Installing K10 with Iron Bank Images

Iron Bank, which is a crucial part of Platform One, the DevSecOps managed services platform for the United States (US) Department of Defense (DoD), acts as the central repository for all hardened images that have gone through the container hardening process. It serves as the DoD's Centralized Artifacts Repository (DCAR), housing these secure images.

All images required to deploy K10 have gone through this process and can be viewed in Iron Bank's catalog.

Note

To view the catalog, registration with Platform One is necessary. If you do not have an account, follow the registration instructions on the catalog page.

The catalog page shows the verified findings, compliance details, and overall risk assessment score associated with each image.

Diving into a specific image shows additional information including the Software Bill of Materials (SBOMs) in both SPDX and CycloneDX formats. It also provides Vulnerability Assessment Tracker (VAT) findings, showcasing justifications for vulnerabilities and their verification status.

Warning

Getting newly released versions of K10 images through the Iron Bank hardening process can take some time. This may result in the unavailability of new releases for Iron Bank-based deployments for a few days following the release of standard K10 images.

Registry1

Iron Bank uses Harbor for its registry, which can be accessed using your Platform One credentials.

The username and password required for pulling images from Registry1 via the command line can be found by clicking on your profile in the upper right corner.

Note

The password is the same as the CLI secret token.

K10 images can be found by using the search bar at the top of the screen and searching for veeam or kasten. Clicking on an image provides more information, such as the tags that can be pulled and the sha256 of the image.

Images are signed by Cosign and the relevant information is shown for each valid image.

Installing K10

Deploying K10 with Iron Bank hardened images is possible using the public Kasten Helm chart. Please ensure that the prerequisites have been met.

Fetching the Helm Chart Values for Iron Bank Images

Before installing or upgrading the chart, download the Iron Bank Helm values file by executing the following command:

$ curl -sO https://docs.kasten.io/ironbank/ironbank-values.yaml

This file contains the correct helm values that ensure the deployment of K10 only with Iron Bank hardened images.

Note

This file is protected and should not be modified. It is necessary to specify all other values using the corresponding Helm flags, such as --set, --values, etc.

Providing Registry1 Credentials for K10 Helm Deployment

Since all images are pulled from Registry1 for a K10 deployment using Iron Bank hardened images, your credentials must be provided in order to successfully pull the images.

Credentials can be provided by using either:
  • --set secrets.dockerConfig=<BASE64 ENCODED DOCKERCONFIG>, or

  • --set-file secrets.dockerConfigPath=<PATH TO DOCKERCONFIG>

The dockerconfig encoded in base64 can be created with the jq tool:

# The command substitution is quoted and newlines are stripped because
# GNU base64 wraps its output at 76 characters.
jq -nc \
--arg registry "registry1.dso.mil" \
--arg username "${REGISTRY1_USERNAME}" \
--arg password "${REGISTRY1_CLI_SECRET}" \
--arg auth "$(printf "%s:%s" "${REGISTRY1_USERNAME}" "${REGISTRY1_CLI_SECRET}" | base64 | tr -d '\n')" \
'{"auths":{($registry):{"username":$username,"password":$password,"auth":$auth}}}' \
| base64 | tr -d '\n'

Installing K10 with Iron Bank Hardened Images

To install K10 with Iron Bank hardened images, execute the following command:

$ helm upgrade --install k10 kasten/k10 --namespace=kasten-io \
    --values=<PATH TO DOWNLOADED ironbank-values.yaml> \
    --set secrets.dockerConfig=<BASE64 ENCODED DOCKERCONFIG> \
    --set global.imagePullSecret=k10-ecr \
    ...

Warning

The admin image is not used in Iron Bank deployments, preventing the download of PDF reports. However, you can still view them in the K10 UI.

Since the only difference from a standard K10 installation is the set of images used, the rest of the process can follow the official K10 documentation.
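A pre-install check, added here as an example and not taken from the Kasten documentation: render the chart with helm template using the same flags as the install command, then confirm that every image: field points at registry1.dso.mil. The function names and the sample manifest are constructed for illustration, and only image: fields are inspected.

```shell
#!/bin/sh
# Added example (not from the Kasten docs). Typical use, with the same flags
# as the install command:
#   helm template k10 kasten/k10 --namespace=kasten-io \
#       --values=ironbank-values.yaml | non_ironbank_images
# Assumption: only `image:` fields are checked; image references passed
# through env vars or ConfigMaps are outside the scope of this check.

EXPECTED_REGISTRY="registry1.dso.mil"

# Reads rendered YAML on stdin, prints each unique image reference.
list_images() {
    sed -n 's/^[[:space:]-]*image:[[:space:]]*//p' \
        | tr -d "\"'" \
        | sed 's/[[:space:]]*#.*$//; s/[[:space:]]*$//' \
        | grep -v '^$' \
        | sort -u
}

# Reads rendered YAML on stdin, prints images outside EXPECTED_REGISTRY.
# Returns 0 when all images come from the expected registry, 1 otherwise.
non_ironbank_images() {
    rc=0
    for img in $(list_images); do
        case "$img" in
            "${EXPECTED_REGISTRY}"/*) ;;            # literal prefix match
            *) printf '%s\n' "$img"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample manifest; the image names are placeholders.
sample_manifest() {
    cat <<'EOF'
apiVersion: apps/v1
kind: Deployment
spec:
  template:
    spec:
      initContainers:
        - name: init
          image: "registry1.dso.mil/example/init:1.0.0"
      containers:
        - name: svc
          image: registry1.dso.mil/example/svc:1.0.0
          imagePullPolicy: Always
        - image: docker.io/example/sidecar:latest  # not from Registry1
          name: sidecar
EOF
}
```

A non-zero exit status from non_ironbank_images means at least one rendered image would be pulled from outside Registry1, for example because an extra --set or --values flag overrode an image setting.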

Using Iron Bank K10 Images in an Air-Gapped Environment

Iron Bank hardened K10 images can be used in an air-gapped environment by following the instructions found here.

Implementing Iron Bank for K10 Disaster Recovery

The Iron Bank hardened restorectl image can be used for K10 disaster recovery by following the instructions found here.