Installing Veeam Kasten with Iron Bank Images
Iron Bank, which is a crucial part of Platform One, the DevSecOps managed services platform for the United States (US) Department of Defense (DoD), acts as the central repository for all hardened images that have gone through the container hardening process. It serves as the DoD's Centralized Artifacts Repository (DCAR), housing these secure images.
All images required to deploy Veeam Kasten have gone through this process and can be viewed in Iron Bank's catalog.
Note
To view the catalog, registration with Platform One is necessary. If you do not have an account, follow the instructions on the catalog page to register.
The catalog page shows the verified findings, compliance details, and overall risk assessment score associated with each image.
Diving into a specific image shows additional information including the Software Bill of Materials (SBOMs) in both SPDX and CycloneDX formats. It also provides Vulnerability Assessment Tracker (VAT) findings, showcasing justifications for vulnerabilities and their verification status.
Warning
Getting newly released versions of Veeam Kasten images through the Iron Bank hardening process can take some time. This may result in the unavailability of new releases for Iron Bank-based deployments for a few days following the release of standard Veeam Kasten images.
Registry1
Iron Bank uses Harbor for its registry, which can be accessed using your Platform One credentials.
The username and password required for pulling images from Registry1 via the command line can be found by clicking on your profile in the upper right corner.
Note
The password is the same as the CLI secret token.
Veeam Kasten images can be found by using the search bar at the top of the screen and searching for veeam or kasten. Clicking on an image provides more information, such as the tags that can be pulled and the sha256 of the image.
Images are signed by Cosign and the relevant information is shown for each valid image.
Installing Veeam Kasten
Deploying Veeam Kasten with Iron Bank hardened images is possible using the public Kasten Helm chart. Please ensure that the prerequisites have been met.
Fetching the Helm Chart Values for Iron Bank Images
Before installing or upgrading the chart, download the Iron Bank Helm values file by executing the following command:
$ curl -sO https://docs.kasten.io/ironbank/ironbank-values.yaml
This file contains the correct helm values that ensure the deployment of Veeam Kasten only with Iron Bank hardened images.
Note
This file is protected and should not be modified. It is necessary to specify all other values using the corresponding Helm flags, such as --set, --values, etc.
Providing Registry1 Credentials for Veeam Kasten Helm Deployment
Since all images are pulled from Registry1 for a Veeam Kasten deployment using Iron Bank hardened images, your credentials must be provided in order to successfully pull the images.
Credentials can be provided by using either:
- --set secrets.dockerConfig=<BASE64 ENCODED DOCKERCONFIG>, or
- --set-file secrets.dockerConfigPath=<PATH TO DOCKERCONFIG>
The dockerconfig encoded in base64 can be created with the jq tool:
# tr -d '\n' removes the line wrapping some base64 implementations add, so each value stays on one line
jq -nc \
--arg registry "registry1.dso.mil" \
--arg username "${REGISTRY1_USERNAME}" \
--arg password "${REGISTRY1_CLI_SECRET}" \
--arg auth "$(printf "%s:%s" "${REGISTRY1_USERNAME}" "${REGISTRY1_CLI_SECRET}" | base64 | tr -d '\n')" \
'{"auths":{($registry):{"username":$username,"password":$password,"auth":$auth}}}' \
| base64 | tr -d '\n'
Installing Veeam Kasten with Iron Bank Hardened Images
To install Veeam Kasten with Iron Bank hardened images, execute the following command:
$ helm upgrade --install k10 kasten/k10 --namespace=kasten-io \
--values=<PATH TO DOWNLOADED ironbank-values.yaml> \
--set secrets.dockerConfig=<BASE64 ENCODED DOCKERCONFIG> \
--set global.imagePullSecret=k10-ecr \
...
Since the only differences as compared to a standard Veeam Kasten installation are the images used, the rest of the process can follow the official Veeam Kasten documentation.
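A pre-install check that the rendered chart references only images from Registry1, as an added example that is not part of the Veeam Kasten documentation. The function names and the sample manifest are constructed for illustration, and only image: fields in the rendered YAML are inspected.

```shell
#!/bin/sh
# Added example, not from the Veeam Kasten docs. Intended use (flags as in the
# install command above):
#   helm template k10 kasten/k10 --namespace=kasten-io \
#     --values=ironbank-values.yaml | non_ironbank_images
IRONBANK_REGISTRY="registry1.dso.mil"

# Print each distinct value of an "image:" field in YAML read from stdin.
# Only "image:" keys are inspected; references passed another way are missed.
list_images() {
  sed -n -E 's/^[[:space:]-]*image:[[:space:]]*//p' \
    | tr -d "\"'" \
    | sed -E 's/[[:space:]]+#.*$//; s/[[:space:]]+$//' \
    | awk 'NF' | sort -u
}

# Print images whose reference does not start with "<registry>/" and return 1
# if there are any. The trailing slash makes this a whole-hostname match.
non_ironbank_images() {
  _bad=$(list_images | awk -v p="${IRONBANK_REGISTRY}/" 'index($0, p) != 1')
  if [ -n "$_bad" ]; then
    printf '%s\n' "$_bad"
    return 1
  fi
  return 0
}

# Constructed sample manifest (image names are placeholders, not real paths).
SAMPLE_MANIFEST=$(cat <<'EOF'
spec:
  containers:
    - name: a
      image: registry1.dso.mil/example/project/component-a:1.0.0
      imagePullPolicy: Always
    - name: b
      image: "gcr.io/example/component-b:1.0.0"
    - image: registry1.dso.mil.example.com/example/component-c:1.0.0  # constructed
EOF
)

if offenders=$(printf '%s\n' "$SAMPLE_MANIFEST" | non_ironbank_images); then
  echo "all images come from ${IRONBANK_REGISTRY}"
else
  echo "images not from ${IRONBANK_REGISTRY}:"
  printf '%s\n' "$offenders"
fi
```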
Using Iron Bank Veeam Kasten Images in an Air-Gapped Environment
Iron Bank hardened Veeam Kasten images can be used in an air-gapped environment by following the instructions found here.
Implementing Iron Bank for Veeam Kasten Disaster Recovery
The Iron Bank hardened restorectl image can be used for Veeam Kasten disaster recovery by following the instructions found here.