The cbcontainers-hardening-enforcer component is responsible for enforcing container security hardening policies.

The cbcontainers-hardening-enforcer component:
- Evaluates policy block rules through a validating webhook and blocks creating and updating Kubernetes objects accordingly.
- Evaluates policy enforce rules through a mutating webhook and modifies created and updated Kubernetes objects accordingly.
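As an added illustration of the block-versus-enforce distinction above (example code, not the enforcer's own implementation or policy set), the following shows the AdmissionReview response a validating webhook returns to deny an object next to the JSON Patch a mutating webhook returns to change it. The two rules (deny privileged containers; set allowPrivilegeEscalation=false), the sample Pod and the request UID are hypothetical.

```python
import base64
import json

API = {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview"}

def make_review(privileged: bool) -> dict:
    """Constructed sample AdmissionReview for a Pod CREATE, as the API server would send it."""
    sc = {"privileged": True} if privileged else {}
    container = {"name": "app", "image": "example/app:1.0"}
    if sc:
        container["securityContext"] = sc
    return {**API, "request": {
        "uid": "00000000-0000-0000-0000-000000000001", "operation": "CREATE",
        "object": {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "demo"},
                   "spec": {"containers": [container]}}}}

def is_privileged(pod: dict) -> bool:
    """Hypothetical block rule: deny any container that requests privileged mode."""
    return any(c.get("securityContext", {}).get("privileged")
               for c in pod["spec"].get("containers", []))

def validating_response(review: dict) -> dict:
    """Validating webhook: only allow or deny; the object itself is never changed."""
    req = review["request"]
    allowed = not is_privileged(req["object"])
    resp = {"uid": req["uid"], "allowed": allowed}
    if not allowed:
        resp["status"] = {"code": 403, "message": "privileged containers are blocked by policy"}
    return {**API, "response": resp}

def mutating_response(review: dict) -> dict:
    """Mutating webhook: hypothetical enforce rule that sets
    allowPrivilegeEscalation=false on every container, returned as a JSON Patch."""
    req = review["request"]
    patch = []
    for i, c in enumerate(req["object"]["spec"].get("containers", [])):
        base = f"/spec/containers/{i}/securityContext"
        if "securityContext" not in c:  # parent must exist before a child key can be added
            patch.append({"op": "add", "path": base, "value": {}})
        patch.append({"op": "add", "path": f"{base}/allowPrivilegeEscalation", "value": False})
    resp = {"uid": req["uid"], "allowed": True}
    if patch:  # the admission API carries the patch as base64-encoded JSON
        resp["patchType"] = "JSONPatch"
        resp["patch"] = base64.b64encode(json.dumps(patch).encode()).decode()
    return {**API, "response": resp}

def decode_patch(response: dict) -> list:
    """Decode the base64 JSON Patch from a mutating response (empty list if none)."""
    raw = response["response"].get("patch")
    return json.loads(base64.b64decode(raw)) if raw else []
```

A real webhook serves these responses over TLS (the 443/TCP Service entry point listed below); the handler logic is the same.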
| Property | Value |
|---|---|
| Image | cbartifactory/guardrails-enforcer |
| Opened ports | 443/TCP (Kubernetes Service), 8080/TCP (Kubernetes Pods): mutating and validating webhooks entry point. Note: You might need to open port 8080 from the master nodes to kubelet nodes in the FW. |
| Connects to Kubernetes services | kubernetes.default.svc (Kubernetes API server) |
| Connects to backend | events.containers.carbonblack.io:443 (gRPC) |
| NO_PROXY requirements | The Kubernetes API server IP addresses (resolved from kubernetes.default.svc within the cluster) |
| Requested resources | CPU - 30m, Memory - 64Mi |
| Resource limits | CPU - 200m, Memory - 256Mi |
| Replica count (min & default) | Min - 1, Default - 1 |
| Horizontal scaling | Scaling is done by the operator. You can manually set the number of replicas in the CRD. |
| Tolerances | |
| Is privileged | No |