Helm plugin

The Cisco Panoptica Helm plugin works with Helm to report to Panoptica the pod-template workloads you are deploying to your Kubernetes clusters. Panoptica generates an identity for each of these workloads, which can then be managed by Panoptica Runtime Policies.

The plugin also scans CD workloads before deployment, to look for security issues. You can configure the maximum risk level that will be permitted for a workload to be deployed. Workloads with risk exceeding this level will fail the build stage, and not be deployed.

Scan

The plugin scans the installation bundle (for Helm, the Helm Chart) for the following:

  • Security context - checks for overly permissive configurations, such as privileged pods.
  • Roles and ClusterRoles - checks for overly permissive roles.
  • ConfigMap and env sections of pods, deployments, and stateful sets - checks for secrets configured as plain text (instead of Kubernetes Secret objects).
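As an added illustration of the three checks above, and of the --max-risk gate described later under "Use in Helm", here is a small Python checker over rendered manifests. It is not the plugin's own code: the sample manifests are constructed inline, and the severity assigned to each finding and the regex for secret-looking names are assumptions.

```python
import json
import re

SECRET_RE = re.compile(r"passw(or)?d|secret|token|api[_-]?key", re.I)
RISK = {"NO RISK": 0, "MEDIUM": 1, "HIGH": 2}  # order of the --max-risk levels

# Constructed sample of what `helm template` could render, written as JSON so it parses
# with the standard library; real chart output is YAML (use a YAML loader for that).
SAMPLE = json.loads('''[
 {"kind": "Deployment", "metadata": {"name": "web"}, "spec": {"template": {"spec": {
   "containers": [{"name": "app", "securityContext": {"privileged": true},
     "env": [{"name": "DB_PASSWORD", "value": "hunter2"},
             {"name": "DB_USER", "valueFrom": {"secretKeyRef": {"name": "db", "key": "u"}}}]}]}}}},
 {"kind": "ClusterRole", "metadata": {"name": "admin-ish"},
   "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
 {"kind": "ConfigMap", "metadata": {"name": "cfg"}, "data": {"LOG_LEVEL": "info", "API_TOKEN": "abc"}}]''')

def pod_spec(doc):
    # Pod spec of a Pod, or of the pod template inside a Deployment/StatefulSet
    kind = doc.get("kind")
    if kind == "Pod":
        return doc.get("spec", {})
    return doc.get("spec", {}).get("template", {}).get("spec", {}) if kind in ("Deployment", "StatefulSet") else None

def scan(docs):
    """Return (severity, message) findings for the three checks listed above."""
    out = []
    for doc in docs:
        name = f"{doc.get('kind')}/{doc.get('metadata', {}).get('name')}"
        spec = pod_spec(doc)
        if spec is not None:
            for c in spec.get("containers", []) + spec.get("initContainers", []):
                if c.get("securityContext", {}).get("privileged"):
                    out.append(("HIGH", f"{name}: container {c['name']} is privileged"))
                for env in c.get("env", []):  # literal value instead of a secretKeyRef
                    if SECRET_RE.search(env["name"]) and "value" in env:
                        out.append(("MEDIUM", f"{name}: env {env['name']} is a plain-text secret"))
        elif doc.get("kind") in ("Role", "ClusterRole"):
            for rule in doc.get("rules", []):  # wildcard verbs or resources
                if "*" in rule.get("verbs", []) or "*" in rule.get("resources", []):
                    out.append(("HIGH", f"{name}: wildcard RBAC rule {rule}"))
        elif doc.get("kind") == "ConfigMap":
            for key in doc.get("data", {}):  # secret-looking key stored as plain text
                if SECRET_RE.search(key):
                    out.append(("MEDIUM", f"{name}: ConfigMap key {key} looks like a secret"))
    return out

def deploy_allowed(findings, max_risk):
    """Gate like --max-risk: deploy only if no finding exceeds the permitted level."""
    return all(RISK[sev] <= RISK[max_risk] for sev, _ in findings)
```

Feed it the documents from `helm template` (parsed with a YAML loader) to see which of the three checks a chart would trip before the real scan runs in the build stage.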

Supported platforms

Linux - Ubuntu, CentOS

Install the plugin

Service Account

  1. On the Panoptica console, create a user with the Service role. This user will be used by the plugin. Copy the Token values; they will be used by the plugin (see below).

Helm 2

  1. Navigate to the Development page, and select the PLUGINS tab. Scroll down to the CD PLUGINS section, and select HELM2.
  2. Download the plugin using the link on the page.
  3. Copy the plugin to the Helm plugin directory (Helm 2 reports its home directory with helm home):
cd "$(helm home)/plugins"
  4. Run this command to unpack the plugin:
tar -xzvf securecn_plugin.tar.gz

Helm 3

  1. Navigate to the Development page, and select the PLUGINS tab. Scroll down to the CD PLUGINS section, and select HELM3.
  2. Download the plugin using the link on the page.
  3. Copy the plugin to the Helm plugin directory (Helm 3 reports it with helm env HELM_PLUGINS):
cd "$(helm env HELM_PLUGINS)"
  4. Run this command to unpack the plugin:
tar -xzvf securecn_plugin.tar.gz
  5. Run this command to install the plugin:
helm plugin install securecn
  6. Move the crds folder to the root location of the Helm Chart:
cp -r crds <CHART_FOLDER>

Use in Helm

Use the plugin with Helm install or upgrade commands as follows:

Instead of

helm install --namespace ... --name ... image

Use

helm securecn --command 'install --name ... image' --namespace ... --access-key <access-key> --secret-key <secret-key> --controller-secret-key <controller-secret-key>

The keyword 'securecn' activates the plugin when you deploy your workloads (install or upgrade commands). The plugin uses the rendered YAML to identify the pod templates in your deployment, and sends information about them to Panoptica.

The --namespace flag selects the namespace scope. You can also use --kube-context to select the kubeconfig context, and --kubeconfig to set the path to the kubeconfig file.

For access-key, controller-secret-key, and secret-key, use the Token keys for the Panoptica service account, created above.

To run a security check before running the command, use this format:

helm securecn --command 'install --name ... image' --namespace ... --access-key <access-key> --secret-key <secret-key> --controller-secret-key <controller-secret-key> --run-security-check --max-risk <risk-level>

The --max-risk flag sets the maximum risk level that is permitted for any security issue discovered in the build scan. This can be HIGH, MEDIUM, or NO RISK. If the risk of a discovered issue exceeds the selected level, the workload will not be deployed. If the flag is omitted, the security check will not block deployment.

Usage

Run the following for help on using the plugin:

helm securecn --help