Throughout this walkthrough you will be exposed to VMware’s solution to securing Kubernetes clusters with CBC Container Security. Upon login, instructions provided will detail how to deploy and secure a new cluster with vSphere with Tanzu and CBC Container Security.

CBC Container Security helps organizations reduce risk, obtain compliance and achieve simple, secure cloud-native Kubernetes environments at scale. With a simple, no-friction deployment process, this solution provides the visibility and control that Development and Security teams need to secure Kubernetes clusters and the applications deployed on them. Harness the power of Carbon Black Cloud Container for your build and deploy pipelines, with instant visibility into all your Kubernetes workloads, and the ability to enforce compliance, security, and governance from a single dashboard.

For more best practices on Carbon Black Container Security please visit VMware Carbon Black TechZone here.

You can use vSphere with Tanzu to transform vSphere to a platform for running Kubernetes workloads natively on the hypervisor layer. When enabled on a vSphere cluster, vSphere with Tanzu provides the capability to run Kubernetes workloads directly on ESXi hosts and to create upstream Kubernetes clusters within dedicated resource pools.

By using vSphere with Tanzu you can turn a vSphere cluster to a platform for running Kubernetes workloads in dedicated resource pools. Once enabled on a vSphere cluster, vSphere with Tanzu creates a Kubernetes control plane directly in the hypervisor layer. You can then run Kubernetes containers by deploying vSphere Pods, or you can create upstream Kubernetes clusters through the VMware Tanzu™ Kubernetes Grid™ Service and run your applications inside these clusters.

VMware Tanzu Mission Control™ is a centralized management platform for consistently operating and securing your Kubernetes infrastructure and modern applications across multiple teams and clouds.

Available through VMware Cloud™ services, Tanzu Mission Control provides operators with a single control point to give developers the independence they need to drive business forward, while ensuring consistent management and operations across environments for increased security and governance.

Before you begin this walkthrough please make sure you have the following:

1. A valid Cloud Services account in the VMware Pathfinder environment

2. If using the Horizon Client, ensure it's installed on your machine and that the following ports are open TCP & UDP ports 80, 443, 8443; and if using PCoIP, both TCP & UDP 4172 on your network. You may also access this walkthrough on Horizon via the Browser.

3. When using the walkthrough, please do NOT create more than 1 Tanzu Kubernetes Cluster

Also, we encourage everyone to use the My Documents folder located on the VMware Tanzu Horizon Desktop to store yaml files and container images. This folder is persistent which means that users can retrieve their stored application data across multiple sessions.

To access the CBC Container Security demo perform the following steps.

First, open a web browser, navigate to https://pathfinder.vmware.com and log in with your Cloud Services account. If you do not have an account, click on 'Create your own VMware Account' option on the Pathfinder login screen.

Once logged in, navigate to 'CATALOG' from the top navigation bar, and choose 'Carbon Black' as the product, 'TestDrive' as the Activity Type as shown below.

Click on the 'Get Hands-on with VMware Carbon Black Cloud Container Security' Activity Card, the activity opens up. On the Getting Started page, click on 'Request Access' button located near the bottom-right of this page. This will provision your TMC and vSphere with Tanzu account and display 'Tanzu Missionn Control' and 'Workspace ONE' credentials as shown below. Please note that both your TMC and vSphere with Tanzu accesses are valid for 48 hours in a single session. Once the time expires, you can re-enable access by following the same method.

Next, launch the 'Workspace ONE' link under Access option, you will be redirected to Workspace ONE Access login screen. Use the Workspace ONE Credentials from the Credentials section.

Once logged in, search for 'VMware Tanzu' on the Apps Tab and click on the Horizon Desktop to launch it on your Browser. To launch the Desktop using Horizon Client, click on the Info (i) button and select the 'Client' option.

Now you'll be on the VMware Tanzu Desktop. At this point you can begin the walkthrough steps listed below.

Launch the Carbon Black Cloud shortcut on your desktop as shown.

Login using the credentials listed in Demo Credentials.txt file located on your desktop.

The Carbon Black Cloud dashboard provides a high-level overview of your environment and enables you to quickly navigate to items of interest. You can customize the dashboard tiles and display data for specific time periods and policies.

For this walk through you will have the ability to build a new Tanzu Kubernetes Cluster and deploy CBC Container Security in sections 2 & 3 of this walk through.

Navigate to Inventory > Kubernetes > K8s Clusters to review current cluster management.

CBC Inventory provides Security teams with unified insights across Endpoints, Workloads and Containers. Security teams are able to view all protected and active clusters running within their enterprise.

Expand the ‘>’ under Actions column to review cluster details.

To assess K8s Workloads running within your environment navigate to Inventory > Kubernetes > K8s Workloads.

K8s Workloads | K8s Workloads monitor and provide information for each workload. You can view risk severity, if a workload is covered by a K8s policy, and if there are any policy violations. This helps remediate risks and fix issues at a workload level in your K8s environment.

To understand your current state of you K8 Workloads navigate to Harden > K8s Health

Kubernetes Health Overview: Provides a single pane of glass for complete visibility into your security posture across k8s clusters and namespaces, including visibility into rules violations and configurations. The K8s Health page shows the current state of your Kubernetes environment and a summary on potential vulnerabilities. The vulnerabilities are split into four categories: Workloads, Network, Operations, and Volume.

Next, let's switch the Tab from Overview to Risks. For more details on a particular risk, highlight it by clicking on the right hand arrow '>'

Kubernetes Health Risks: The K8s Health page displays identified risks and associated workloads after setting up your Kubernetes clusters. Reduce risks in your K8s environment and create policies to enforce Alert or Block actions in the future if any rule validation fails. The K8s Health page will reflect all changes in your environment once you have taken action to resolve any potential vulnerabilities. Risk is defined by KCCSS which scores risk based on:

To get hands-on with the VMware Cluster and Security Deployment, we will:

On your VMware Tanzu Desktop, launch the 'Tanzu Mission Control' Chrome Shortcut

You will be redirected to the VMware Cloud Services login page. Use your email address associated with your VMware ID account, followed by your VMware ID password. You can look at the Credentials section below to find your VMware ID.

Once logged in, you should see a My Services page with 'VMware Tanzu Mission Control' listed as a product in it. Launch the product.

If you don't see it, then click on your username on the Cloud Services page -> Change Organization and make sure you have selected 'Pathfinder Services' as your Organization. After that, you should see the TMC product.

Now that you're logged in, you should see the 'Clusters' page as your default landing page. We will create a Tanzu Kubernetes Cluster next. Click on 'Create Cluster'

On the next screen that comes up, click the radio button next to pathfinder-tanzu and 'Continue to Create Cluster'

Choose the provisioner as pathfinder-tanzu from the dropdown and click 'NEXT'

Let's name your cluster. Use the format <your-username>-tanzu for your cluster name.
​
Next we must click on Cluster Group, by default you will see "pathfinder-tanzu-demo". Click on the 'X' to delete this entry value
​
Now click the drop down to select the Cluster Group name that should be auto-populated with the name formatted as <your-username>###. Click 'NEXT'
​
Note: Tanzu will not let you finish creating your cluster in the following steps if you leave the Cluster Group name as the default value of "pathfinder-tanzu-demo"

Under the configure section, select your desired Kubernetes version and click 'NEXT'.

PLEASE NOTE that the highest supported version for this demo is v1.18.5. You may want to select 'vsphere-with-tanzu-storage-policy' as your persistent volume storage (Optional).

On the 'Select Control Plane' page, use Single Node with Instance Type as 'best-effort-small (2vCPU, 4GB RAM)' and click 'NEXT'.

NOTE: Since this is a shared demo environment, we request all users to follow the guidelines for selecting Instance Types to optimize resource usage.

On the 'Edit and Add Node Pools' page, select the Worker Instance Type as 'best-effort-small (2vCPU, 4GB RAM)' and number of worker nodes = 1 (default) and click on 'CREATE CLUSTER'

NOTE: Since this is a shared demo environment, we request all users to follow the guidelines for selecting Instance Types to optimize resource usage.

You will now see a screen with message 'Your cluster is being created'. Please allow 5-7 minutes for the Tanzu Kubernetes Cluster to show as 'Ready'

Once your cluster is ready, click on 'Actions' at the top right corner and choose 'Access this cluster'

A new dialog box will open. Click on 'DOWNLOAD KUBECONFIG FILE' and Save As 'config.yml'

NOTE: It is important to save the file as config.yml in order for the next set of steps to work.

Launch Windows PowerShell from the Desktop by double clicking on the shortcut. Set the KUBECONFIG environment variable to point to our config.yml file saved in the previous step by copying the below command and pasting it in PowerShell.

Once the environment variable is set successfully, enter the command to list all pods.

You will get a message asking for the API Token which will be available from TMC. Click on your username -> My Account (under User Settings) to launch the 'My Account' page.

On this page, navigate to 'API Tokens' tab and click on 'GENERATE TOKEN' to generate a new token. Give it a name (for e.g. <your-username>-tanzu) and select the 'All Roles' checkbox. Click on 'GENERATE'.

Your token will be generated. Next, copy the token by highlighting it and using Ctrl + C (Windows) or Command (⌘) + C (macOS). Alternatively use your mouse right click button to Copy.

In the next step you will paste your API Token into the PowerShell CLI window. We also recommend that you save the API Token in a text file on your VMware Tanzu Horizon Desktop.

​NOTE: Do not rely on the 'COPY' button to copy your API Token. This is a bug with this release of Tanzu. Please use the copy methods above to copy the API Token value. Do not exit this screen until you verify that you've saved your API Token.

Paste your copied token on your Windows PowerShell window by using Ctrl + V (Windows) or Command (⌘) + V (macOS) and hit 'Enter'. You may be asked to set the login-context name, set a name for it (for e.g. <your-username>-tanzu) and hit 'Enter'.
​
You will get a 'context successfully created' message along with a list of all pods running on your cluster. Now we're ready to configure CBC Container Security on this cluster.

To close the API Token popup screen click on the 'COPY' or 'PRINT' button to have the 'CONTINUE' button become clickable to exit this screen.

To navigate back to the TMC Console screen, click on the App Launcher at the top right of the screen and from the drop down click on "VMware Tanzu Mission Control".

NOTE: This step is not required, but to show you how to get back to the Tanzu Mission Control Console in case you would like to explore it further or for debugging your cluster.

Now let's go back to the PowerShell CLI window.

To be able to run workloads on this cluster, we have to add a step to run the following kubectl command:

On your newly deployed Tanzu Kubernetes Cluster, we will deploy CBC Container Security. To register your cluster manually, navigate to Inventory > Kubernetes > K8s Clusters > Add Cluster

Deployment consists of 4 steps:

1. Install Operator: Run the command on your PowerShell CLI

2. Configure Cluster Inputs:

3. Generate Secret:

4. Finish Setup: Run the command given in this step on your PowerShell CLI and click Done when finished

Successful Installation will appear on the K8s Cluster page, refresh to reflect status changes from pending to running.

Kubernetes default configurations, if not modified, can expose a high level of risk to an organization. Misconfigurations pose the highest risk to workload environments. In order to mitigate your organizational risk, security teams should start by enforce pod security standards. Pod Security Standards are defined by Kubernetes, as well as governance bodies such as CIS Benchmarks, which define what standard configurations should be modified in order to promote a better security posture.

To start enforcing these Pod Security Standards teams will typically segment/organize their environment by building scopes I.e. Dev, Production, Application etc to ensure your like assets are protected in a uniform manner. For the purpose of this demonstration we will segment your clusters into your personal scope.

Navigate to Inventory > Kubernetes > K8s Scopes
​

Select 'Add Scope' in top right to get started.

A scope can be defined 3 different ways: cluster, namespace, or namespace in specific cluster. The more specificity defined the higher it will sit in the hierarchy for resolution.

For this walkthrough select the focus of scope as Deploy Phase and add your cluster name in the Clusters selector by selecting it from the dropdown, then click Save.

For more details on scope creation navigate to Help > User Guide

Now that we have defined our demo scope, we will apply your preferred Pod Security Standard to this scope.

Navigate to Enforce > K8s Policies > Add Policy

Create a Policy Name and select your newly created Scope then hit Next.
​

Now you are viewing the Rules page, this page contains a variety of preconfigured rule sets which can control K8s configurations for: Workload Security, Network, Quota, RBAC, Volume, Command and CRD. To get started we will leverage the templated policies which contain the Pod Security Standard guidance.

Select the 'Apply Templates' drop down.

CBC Container Security provides several templated policies to enable organizations to adopt baseline configuration standards as defined by Kubernetes and CIS Benchmarks. These templated policies allow our customers to enforce continuous compliance and enable governance and control over security posture of containerized applications.

Templated Policy Breakdown:

Once you have chosen the desired template policy hit Next.

Typically when applying Pod Security Standards organizations run against challenges verifying the operational impact they will experience. CBC Container Security builds the ability to identify impact in the policy build pipeline.

Review the built in violation simulation to get a picture of what workloads are violating these rules to-date and exclude or scope out where appropriate.

Once you have completed your review, click Save

Apply the compromised container yaml file:

Create a local proxy to reach the exposed dashboard service:

Visit the dashboard by opening http://localhost:8080 on your browser from within the VMware Tanzu Horizon Desktop

Hit Ctrl + C to exit out of the running proxy.

List the myapp pod. Copy the App name (Highlighted in screenshot below) by using Right Click or Ctrl + C

Replace <dashboard-name> in the below command with the App name copied in previous step

List all running processes

Finally, let's exit out of the dashboard using the 'exit' command

Now that you have exec access, you are able to take the execution steps further to expose and compromise the application. For the purpose of understanding your risk and how CBC Container can help you mitigate that risk we will move from alert into a blocking posture.

Navigate to Enforce > K8 Policies select ‘edit’ on your configured Policy.

Under Command, Modify “Exec to container” and “Port Forwarding” to Block.

Hit Next > Next > Save.

Now we will attempt to take the same actions on our second cluster protected via CBC Container Security Policy.

Let us try to execute the local proxy command again to reach the exposed dashboard service. You will see that the request is denied by CBC Container Security "Blocked by Kubernetes security policies".

Once again, list all pods. Copy the App name (Highlighted in screenshot below) by using Right Click or Ctrl + C

Attempt to Exec to dashboard app

You will see that the request is denied by CBC Container Security "Blocked by Kubernetes security policies"

On your local Browser, attempt to refresh the Dashboard once again. You will not be able to access the site anymore, verifying that CBC Container Security has restricted the vulnerable application.

Navigate to the CBC Console to Harden > K8s Violations to review the block notification verifying the enforcement of pod security standards.

This concludes the walkthrough. Please check out TechZone for more best practices and technical guides. Thank you for your time! Come back soon and try another walkthrough with us!
​

Review Our Knowledge Base

Submit a Ticket