The cbcontainers-hardening-enforcer component is responsible for enforcing container security hardening policies.

The cbcontainers-hardening-enforcer component:

  • Evaluates policy block rules in a validating webhook and rejects the creation or update of Kubernetes objects that violate them.
  • Evaluates policy enforce rules in a mutating webhook and modifies the created or updated Kubernetes objects accordingly.
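The two bullets above describe the standard Kubernetes admission-webhook split. The following is an added example, not code from the Carbon Black enforcer or the operator: it builds a constructed AdmissionReview request, answers it once as a validating webhook (deny, object untouched) and once as a mutating webhook (allow plus a JSON Patch), then replays the API server's real ordering, mutating first and validating second. The rule it enforces, "no container may run privileged", is a hypothetical stand-in for a policy rule; the product's actual rule set and wire format are not on this page.

```python
import base64
import copy
import json

# Constructed sample AdmissionReview (admission.k8s.io/v1) request, trimmed to
# the fields this example reads. The API server POSTs a document of this shape
# to the webhook endpoint; a real request carries many more fields.
SAMPLE_REVIEW = {
    "apiVersion": "admission.k8s.io/v1",
    "kind": "AdmissionReview",
    "request": {
        "uid": "constructed-uid-0001",
        "kind": {"group": "", "version": "v1", "kind": "Pod"},
        "operation": "CREATE",
        "object": {
            "apiVersion": "v1",
            "kind": "Pod",
            "metadata": {"name": "demo", "namespace": "default"},
            "spec": {
                "containers": [
                    {"name": "app", "image": "example.invalid/app:1.0",
                     "securityContext": {"privileged": True}},
                    {"name": "sidecar", "image": "example.invalid/sidecar:1.0"},
                ]
            },
        },
    },
}


def privileged_violations(pod):
    """Hypothetical rule used by both webhooks: no container may run privileged."""
    problems = []
    for c in pod.get("spec", {}).get("containers", []):
        if c.get("securityContext", {}).get("privileged"):
            problems.append(f"container {c['name']} requests privileged mode")
    return problems


def validate(review):
    """Validating-webhook response: allow or deny, never change the object."""
    req = review["request"]
    problems = privileged_violations(req["object"])
    response = {"uid": req["uid"], "allowed": not problems}
    if problems:
        # The message is what the API server relays back to the kubectl user.
        response["status"] = {"code": 403, "message": "; ".join(problems)}
    return {"apiVersion": review["apiVersion"], "kind": review["kind"], "response": response}


def mutate(review):
    """Mutating-webhook response: allow, plus a base64-encoded JSON Patch that
    enforces the rule by clearing the privileged flag on offending containers."""
    req = review["request"]
    patch = []
    for i, c in enumerate(req["object"].get("spec", {}).get("containers", [])):
        if c.get("securityContext", {}).get("privileged"):
            patch.append({"op": "replace",
                          "path": f"/spec/containers/{i}/securityContext/privileged",
                          "value": False})
    response = {"uid": req["uid"], "allowed": True}
    if patch:
        response["patchType"] = "JSONPatch"
        response["patch"] = base64.b64encode(json.dumps(patch).encode()).decode()
    return {"apiVersion": review["apiVersion"], "kind": review["kind"], "response": response}


def decode_patch(review_response):
    """Decode the patch field of a mutating response back into a list of ops."""
    return json.loads(base64.b64decode(review_response["response"]["patch"]))


def apply_replace_patch(obj, patch):
    """Apply 'replace' operations (the only op this example emits) to a copy."""
    new = copy.deepcopy(obj)
    for op in patch:
        if op["op"] != "replace":
            raise ValueError(f"unsupported op {op['op']}")
        *parents, last = op["path"].strip("/").split("/")
        cur = new
        for p in parents:
            cur = cur[int(p)] if isinstance(cur, list) else cur[p]
        if isinstance(cur, list):
            cur[int(last)] = op["value"]
        else:
            cur[last] = op["value"]
    return new


def mutate_then_validate(review):
    """Model the API-server order: mutating webhooks run first, validating
    webhooks then see the patched object. Returns the validating response."""
    mutated = mutate(review)
    patched_review = copy.deepcopy(review)
    if "patch" in mutated["response"]:
        patched_review["request"]["object"] = apply_replace_patch(
            review["request"]["object"], decode_patch(mutated))
    return validate(patched_review)


if __name__ == "__main__":
    print(json.dumps(validate(SAMPLE_REVIEW)["response"], indent=2))
    print(json.dumps(mutate_then_validate(SAMPLE_REVIEW)["response"], indent=2))
```

Run stand-alone, the first print shows the denial a block rule produces for the raw pod, the second shows that the same pod passes validation once the enforce rule's patch has been applied. The `uid` echoed in every response is what lets the API server match a reply to its request; a response with the wrong or missing uid is rejected.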
| Item | Value |
|---|---|
| Image | cbartifactory/guardrails-enforcer |
| Opened ports | 443/TCP (Kubernetes Service), 8080/TCP (Kubernetes Pods): mutating and validating webhooks entry point. Note: you might need to open port 8080 from the master nodes to the kubelet nodes in the firewall. |
| Connects to Kubernetes services | kubernetes.default.svc (Kubernetes API server) |
| Connects to backend | events.containers.carbonblack.io:443 (gRPC); defense-prod05.conferdeploy.net:443 |
| NO_PROXY requirements | The Kubernetes API server IP addresses (resolved from kubernetes.default.svc within the cluster) |
| Requested resources | CPU: 30m, Memory: 64Mi |
| Resource limits | CPU: 200m, Memory: 256Mi |
| Replica count (min & default) | Min: 1, Default: 1 |
| Horizontal scaling | Done by the operator. You can manually set the number of replicas in the CRD at `spec.components.basic.enforcer.replicasCount`. |
| Tolerations | node.kubernetes.io/not-ready:NoExecute op=Exists for 300s; node.kubernetes.io/unreachable:NoExecute op=Exists for 300s |
| Is privileged | No |
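The NO_PROXY requirement is easy to get wrong when the cluster sits behind an egress proxy: the enforcer must reach the API server directly, so every API server IP has to be matched by some NO_PROXY entry. The check below is an added example, not a tool shipped with the product. It takes a NO_PROXY string and the list of API server IPs (in a real cluster read from `kubectl get endpoints kubernetes -n default`; the values here are constructed) and reports the addresses no entry covers, honouring `*`, exact IPs and CIDR ranges while ignoring hostname and domain-suffix entries, which never match a bare IP.

```python
import ipaddress


def _parse_entries(no_proxy):
    """Split a NO_PROXY value into trimmed, non-empty entries."""
    return [e.strip() for e in no_proxy.split(",") if e.strip()]


def entry_covers_ip(entry, ip):
    """True if one NO_PROXY entry matches an IP address: '*', an exact address,
    or a CIDR range. Hostname and domain-suffix entries (e.g. '.svc') never
    match a bare IP, so they return False here."""
    if entry == "*":
        return True
    try:
        network = ipaddress.ip_network(entry, strict=False)  # "10.96.0.1" -> /32
    except ValueError:
        return False
    return ip in network


def missing_from_no_proxy(no_proxy, api_server_ips):
    """Return the API server IPs that no NO_PROXY entry covers, in input order."""
    entries = _parse_entries(no_proxy)
    missing = []
    for addr in api_server_ips:
        ip = ipaddress.ip_address(addr)
        if not any(entry_covers_ip(e, ip) for e in entries):
            missing.append(addr)
    return missing


# Constructed values: a NO_PROXY string as it might be handed to the enforcer
# pod, and API server IPs as read from the `kubernetes` Endpoints object.
# Only the ClusterIP of kubernetes.default.svc is listed, not the node IPs
# behind it, which is the gap this check is meant to surface.
SAMPLE_NO_PROXY = "10.96.0.1,.svc,.cluster.local,localhost,127.0.0.1"
SAMPLE_API_SERVER_IPS = ["10.96.0.1", "192.168.10.11", "192.168.10.12"]

if __name__ == "__main__":
    gaps = missing_from_no_proxy(SAMPLE_NO_PROXY, SAMPLE_API_SERVER_IPS)
    print("API server IPs not covered by NO_PROXY:", gaps)
```

CIDR support in NO_PROXY varies between HTTP client libraries, so when in doubt list the exact addresses rather than relying on a range; the check treats both as valid, which is the permissive direction, and only reports addresses that match nothing at all.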