►
From YouTube: Handling Container Vulnerabilities with Open Policy Agent - Teppei Fukuda, Aqua Security
Description
Don’t miss out! Join us at our upcoming events: EnvoyCon Virtual on October 15 and KubeCon + CloudNativeCon North America 2020 Virtual from November 17-20. Learn more at https://kubecon.io. The conferences feature presentations from developers and end users of Kubernetes, Prometheus, Envoy, and all of the other CNCF-hosted projects.
Handling Container Vulnerabilities with Open Policy Agent - Teppei Fukuda, Aqua Security
A vulnerability scanner for containers doesn’t help a user decide how to handle vulnerabilities. For example, even if a critical vulnerability is found, some organizations may accept the risk of it. The policy for vulnerability handling depends on the organization, and in many cases, the person in charge has to make a manual judgement based on this policy every time. This is time-consuming. This talk demonstrates how to automatically handle vulnerabilities detected by a scanner using OPA. - The vulnerabilities found by a scanner in CI are handled automatically by Open Policy Agent - Applying custom policy, OPA shows users which vulnerabilities to address This automatic vulnerability handling in CI will be demonstrated live, along with Trivy, which is an open source vulnerability scanner for containers. The same policy handling model could be used with any scanner.
https://sched.co/Zekd
A
A
A
A
A
A
A
A
For
that
purpose,
you
can
use
the
vulnerability
scanner,
which
automatically
does
does
the
things
I
explained
just
before.
There
are
many
security
solutions
in
the
cloud-native
area,
mixing
open
source
and
commercial
products.
It
also
includes
3b,
I
developed,
applying
vulnerabilities
scanning
reduces
the
number
of
vulnerabilities
you
have
to
investigate.
A
A
How
can
we
reduce
vulnerabilities
more
take
a
look
at
this
chart?
A
vulnerability
basically
has
a
cvss
based
score,
indicating
the
stability.
The
score
varies
from
0
to
10.
10
means
the
most
critical
cbss
consists
of
three
metric
groups
base
temporal
and
environmental,
but
in
this
presentation
I'll
be
talking
about
the
base
metrics
and
score
because
nvda
provides
base
metrics
only
as
you
can
see,
there
are
not
so
many
high
risk
vulnerabilities
only
five
point.
Seven
percent
of
the
vulnerabilities
have
a
score
of
eight
or
more
filtering
based
on
cvs.
A
A
Let's
consider
whether
the
services
score
is
reliable
in
the
case
of
hard
blade,
which
affects
open,
ssl,
the
cvss
v2
score.
It
sets
5.0
media
according
to
the
cvss
score.
It
doesn't
look
like
it's
a
dangerous
vulnerability.
Can
we
think
of
this
vulnerability
as
negligible
and
ignore
it?
As
noted
in
this
article
hackers
exploited
this
vulnerability,
so
this
vulnerability
is
not
negligible.
A
A
A
Of
course,
if
you
don't
need
it
completely,
you
should
delete
it
from
the
image.
Also,
you
might
be
able
to
accept
the
risk
of
cross-site
scripting.
If
your
system
is
a
static
website
and
you
perhaps
can
ignore
the
vulnerability
which
requires
user
interaction
like
opening
the
email
and
clicking
the
link,
this
policy
should
be
customized
depending
on
your
system
and
requirement,
and
the
system
managing
customers
assets
like
bank
account
and
system
just
publishing
an
article
like
the
blog,
must
have
different
policies.
A
A
Cbss
vector
string
consists
of
eight
elements
called
cbss
metrics.
Each
metric
value
is
used
to
score
the
vulnerability,
for
example,
attack
vector
this
matrix
reflects
the
context
by
which
vulnerability
exploitation
is
possible.
This
metric
value
will
be
larger.
The
more
remote
an
attacker
can
be
in
order
to
exploit
the
vulnerable
component.
A
A
So
it
allows
you
to
handle
vulnerabilities
automatically,
and
I
propose
to
use
open
process
agent
to
automate
vulnerability.
Handling
open
agent
is
open
source
policy,
engine
and
cncf
project.
You
have
to
write
a
policy
written
by
rego
and
pass
it
to
opera
with
input.
Json
opera
evaluates
the
policy
and
returns
the
result,
it's
usable
as
a
library
and
service.
A
Now
you
can
put
the
policy
into
lego.
The
policy
written
in
regal
should
be
like
this
on
the
right.
You
can
see
the
vulnerability
detail
of
the
input
you
can
see.
The
package
name,
cwid
cb
id
services
score
vector
on
the
left.
We
can
see
the
pretty
simple
rules
if
the
package
name
is
bash
or
cw
id
is
79
or
user
interaction
is
required
or
services
based
score
is
less
than
7.
The
vulnerability
is
going
to
be
negligible.
A
A
A
If
it's
not
the
case
in
your
organization,
you
probably
need
the
policy
to
accept
some
risk.
Here's
a
summary
of
what
I've
been
talking
about
so
far
at
first
vulnerability
scanning
filters
to
only
those
vulnerabilities
that
are
relevant
to
your
organization,
then
oprah
filters
out
vulnerabilities
that
you
can
accept
the
risk.
This
whole
process
is
automated.
A
A
A
A
A
Also
when
it's
not
exploitably
motoring,
or
it
requires
high
privilege,
like
administration
or
needs
user
interaction,
and
they
will
be
marked
negligible
in
this
example.
Okay,
so
let
me
show
the
demo
of
integration
into
vcli
at
first.
Let's
try
scanning
center
7
without
any
policy
in
this
demo.
The
result
of
detail
is
not
needed,
so
I
am
redirecting
it
to
the
null.
A
We
can
see
the
number
of
vulnerabilities
622,
it's
a
hard
task
to
check
all
vulnerabilities
next.
Looking
into
the
policy
example,
as
I
explained,
it
ignores
some
packages,
some
disabilities
and
a
vulnerability
that
can't
be
exploited
remotely
or
requires
high
privilege,
like
administrator
or
requires
user
interaction
or
a
cross-site
request.
Forgery.
In
this
case.
A
A
A
A
A
It
works
as
custom
controller
to
scan
an
image
in
advance
and
admission
controller
to
validate
an
image.
A
user
tries
to
deploy.
Let's
take
a
look
at
the
architecture
at
first,
a
user
registers,
an
image
name.
They
want
to
deploy
as
a
custom
resource
to
be
enforcer,
watches
the
custom
resource
as
custom
controller
and
fetches
the
image
name.
A
A
A
If
there
is
no
vulnerability
by
relating
the
policy
to
the
enforcer,
allows,
the
deploy
of
the
image
all
right
so
I'll
demonstrate
how
turbine
processor
works
with
open
agent
in
the
kubernetes
cluster
and
prevents
a
vulnerable
image
from
being
deployed
at
first.
I
am
checking
parts
in
the
default
namespace.
A
A
A
A
A
A
A
A
A
But
we
already
have
the
logic
to
evaluate
the
vulnerabilities
in
tribute
to
ignore,
so
we
can
just
call
the
imported
rule
here
to
contribute
to
ignore,
but
the
ignore
means
you
can
accept
the
risk
while
denies
that
you
cannot
accept
a
risk.
So
we
need
a
not
and
you
can
define
the
message
so,
for
example,
the
image
for
okay.
That's
it.
A
A
A
A
A
A
A
A
A
A
If
you
use
herba
as
a
container
registry,
3b
enforcer
can
clearly
hover
to
fetch
vulnerabilities
of
the
image
because
harvard
supports
image
scanning
in
the
registry.
In
that
case,
you
don't
need
to
add
a
custom
resource
for
free
scanning,
so
I
have
the
demo
of
open
integration
with
hardware
register.
A
A
We
need
a
different
policy
than
the
one
we
just
used
with
3b,
because
hubble
has
a
different
format
of
the
scale
result
so
defining
the
process
for
harder.
The
package
name
must
be
kubernetes
by
dating
harbor
and
includes
deny
with
the
message
in
this
example.
It
just
denies
the
vulnerabilities
of
high
and
critical
stability
and
remove
streams
policy
used
in
the
previous
demo.
A
A
So,
as
you
can
see,
the
image
has
been
created,
so
you
can
probably
image
assurance
throughout
the
development
life
cycle
in
local
development
and
continuous
integration.
You
can
run
3b
cli
with
minus
minus.
Ignore
policy
option
then
to
the
enforcer
can
be
used
in
a
kubernetes
cluster
to
reject
the
drawings
image
with
critical
vulnerabilities.