Shifting Left with Magalix
According to RedHatâs State of Kubernetes Security Report Spring 2021:
"Not surprisingly, nearly 60% of respondents have experienced a misconfiguration incident in their environment over the last 12 months. Nearly a third have discovered a major vulnerability, and another third said they've suffered a runtime security incident. lastly, 20% said they had failed an audit.
We get it. Cloud-native security is hard. Even if we shift security as far left as we can, it doesnât mean itâs going to translate instantly for someone who has never had the responsibility of security before. Being faced with a security related error message after a commit can seem alarming at first. This is why Magalix provides detailed descriptions of all violations and detailed instructions on how to resolve them. But is that enough?
Before we dive in, letâs agree that all of us are using git. A git repository is our source of truth and any released version can be deployed at any time. These principles are going to the guiding light for some decision youâll make along the way, such as making a choice to leverage GitOps. For those customers using GitHub, Magalix now supports some advanced features.
Identify Violations Using Magalix and GitHub Actions
When infrastructure and applications are configured declaratively, those that are responsible for managing these systems can use Magalix to incorporate security checks into their existing CI/CD pipelines. Unconfigured security settings, non-compliance, or any other serious misconfiguration discovered at run-time can be costly and could have disastrous outcomes. From 2020 Q3, standards can be enforced at the earliest stages of the software development life cycle using Magalix KubeGuard.
Verbose messaging of test a single Kuberentes manifest against KubeGuard
Since our first release that summer, we have graduated from testing one policy against our KubeGuard policy-on-demand on service, to being able to test all applicable files within a git repository, and then pinpointing exactly where fixes should be implemented within each file.
A GitHub Pull request with suggested fixes in the annotation.
Using our GitHub Action, pull requests are visually modified by adding annotations on the line numbers for what should be fixed. In the image above, we detected on line #28 that âprivilegedâ should be set to âfalseâ, and not âtrueâ, as it is in the code. Those that are not familiar with this can see exactly where the violation is occurring and what needs to change. This not only educates those who are not familiar with why these types of checks are necessary, it allows those to self-serve, make the changes and continue on.
Auto-Remediation
For some larger organizations, it isnât so much about education as it is about volume. The sheer number of existing files and repositories that need to be updated with non-root privileges alone could take years! You could use mutating webhooks in Kubernetes but that doesnât fit with a GitOps approach, where git is the source of truth. If whatâs in the repo isnât whatâs running in the environment right now, whatâs the point of creating a directory structure that represents your environmentâs configuration.
The latest release of our GitHub Action will add simplicity to the process by automatically opening a pull request with the changes set by the Policy enforced.
Automatically opened GitHub Pull Request with the change applied
In the image above, the GitHub Action used the Policies associated with a preconfigured KubeGuard to change the violating values when they are found in a K8s Deployment manifest. You may have also noticed that the formatting got fixed too at line #13. Aside from enforcing the prevention of allowing escalated privileges, other use cases could include mandatory enforcement of using a specific protocol, or standardizing ports.
Conclusion
Identifying violations in your infrastructure as code (and applications) by creating policy-as-code standards is a pathway to shifting security and remediation left. Check code and fix policy violations before merging into the main line branch, and eventually manifesting into Production. Using git as your source-of-truth, having a declarative infrastructure is the perfect candidate to adopt policy-as-code. Enforce standards early on in the development life cycle and prevent costly misconfigurations.
For those using GitHub, Magalix provides additional support by adding inline violation annotations during a pull request when a violation is detected. In addition, our GitHub Action provide Auto-Remediation so pull requests are opened automatically with the fixes already in place.
Let us show you how Magalix and GitHub work together; reach out to one of our experts now.
This article was originally published at Magalix
https://www.magalix.com/blog/identify-iac-violations-and-revert-misconfigured-resources-using-magalix
Share with your friends and followers
Start blogging about your favorite technologies, reach more readers and earn rewards!
Join other developers and claim your FAUN account now!
Magalix Corp
Magalix
@magalix
User Popularity
124
Influence
13k
Total Hits
6
Posts
Read, Learn, Know, Teach
Hand curated newsletters for Developers, private Slack with like minded people, podcasts, job offers, news and more!
Only registered users can post comments. Please, login or signup.