai Cloud Pipeline platform for yourself.
Banzai Cloud’s Pipeline provides a platform for enterprises to develop, deploy, and scale container-based applications. It leverages best-of-breed cloud components, such as Kubernetes, to create a highly productive, yet flexible environment for developers and operations teams alike. Strong security measures — multiple authentication backends, fine-grained authorization, dynamic secret management, automated secure communications between components using TLS, vulnerability scans, static code analysis, CI/CD, and so on — are default features of the Pipeline platform.