R
R
RapidFort User Documentation
Search…
Welcome to RapidFort
RapidFort Support
RapidFort SaaS
RapidFort SaaS Solution
RapidFort On-Premises
RapidFort On-Premises Solution
RapidFort AWS Prerequisites
RapidFort Helm Chart AWS Deployment
RapidFort Standalone AWS Commercial Console Deployment
RapidFort Standalone AWS GovCloud Console Deployment
Using RapidFort
RapidFort Command Line Interface Tools
RapidFort User Interface
RapidFort Service Accounts
Getting Started Guides
Getting Started: Stub and Harden a Docker Image
Getting Started: Stub and Harden a Docker Image with Docker-Compose
Getting Started: Stub and Harden a Docker Image with Kubernetes
Getting Started: Stub and Harden a Docker Image with GitLab
Getting Started: Stub and Harden a Docker Image with Bitbucket
Getting Started: Scan a Docker Image
How To Guides
Add the SYS_PTRACE Linux Kernel Capability
Verify that Profiling Information is Propagated to RapidFort
Download Reports
RapidFort GitLab CI/CD Integration
Using RapidFort with Helm Charts
Scanning with RapidFort
Overview
Registry Configuration
Scanning Images
Scanning Container Registries
Scanning Amazon Elastic Container Registry (ECR) Images
Advanced Features
Workload Tags
Hardening Features
Hardening Profiles
Powered By GitBook
Getting Started: Stub and Harden a Docker Image with Kubernetes
Use the RapidFort Command Line Interface (CLI) tools to stub and harden a Docker image with Kubernetes

Prerequisites

You will need the following:
  • RapidFort server (SaaS or On-Premises) and account
  • Client System with the RapidFort Command Line Interface Tools installed
  • Kubernetes
    • Make sure that your Kubernetes environment has access to the RapidFort server
  • Container Registry (for example, Amazon Elastic Container Registry, Docker Hub, Microsoft Azure Container Registry, and so forth)

Stub, Test, and Harden the MySQL Docker Image

In this tutorial, we will stub, test, and harden the MySQL Docker image.
Original Image: The MySQL Docker image available directly from Docker Hub. The original image has not yet been optimized and secured by RapidFort and may have known vulnerabilities.
Stub Image: The original image with additional dependencies necessary for RapidFort to trace the runtime behavior.
Hardened Image: The optimized and secured image generated by RapidFort.

Part 1: Get and Deploy the Original Image

Step 1.1: Pull the Original Image

First, pull the latest MySQL Docker image from Docker Hub:
1
docker pull mysql:latest
Copied!

Step 1.2: Push the Original Image to Your Container Registry

Tag the MySQL Docker image and push the image to your container registry so that we can deploy this with Kubernetes.
1
docker tag mysql:latest registry.example.com/mysql:latest
Copied!
1
docker push registry.example.com/mysql:latest
Copied!

Step 1.3: Deploy the Original Image

Download the sample Kubernetes manifest file for deploying the original image to your client system.
Update the image: field to point to your container registry.
mysql.yaml
1
apiVersion: v1
2
kind: Pod
3
metadata:
4
name: mysql
5
labels:
6
name: mysql
7
spec:
8
containers:
9
- name: mysql
10
image: registry.example.com/mysql:latest
11
env:
12
- name: "MYSQL_USER"
13
value: "mysql"
14
- name: "MYSQL_PASSWORD"
15
value: "mysql"
16
- name: "MYSQL_DATABASE"
17
value: "example"
18
- name: "MYSQL_ROOT_PASSWORD"
19
value: "secret"
20
ports:
21
- containerPort: 3306
Copied!
Make a note of the MySQL password (secret).
To deploy the original MySQL container, run the following command:
1
kubectl apply -f mysql.yaml
Copied!

Step 1.4: Test the Original MySQL Container

Test the original MySQL container.
1
kubectl exec -it mysql -- bash
Copied!
Run the following command. You will be prompted for the MySQL password (secret).
1
kubectl exec -it mysql -- mysql -u root -p -e 'show databases'
Copied!

Step 1.5: Remove the Original MySQL Pod

After testing the original MySQL container, run the following command to remove the pod:
1
kubectl delete -f mysql.yaml
Copied!

Part 2: Generate and Deploy the Stub Image

If you have not already done so, please install the RapidFort CLI tools on your client system.

Step 2.1: Log into RapidFort

Log into RapidFort. Enter your password if prompted.
1
rflogin <email_address>
Copied!

Step 2.2: Generate a Stub Image

Run rfstub to generate a stub image.
1
rfstub registry.example.com/mysql:latest
Copied!
By default, this will generate a stub image called registry.example.com/mysql:latest-rfstub.

Step 2.3: Push the Stub Image to the Container Registry

Push the stub image to the container registry so that we can deploy this with Kubernetes.
1
docker push registry.example.com/mysql:latest-rfstub
Copied!

Step 2.4: Deploy the Stub Image

Download the sample Kubernetes manifest file for deploying the stub image to your client system.
Update the image: field to point to your container registry.
mysql-stub.yaml
1
apiVersion: v1
2
kind: Pod
3
metadata:
4
name: mysql
5
labels:
6
name: mysql
7
spec:
8
containers:
9
- name: mysql
10
image: registry.example.com/mysql:latest-rfstub
11
securityContext:
12
capabilities:
13
add: ["SYS_PTRACE"]
14
allowPrivilegeEscalation: true
15
readOnlyRootFilesystem: false
16
env:
17
- name: "MYSQL_USER"
18
value: "mysql"
19
- name: "MYSQL_PASSWORD"
20
value: "mysql"
21
- name: "MYSQL_DATABASE"
22
value: "example"
23
- name: "MYSQL_ROOT_PASSWORD"
24
value: "secret"
25
ports:
26
- containerPort: 3306
Copied!
Please note that the Kubernetes manifest file for running the stub image has the following differences from the manifest file for running the original image:
  • The stub manifest file image: field points to the stub image.
  • The stub manifest file contains an additional securityContext section with updates necessary for RapidFort to trace the runtime behavior.
    • The SYS_PTRACE capability must be added
    • Privilege escalation must be allowed (allowPrivilegeEscalation: true)
    • The root filesystem must allow read/write access (readOnlyRootFilesystem: false)
securityContext:
capabilities:
add: ["SYS_PTRACE"]
allowPrivilegeEscalation: true
readOnlyRootFilesystem: false
Please note that you may run the stub image as a non-root user provided that the necessary updates are made to the security context.
Stub images have an additional runtime overhead of approximately 20%. When deploying stub images, please plan to increase CPU and memory resources by 20%.
You may also need to update the livenessProbe and readinessProbe settings.
To deploy the stub MySQL container, run the following command:
1
kubectl apply -f mysql-stub.yaml
Copied!

Step 2.5: Test the Stub MySQL Container

Test the stub MySQL container.
1
kubectl exec -it mysql -- bash
Copied!
Run the following command. You will be prompted for the MySQL password (secret).
1
kubectl exec -it mysql -- mysql -u root -p -e 'show databases'
Copied!

Step 2.7: Verify that Tracing Information is Propagated to the RapidFort Server

Log into the RapidFort dashboard. You should see an image list.
Select the mysql:latest image.
In the left column, select Logs. Verify that the Logs table contains tracing information. You should see file accesses, system calls, and so forth. The Logs table contents are updated in real time.
If the Logs table is empty, please verify the following:
  • The stub image (mysql:latest-rfstub) is currently deployed and running
  • The Kubernetes manifest file for the stub image contains a securityContext section that adds the SYS_PTRACE capability, allows privilege escalation, and allows read/write access to the root filesystem
  • The Kubernetes environment has access to the RapidFort server
When you generate a stub image, RapidFort also scans the original image for packages and known vulnerabilities. You may optionally view the vulnerabilities and packages that were found in the original image from the RapidFort dashboard.

Step 2.8: Remove the Stub MySQL Pod

After testing the stub MySQL container and verifying that profiling information is being propagated to the RapidFort server, run the following command to remove the pod:
1
kubectl delete -f mysql-stub.yaml
Copied!

Part 3: Generate and Deploy the Hardened Image

Step 3.1: Harden the Stub Image

Run rfharden to generate a hardened image.
1
rfharden registry.example.com/mysql:test-rfstub
Copied!
By default, this will generate a hardened image called registry.example.com/mysql:latest-rfhardened.

Step 3.2: Push the Hardened Image to the Container Registry

Push the hardened image to the container registry so that we can deploy this with Kubernetes.
1
docker push registry.example.com/mysql:latest-rfhardened
Copied!

Step 3.3: Deploy the Hardened Image

Download the sample Kubernetes manifest file for deploying the hardened image to your client system.
Update the image: field to point to your container registry.
mysql-hardened.yaml
1
apiVersion: v1
2
kind: Pod
3
metadata:
4
name: mysql
5
labels:
6
name: mysql
7
spec:
8
containers:
9
- name: mysql
10
image: registry.example.com/mysql:latest-rfhardened
11
env:
12
- name: "MYSQL_USER"
13
value: "mysql"
14
- name: "MYSQL_PASSWORD"
15
value: "mysql"
16
- name: "MYSQL_DATABASE"
17
value: "example"
18
- name: "MYSQL_ROOT_PASSWORD"
19
value: "secret"
20
ports:
21
- containerPort: 3306
Copied!
Please note that the Kubernetes manifest file for running the hardened image has the following differences from the manifest file for running the original image:
The hardened manifest file image: field points to the hardened image.
To deploy the hardened MySQL container, run the following command:
1
kubectl apply -f mysql-hardened.yaml
Copied!

Step 3.4: Test the Hardened MySQL Container

Test the hardened MySQL container.
1
kubectl exec -it mysql -- bash
Copied!
Run the following command. You will be prompted for the MySQL password (secret).
1
kubectl exec -it mysql -- mysql -u root -p -e 'show databases'
Copied!

Step 3.5: Remove the Hardened MySQL Pod

After testing the hardened MySQL container, run the following command to remove the pod:
1
kubectl delete -f mysql-hardened.yaml
Copied!

Step 3.6: Visit the RapidFort Dashboard (Optional)

When you generate a hardened image, RapidFort scans the hardened image for packages and known vulnerabilities. Visit the RapidFort dashboard to view known vulnerabilities that were detected in the hardened image and compare the results with the original image.

Review

  • In Part 1, we deployed and tested the original MySQL image.
  • In Part 2, we generated a stub image and deployed and tested the stub MySQL image.
    • When we deployed the stub image, we updated the security context to enable RapidFort to trace the runtime behavior:
      • We added the SYS_PTRACE Linux kernel capability
      • We allowed privilege escalation (allowPrivilegeEscalation: true)
      • We allowed read/write access for the root filesystem (readOnlyRootFilesystem: false)
    • We verified that the tracing information for the stub image was propagated to the RapidFort server.
  • In Part 3, we generated a hardened image and deployed and tested the hardened MySQL image.
Getting Started Guides - Previous
Getting Started: Stub and Harden a Docker Image with Docker-Compose
Next - Getting Started Guides
Getting Started: Stub and Harden a Docker Image with GitLab
Last modified 27d ago
Copy link
Contents
Prerequisites
Stub, Test, and Harden the MySQL Docker Image
Part 1: Get and Deploy the Original Image
Part 2: Generate and Deploy the Stub Image
Part 3: Generate and Deploy the Hardened Image
Review