Installing K10 with Iron Bank Images
Iron Bank, which is a crucial part of Platform One, the DevSecOps managed services platform for the United States (US) Department of Defense (DoD), acts as the central repository for all hardened images that have gone through the container hardening process. It serves as the DoD's Centralized Artifacts Repository (DCAR), housing these secure images.
All images required to deploy K10 have gone through this process and can be viewed in Iron Bank's catalog.
Note
To view the catalog, registration with Platform One is necessary. If you do not have an account, follow the instructions by clicking the catalog page above to register now.
The catalog page shows the verified findings, compliance details, and overall risk assessment score associated with each image.
Diving into a specific image shows additional information, including the Software Bill of Materials (SBOMs) in both SPDX and CycloneDX formats. It also provides Vulnerability Assessment Tracker (VAT) findings, showcasing justifications for vulnerabilities and their verification status.
Warning
Getting newly released versions of K10 images through the Iron Bank hardening process can take some time. This may result in the unavailability of new releases for Iron Bank-based deployments for a few days following the release of standard K10 images.
Registry1
Iron Bank uses Harbor for its registry, which can be accessed using your Platform One credentials.
The username and password required for pulling images from Registry1 via the command line can be found by clicking on your profile in the upper right corner.
Note
The password is the same as the CLI secret token.
K10 images can be found by using the search bar at the top of the screen and searching for veeam or kasten. Clicking on an image provides more information, such as the tags that can be pulled and the sha256 of the image.
Images are signed by Cosign and the relevant information is shown for each valid image.
Installing K10
Deploying K10 with Iron Bank hardened images is possible using the public Kasten Helm chart. Please ensure that the prerequisites have been met.
Fetching the Helm Chart Values for Iron Bank Images
Before installing or upgrading the chart, download the Iron Bank Helm values file by executing the following command:
$ curl -sO https://docs.kasten.io/ironbank/ironbank-values.yaml
This file contains the correct helm values that ensure the deployment of K10 only with Iron Bank hardened images.
Note
This file is protected and should not be modified. It is necessary to specify all other values using the corresponding Helm flags, such as --set, --values, etc.
Providing Registry1 Credentials for K10 Helm Deployment
Since all images are pulled from Registry1 for a K10 deployment using Iron Bank hardened images, your credentials must be provided in order to successfully pull the images.
Credentials can be provided by using either:
- --set secrets.dockerConfig=<BASE64 ENCODED DOCKERCONFIG>, or
- --set-file secrets.dockerConfigPath=<PATH TO DOCKERCONFIG>
The dockerconfig encoded in base64 can be created with the jq tool:
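# tr -d '\n' removes the line wrapping that GNU base64 applies at 76 columns,
# so both the auth field and the final value are single-line strings.
jq -nc \
--arg registry "registry1.dso.mil" \
--arg username "${REGISTRY1_USERNAME}" \
--arg password "${REGISTRY1_CLI_SECRET}" \
--arg auth "$(printf "%s:%s" "${REGISTRY1_USERNAME}" "${REGISTRY1_CLI_SECRET}" | base64 | tr -d '\n')" \
'{"auths":{($registry):{"username":$username,"password":$password,"auth":$auth}}}' \
| base64 | tr -d '\n'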
Installing K10 with Iron Bank Hardened Images
To install K10 with Iron Bank hardened images, execute the following command:
$ helm upgrade --install k10 kasten/k10 --namespace=kasten-io \
--values=<PATH TO DOWNLOADED ironbank-values.yaml> \
--set secrets.dockerConfig=<BASE64 ENCODED DOCKERCONFIG> \
--set global.imagePullSecret=k10-ecr \
...
Warning
The admin image is not used in Iron Bank deployments, preventing the download of PDF reports. However, you can still view them in the K10 UI.
Since the only differences as compared to a standard K10 installation are the images used, the rest of the process can follow the official K10 documentation.
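The following check is an added example, not part of the Kasten documentation: it lists every image reference in rendered manifests that is not under registry1.dso.mil, which confirms that a release rendered with ironbank-values.yaml pulls only Iron Bank images. The function names and the sample manifest with its image names are constructed for illustration; in practice, pipe in the output of helm template run with the same flags as the install command.

```shell
#!/bin/sh
# Added example: flag images in rendered manifests that are not pulled from
# Iron Bank's Registry1. Typical use (assumes helm and the kasten chart repo):
#   helm template k10 kasten/k10 --namespace=kasten-io \
#     --values=ironbank-values.yaml | non_ironbank_images
REGISTRY="registry1.dso.mil"

# Print every "image:" value read from stdin, unquoted and de-duplicated.
list_images() {
  sed -n 's/^[[:space:]-]*image:[[:space:]]*//p' \
    | sed -e 's/[[:space:]]*#.*$//' -e "s/^[\"']//" -e "s/[\"']\$//" -e '/^$/d' \
    | sort -u
}

# Print images outside $REGISTRY; return 1 if any are found.
# The trailing "/" keeps look-alike hostnames from matching the prefix.
non_ironbank_images() {
  list_images | awk -v reg="$REGISTRY/" \
    'index($0, reg) != 1 { print; bad = 1 } END { exit bad }'
}

# Constructed sample standing in for `helm template` output; the image names
# are placeholders, not real K10 image paths.
sample_manifest() {
  cat <<'EOF'
apiVersion: apps/v1
kind: Deployment
spec:
  template:
    spec:
      initContainers:
        - image: "registry1.dso.mil/ironbank/example/init:1.0.0"
          imagePullPolicy: Always
      containers:
        - name: app
          image: registry1.dso.mil/ironbank/example/app:1.0.0  # trailing comment
        - name: sidecar
          image: gcr.io/example/sidecar:1.0.0
        - name: lookalike
          image: 'registry1.dso.mil.example.test/app:1.0.0'
        - name: implicit-hub
          image: busybox:1.36
EOF
}

# Demo: the three references that are not under Registry1 are listed.
sample_manifest | non_ironbank_images || echo "non-Iron Bank images found" >&2
```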
Using Iron Bank K10 Images in an Air-Gapped Environment
Iron Bank hardened K10 images can be used in an air-gapped environment by following the instructions found here.
Implementing Iron Bank for K10 Disaster Recovery
The Iron Bank hardened restorectl image can be used for K10 disaster recovery by following the instructions found here.