Deploying Aqua Enforcers

Deploying Aqua Enforcers

This section describes the deployment of an Aqua Enforcer with BOSH on all Diego cells in your CF cluster nodes by using a deployment add-on, which automatically deploys a single Aqua Enforcer container on each Diego cell in your cluster.

First, you create a new Enforcer group in the Aqua Server. An Enforcer group is a set of Aqua Enforcers with the same configuration. You need to create one that will work with Tanzu Application Service (TAS); you cannot use the default Enforcer group for this.

A byproduct of the Enforcer group creation is the add-on required for BOSH. Aqua does not automatically deploy the Enforcer on Diego cells; you do this by using BOSH commands.

All Enforcers deployed with the following commands will have the same configuration. If you need Enforcers with different characteristics, you will need to create one or more additional Enforcer groups.

Create an Enforcer group

  1. In the Aqua UI: Click Enforcers.
  2. Click Add Enforcer Group.
  3. On the Enforcers > Create new group screen that appears, fill in these settings:

Basic parameters

Parameter Description
Enforcer Type Select Aqua Enforcer
Group Name Enter the name for the Enforcer Group; this name will appear in the list of Enforcer groups
OS Type Select the OS type for the host
Orchestrator Tanzu Application Service (TAS)
Service Account (do not specify this)
Container Runtime Select the container runtime environment from the drop-down list
Project (do not specify this)
Logical Name (optional) A logical name for the Enforcer image; this can be any text string
Aqua Gateways Select the Aqua Gateway(s) that the Enforcer will use to communicate with the Aqua Server. At this point, there will be only one Gateway.
Installation Token Leave this field blank; a value will be generated automatically, and used in the DaemonSet
Description (optional) A description for the DaemonSet YAML command

Security settings

Setting Explanation
Enforcement Mode Select Enforcement for the Enforcer to enforce Runtime Policies on containers on this host. Select Audit Only if you do not want the Enforcer to enforce Runtime Policies. In Audit Only mode, the Enforcer will add audit entries for any Runtime Policy violations.
Allowed Aqua Labels Select labels that must be assigned to images in order for the images to be permitted to run on the host; if blank, an image with any (or no) label will be permitted.
Allowed Registries Select registries from which images can be pulled, to run as containers on the host; if blank, all registries are permitted.

Auditing settings

Setting Explanation
Audit host successful login events If selected, successful host logins will generate Audit events.
Audit host failed login events If selected, failed host logins will generate Audit events.

Container Protection settings

Setting Explanation
Image Assurance Selecting this option will prevent containers from running based on Container Runtime Policy controls such as “Block Unregistered Images” and “Block Non-compliant Images”, or the “Blacklisted Images” control under the Default Image Assurance Policy.
Runtime Activity Selecting this option will apply Container Runtime Policies, Image Profiles, and Service membership rules.
System Call Monitoring This option is available only if Runtime Activity is selected. Selecting this option will allow profiling and monitoring system calls made by running containers.
Container Firewall Selecting this option will apply Container Firewall Policies and allow recording network maps for services.
User Access Control Selecting this option will apply User Access Control Policies. Enforcers must be deployed with the “AQUA_RUNC_INTERCEPTION” environment variable set to 0 in order to use User Access Control Policies.

Host Protection settings

Setting Explanation
Runtime Controls Selecting this option will apply host-related Container Runtime Policy controls: Forensics (Host), Whitelisted OS Users and Groups, and Blacklisted OS Users and Groups.

Advanced settings

Setting Explanation
Host Images Discovery Selecting this option will allow Enforcers to discover local host images. The images will be listed under Images → HOST IMAGES, as well as under Hosts, in the Images tabs of given hosts.

  1. Click Create Group. You should see a new screen titled Enforcers > Create new group. The message “Enforcers group successfully created” will be displayed briefly in the upper-right corner of the screen.
  2. Follow the instructions displayed on the screen: