cbcontainers-hardening-enforcer

The cbcontainers-hardening-enforcer component is responsible for enforcing container security hardening policies.

The cbcontainers-hardening-enforcer component:

Evaluates policy block rules through a validating webhook and blocks creating and updating Kubernetes objects accordingly.
Evaluates policy enforce rules through a mutating webhook and modifies created and updated Kubernetes objects accordingly.


Image	cbartifactory/guardrails-enforcer
Opened ports	443/TCP (Kubernetes Service), 8080/TCP (Kubernetes Pods) - mutating and validating webhooks entry point Note: You might need to open port 8080 from the master nodes to kubelet nodes in the FW.
Connects to Kubernetes services	`kubernetes.default.svc` (Kubernetes API server)
Connects to backend	`events.containers.carbonblack.io:443` (gRPC) `defense-prod05.conferdeploy.net:443`
NO_PROXY requirements	The Kubernetes API server IP addresses (resolved from `kubernetes.default.svc`within the cluster)
Requested resources	CPU- 30m, Memory - 64Mi
Resource limits	CPU- 200m, Memory - 256Mi
Replica count (min & def)	Min- 1, Default - 1
Horizontal Scaling	Scaling is done by the operator. You can manually set the number of replicas in the CRD. `<spec.components.basic.enforcer.replicasCount>`
Tolerances	`node.kubernetes.io/not-ready:NoExecute` op=Exists for 300s `node.kubernetes.io/unreachable:NoExecute` op=Exists for 300s
Is privileged	No