VMware Tanzu and Entrust CloudControl

- Solutions
  - Strong Identities
    1. Identity Verification
      Enable high assurance identities that empower citizens.
    2. ID Issuance
      Issue safe, secure digital and physical IDs in high volumes or instantly.
    3. User Identity
      Elevate trust by protecting identities with a broad range of authenticators.
    4. Machine Identity
      Issue and manage strong machine identities to enable secure IoT and digital transformation.
    5. Digital Signature
      Use secure, verifiable signatures and seals for digital documents.
  - Secure Payments
    1. Financial Issuance
      Issue digital and physical financial identities and credentials instantly or at scale.
    2. Digital Card Solution
      Issue digital payment credentials directly to cardholders from your bank's mobile app.
  - Trusted Infrastructure
    1. Post-Quantum Cryptography
      Find, assess, and prepare your cryptographic assets for a post-quantum world.
    2. Database Security
      Secure databases with encryption, key management, and strong policy and access control.
    3. Multi-cloud Security
      Keys, data, and workload protection and compliance across hybrid and multi-cloud environments.
- Industry
- Compliance
  - 1. PSD2
    2. HIPAA
    3. GDPR
    4. Swift
  - 1. CMMC
    2. eIDAS
    3. NITES
- Featured Products
  - As a Service Products
    1. Identity Verification as a Service
      Citizen verification for immigration, border management, or eGov service delivery.
    2. Identity as a Service (IDaaS)
      Cloud-based Identity and Access Management solution.
    3. Digital Signing as a Service
      Cloud-based digital signing solutions.
    4. Instant ID as a Service
      Issue physical and mobile IDs with one secure platform.
  - 1. Digital Card Solution
      Instantly provision digital payment credentials directly to cardholder’s mobile wallet.
    2. PKI as a Service
      A highly secure PKI that’s quick to deploy, scales on-demand, and runs where you do business.
    3. nShield as a Service
      Subscription-based access to dedicated nShield HSMs for cloud-based cryptographic services.
    4. Seamless Travel as a Service
      Remote identity verification, digital travel credentials, and touchless border processes.
  - 1. Instant Financial Issuance
      In-branch and self-service kiosk issuance of debit and credit cards.
    2. Central Financial Issuance
      High volume financial card issuance with delivery and insertion options.
    3. Instant ID Issuance
      Secure issuance of employee badges, student IDs, membership cards and more.
    4. Central ID Issuance
      Passports, national IDs and driver licenses.
    5. nShield HSMs
      Securely generate encryption and signing keys, create digital signatures, encrypting data and more.
  - 1. Cloud Security, Encryption and Key Management
      Powerful encryption, policy, and access control for virtual and public, private, and hybrid cloud environments.
    2. Digital Certificates
      TLS/SSL, digital signing, and qualified certificates plus services and tools for certificate lifecycle management.
    3. Identity and Access Management (IAM)
      One Identity portfolio for all your users — workforce, consumers, and citizens.
    4. Machine Identity Management
      Centralized visibility, control, and management of machine identities.
    5. Post-Quantum
      Learn what steps to take to migrate to quantum-resistant cryptography.
- Enterprise ID & Issuance
  - Instant ID as a Service
    Issue physical and mobile IDs with one secure platform.
    Learn More
  - Instant Issuance
    1. Sigma Direct-to-Card System
    2. Artista Retransfer System
    3. System Software
      Personalization, encoding and activation.
    4. Supplies
    5. Services
- Financial ID & Issuance
  - Digital Card Solution
    Instantly provision digital payment credentials directly to cardholder’s mobile wallet.
    Learn More
  - Digital Banking
    1. Digital Account Opening
    2. Digital Card Solution
  - Instant Issuance
    1. Sigma Direct-to-Card System
    2. Artista Retransfer System
    3. System Software
      Personalization, encoding and activation.
    4. Supplies
    5. Services
  - Central Issuance
    1. Card Issuance Systems
    2. Inline Card Delivery Systems
    3. Inline Envelope Insertion Systems
    4. Standalone Card Affixing/Envelope Insertion Systems
    5. Standalone Envelope Insertion Systems
    6. System Software
      Personalization, encoding, delivery and analytics.
    7. Supplies
    8. Services
- Government ID & Issuance
  - Digital Citizen
    1. eGovernment service delivery
    2. Identity Verification as a Service
    3. Seamless Travel as a Service
    4. ePassport as a Service
  - Central Issuance
    1. Passports, national IDs and driver licenses.
    2. Passport Issuance Systems
    3. National ID and Driver License Systems
    4. Inline Delivery & Insertion
    5. Standalone Delivery & Insertion
    6. System Software
      ID Personalization, encoding and delivery.
    7. Supplies
    8. Services
  - Instant Issuance
    1. Other citizen IDs and licenses.
    2. Sigma Direct-to-Card System
    3. Artista Retransfer System
    4. System Software
      Personalization, encoding, delivery and analytics.
    5. Supplies
    6. Services
  - Identity Verification as a Service
    Our IDVaaS solution allows remote verification of an individual’s claimed identity for immigration, border management, or digital services delivery.
    Learn More
- Cloud Security Posture Management
  - 1. CloudControl Enterprise for AWS
      Secure and ensure compliance for AWS configurations across multiple accounts, regions and availability zones.
    2. CloudControl Enterprise for Containers
      Security compliance and environmental hardening solution for contains and Kubernetes using VMware Tanzu and RedHat OpenShift platforms.
    3. CloudControl Enterprise for Swift
      Meet the compliance requirements for Swift’s Customer Security Program while protecting virtual infrastructure and data.
    4. CloudControl Enterprise for vSphere and NSX
      Comprehensive compliance, multi-factor authentication, secondary approval, RBAC for VMware vSphere NSX-T and VCF.
    5. CloudControl Foundation for vSphere
      Comprehensive compliance for VMware vSphere, NSX-T and SDDC and associated workload and management domains
  - CloudControl 30-Day Free Trial
    Entrust CloudControl offers comprehensive security and automated compliance across virtualization, public cloud, and container platforms while increasing visibility and decreasing risks that can lead to unintended downtime or security exposure.
    Start Free Trial
- Key Management and Encryption
  - 1. KeyControl for KMIP and Secrets
      Manage all your secrets and encryption keys, including how often you rotate and share them, securely at scale.
    2. KeyControl BYOK
      Create and manage encryption keys on premises and in the cloud. Manage your key lifecycle while keeping control of your cryptographic keys.
    3. KeyControl for Database Encryption
      Integrates with your database for secure lifecycle management of your TDE encryption keys.
    4. KeyControl for Backup and Recovery
      Integrates with your backup and recovery solution for secure lifecycle management of your encryption keys.
  - 1. DataControl for Azure
      Data encryption, multi-cloud key management, and workload security for Azure.
    2. DataControl for AWS
      Data encryption, multi-cloud key management, and workload security for AWS.
    3. DataControl for IBM Cloud
      Data encryption, multi-cloud key management, and workload security for IBM Cloud.
  - KeyControl 30-Day Free Trial
    VMware vSphere and vSAN encryption require an external key manager, and KeyControl is VMware Ready certified and recommended. KeyControl enables enterprises to easily manage all their encryption keys at scale, including how often keys are rotated, and how they are shared securely.
    Start Free Trial
- Hardware Security Modules (HSM)
  - nShield as a Service
    1. Subscription-based access to dedicated nShield Cloud HSMs.
  - nShield HSMs
    1. nShield Connect
      Networked appliances that deliver cryptographic key services to distributed applications.
    2. nShield Solo
      PCI-Express card-based HSMs.
    3. nShield Edge
      Personal, USB-connected desktop HSMs.
  - Management and Monitoring
    1. nShield Monitor
    2. nShield Remote Administration
  - CodeSafe
    1. SDK for securing sensitive code within a FIPS 140-2 Level 3 certified nShield HSM.
    2. Post-Quantum SDK
  - Software Option Packs
  - Compliance and Certification
    1. FIPS 140-2/140-3
    2. Common Criteria
    3. eIDAS
    4. NIST 800-53
    5. GDPR
    6. PSD2
    7. HIPAA
    8. PCI-DSS
    9. NITES
  - Why you need an HSM
    1. Learn about all the details related to what hardware security modules offer you in security and cost savings...
    2. Learn More
  - Use Cases
- TLS/SSL Certificates
  - BUY NOW
    1. Buy Certificates
    2. Renew Certificates
  - TLS/SSL Certificates
  - Qualified Certificates
  - Sales and Services
- Identity and Access Management (IAM)
  - Products
    1. Identity as a Service
      Cloud-Based IAM
    2. Identity Enterprise
      On-prem IAM
    3. Identity Essentials
      On-prem MFA solution for Windows users
    4. APIs and SDKs
  - Integrations
  - Testimonials
  - Workforce
  - Consumer and Citizen
  - Get Entrust Identity as a Service Free for 60 Days
    Explore the Identity as a Service platform that gives you access to best-in-class MFA, SSO, adaptive risk-based authentication, and a multitude of advanced features that not only keep users secure, but also contribute to an optimal experience.
    Start Free Trial
- Electronic and Digital Signing
  - EU Qualified Trust Services
    In addition to our long-standing Adobe Approved Trust List (AATL) membership, we are a European Qualified Trust Service Provider for the issuance of eIDAS qualified certificates for qualified signatures and advanced seals, for PSD2 certificates and for QWACs
    Learn More
  - Digital Signing as a Service
  - Digital Signing Certificates
  - Digital Signing Infrastructure
- Public Trust Certificates
  - Verified Mark Certificates (VMCs) for BIMI
    Show your official logo on email communications. Download our white paper to learn all you need to know about VMCs and the BIMI standard.
    Learn More
  - Buy and Renew TLS/SSL Certificates
    1. Buy Certificates
    2. Renew Certificates
  - Signing Certificates
  - Qualified Certificates
    1. PSD2 Qualified Electronic Seal Certificates
  - Sales and Services
- Public Key Infrastructure (PKI)
  - PKI as a Service
    1. Use Cases
    2. Post-Quantum PKIaaS
  - PKI Products
  - Managed Services
  - Certificate Lifecycle Management
  - Cryptographic Center of Excellence
    1. PKI Health Check
    2. Cryptographic Health Check
  - Try Post-Quantum PKI as a Service Now
    Get PQ Ready. PKIaaS PQ provides customers with composite and pure quantum Certificate Authority hierarchies.
    Try Now
- Internet of Things (IoT) Security
  - Credentialing and Provisioning
  - Machine Identity Management
  - Global PKI IoT Trends Study
    Find out how organizations are using PKI and if they’re prepared for the possibilities of a more secure, connected world.
    Learn More
- Machine Identity Management
  - Lifecycle Management
  - Credentialing and Provisioning
  - The State of Machine Identity Management
    A recent survey by IDG uncovered the complexities around machine identities and the capabilities that IT leaders are seeking from a management solution.
    Get the White Paper
- Post-Quantum
  - Issuance and Provisioning
    1. PKI as a Service PQ
    2. PQ Standards and Research
  - Cryptographic Center of Excellence
    1. Crypto Health Check
    2. PKI Health Check
  - Are you ready for the threat of post-quantum computing?
    Know where your path to post-quantum readiness begins by taking our assessment.
    Begin Assessment
- Partners
  - Become an Entrust Partner
    Our partner programs can help you differentiate your business from the competition, increase revenues, and drive customer loyalty. Consider joining one or more of our Entrust partner programs and strategically position your company and brand in front of as many potential customers as possible.
    Learn More
  - Partner Directory
    Search for partners based on location, offerings, channel or technology alliance partners.
    Search for a Partner
  - Programs
  - Partner Logins
- Support & Services
  - Contact Support
  - TrustedCare
    Product downloads, technical support, marketing development funds.
    Learn More
  - Digital Security Knowledge Base
    Guides, white papers, installation help, FAQs and certificate services tools.
    Learn More
  - Issuance Systems Knowledge Base
    Technotes, product bulletins, user guides, product registration, error codes and more.
    Learn More
  - PKI Professional Services
  - Cryptographic Center of Excellence
    Construct best practices and define strategies that work across your unique IT environment.
    Learn More
  - Custom Cryptographic Solutions
    1. Code Signing
    2. HSM Application Integration
  - Product Deployment Services
  - Packaged Services
  - Training
- Resources
  - Issuance Systems Knowledge Base
    Technotes, product bulletins, user guides, product registration, error codes and more.
    Learn More
  - Digital Security Knowledge Base
    Guides, white papers, installation help, FAQs and certificate services tools.
    Learn More
  - Cybersecurity Institute
    Get critical insights and education on security concepts from our Trust Matters newsletter, explainer videos, and the Cybersecurity Institute Podcast.
    Learn More
- About Entrust
  - Securing a World in Motion Since 1969
    We’ve established secure connections across the planet and even into outer space. We’ve enabled reliable debit and credit card purchases with our card printing and issuance technologies. Protected international travel with our border control solutions. Created secure experiences on the internet with our SSL technologies. And safeguarded networks and devices with our suite of authentication products.
    Explore Our History
  - 1. Leadership
    2. Blog
    3. Careers
    4. Events
    5. Webinars
    6. Podcasts
    7. News Articles
    8. Press Releases
  - Cybersecurity Institute
    Get critical insights and education on security concepts from our Trust Matters newsletter, explainer videos, and the Cybersecurity Institute Podcast.
    Learn More
- Shop
  - Entrust Certificate Services Portal
    Existing Entrust Certificate Services customers can login to issue and manage certificates or buy additional services.
    Learn More
  - Entrust Certificate Services Retail
    Shop for new single certificate purchases.
    Learn More
  - Entrust Certificate Services Partner Portal
    Existing partners can provision new customers and manage inventory.
    Learn More
  - Instant Financial Card Issuance Supplies
    1. Registered Customer Login
    2. Request Access
- Search Entrust
  - Search:

Introduction
- Product configurations
- Requirements
Procedures

Introduction

This guide describes how to integrate VMware Tanzu Kubernetes clusters with Entrust CloudControl. Entrust CloudControl organizes your cluster inventory into categories to help you find information about your Tanzu deployment. Entrust CloudControl uses role and asset-based access control to help you define who can do what to which cluster objects. It also uses image deployment control policies that can be applied to your cluster infrastructure ensuring ongoing compliance with your organization security policies.

Product configurations

Entrust has successfully tested the integration of Entrust CloudControl with VMware Tanzu in the following configurations:

System	Version
VMware vCenter	7.0.1 U1 (build-16858589)
Kubernetes Version	v1.18.19+vmware.1
Entrust CloudControl	6.5.0

Requirements

Before starting the integration process, familiarize yourself with:

The documentation and setup process for VMware Tanzu.
The documentation and setup process for Entrust CloudControl. The online documentation contains everything you need to successfully install and deploy CloudControl.

Procedures

This guide uses a standalone CloudControl deployment and does not use Active Directory. All users are local to the system. CloudControl supports a cluster environment. For more information refer to the Entrust CloudControl Installation Guide in the online documentation.

Download the CloudControl software

Go to https://my.hytrust.com/s/software-downloads .
Log in and select HyTrust CloudControl .
Open the folder HTCC_6.5.0_2022-03-01 . This folder contains version 6.5.0 that was used in this guide.
Select the Entrust-CloudControl-6.5.0.650509.zip link to download the file.
After the file has been downloaded, open the ZIP file to access to the OVA file.

Set up a content library in vCenter for the CloudControl OVA

Log in to vCenter.
Go to Menu > Content Libraries .
Create a content library called HyTrust CloudControl .
In the HyTrust CloudControl library, select Actions > Import item . For example:

The Import Library Item dialog appears.
Select Local File and upload the CloudControl OVA file.
After the file has been uploaded, select Import to import the OVA file into the library.

Deploy the CloudControl VM from the OVA

After the file has been imported into the content library, it will be listed accordingly. Right-click on the Name and select New VM from this Template to deploy the VM.

Follow the instructions during the deployment as needed.

Note	For more information refer to Installing CloudControl from an OVA in the online documentation.

Power on the appliance

Log in to the vSphere Client.
Locate the Entrust CloudControl virtual machine in the inventory.
Right-click the CloudControl virtual machine and select Power > Power On .

Configure the CloudControl virtual appliance

This guide uses a Standalone Node setup. For more information refer to Creating a Standalone Node in the online documentation.

Set up the CloudControl GUI

After the standalone node has been configured, you will need to finish the setup using the GUI. For more information refer to Setting Up the CloudControl GUI in the online documentation.

VMware Tanzu prerequisites

There are some VMware Tanzu prerequisites so it can be used in CloudControl.

For more information refer to VMware Tanzu Prerequisites in the online documentation.

VMware Tanzu setup

This guide does not describe the deployment of a VMware Tanzu cluster. Refer to the VMware documentation for details.

Assuming you have a VMware Tanzu cluster setup, you will need the cluster kubeconfig file to be able to onboard the cluster into CloudControl. You will also need a client machine that you can run the commands specified in this guide with the kubectl command installed.

The examples in this guide use a CentOS 8 virtual machine which will be referred to as the kubectl node from now on.

Log into your kubectl node client machine.
On the kubectl node log into the VMware Tanzu Management/Supervisor cluster:
```
% kubectl vsphere login --vsphere-username [email protected] --server=https://xx.xxx.xxx.xx --insecure-skip-tls-verify
```
Once this command is executed successfully, can use the $HOME/.kube/config file for on-boarding. This will be the config file to onboard the Management/Supervisor cluster. Save this file in your $HOME directory and name it management.kubeconfig.txt .
```
% cp $HOME/.kube/config $HOME/management.kubeconfig.txt
```
To get the Tanzu Kubernetes cluster config file, log into the Tanzu Kubernetes cluster:
```
% kubectl vsphere login --vsphere-username [email protected] --server=https://xx.xxx.xxx.xx --insecure-skip-tls-verify --tanzu-kubernetes-cluster-namespace qanamespace --tanzu-kubernetes-cluster-name qa-tkg-cluster-01
```
In this example, the namespace for our cluster is qanamespace and the cluster name is a-tkg-cluster-01 . These are just examples. Use what applies to your environment.

Once this command is executed successfully, you can use the $HOME/.kube/config file for on-boarding. This will be the config file to onboard the Tanzu Kubernetes cluster. Save this file in your $HOME directory and name it tanzucluster.kubeconfig.txt .
```
% cp $HOME/.kube/config $HOME/tanzucluster.kubeconfig.txt
```
$HOME/.kube/config is the file needed to onboard the clusters in CloudControl. For Tanzu, you will need the following two files:
1. management.kubeconfig.txt - for the Management/Supervisor cluster.
2. tanzucluster.kubeconfig.txt - for the Tanzu Kubernetes cluster.

Both clusters will have to be on-boarded into CloudControl.

You can now add the Tanzu clusters into CloudControl, see On-board the Tanzu clusters .

On-board the Tanzu clusters

On-boarding is the process of adding the Tanzu Kubernetes clusters into CloudControl.

For more information refer to Adding a VMware Tanzu Cluster in the online documentation.

For Tanzu you will need to import the Tanzu Management cluster and at least a Tanzu Kubernetes cluster.

On-boarding the Tanzu Management cluster

From the Home tab, select Inventory > Kubernetes Clusters .
On the Clusters page, select Actions > Add Kubernetes Cluster .

If there are no clusters in your system, you can also select Add Kubernetes Cluster on the Kubernetes Clusters page.
On the Add Kubernetes Cluster Import tab, choose one of the following:
- Select Import File , then select Browse and choose the kubeconfig file that you want to import.
- Select Enter Text , then paste the contents of the kubeconfig file as plain text.
A kubeconfig file is a configuration file written in YAML that describes the cluster that you want to add.

To import the Management cluster, use the Management cluster config file produced earlier, management.kubeconfig.txt .
Select Enter Text , then paste the contents on the Management cluster config file as plain text.
Select Continue .
On the Clusters tab, select the Tanzu Management cluster you want to add and select Continue .

You can only select one cluster. Select the Tanzu Management cluster IP address or FQDN.
The Select User dialog appears. Select the user who has access to the cluster.
Select Continue .
On the About tab, enter the following:
- Friendly Name : Enter the user-facing name for the cluster.
- Password : Enter the password for the user selected who has access to the cluster. In this example, that is the same password used by [email protected] .
  
  For the Vendor Type , CloudControl detects that this is a Tanzu Management cluster.
Select Continue .
On the Details tab, you can monitor the process.
Select Continue .
On the Master Nodes tab, a list of nodes will be displayed with their name, IP, and hostname information.
Select Continue .
After the cluster has been imported into CloudControl the cluster dashboard is shown.

On-boarding the Tanzu Kubernetes cluster

After that the Tanzu Management cluster has been on-boarded, you can import a Tanzu Kubernetes cluster.

From the Home tab, select Inventory > Kubernetes Clusters .
On the Clusters page, select Actions > Add Kubernetes Cluster .
On the Add Kubernetes Cluster Import tab, select Enter Text , then paste the contents of the kubeconfig file as plain text.

To import the Tanzu Kubernetes cluster, use the Tanzu cluster config file tanzucluster.kubeconfig.txt .
Select Enter Text , then paste the contents on the Tanzu Kubernetes cluster config file as plain text.
Select Continue .
On the Clusters tab, select the Tanzu Kubernetes cluster you want to add and select Continue .

You can only select one cluster. Select the Tanzu Kubernetes cluster IP address or FQDN.
On the About tab, enter the following:
- Friendly Name : Enter the user-facing name for the cluster.
- Password : Enter the password for the user who has access to the cluster. In this example, that is the same password used by [email protected] .
  
  For the Vendor Type , CloudControl detects that this is a Tanzu Kubernetes cluster.
Select Continue .
On the Details tab, you can monitor the process.
Select Continue .
On the Master Nodes tab, a list of nodes will be displayed with their name, IP, and hostname information.
Select Continue .
In the Enable Access Control dialog, either:
1. Select Enable Access Control to enable the ROOT Access Control Trust Manifest. CloudControl will take control of managing access to the cluster and you will have to create a Trust Manifest Access Control Policy to be able to create and manage objects in the cluster.
2. Select No, not now to wait until later. This feature can be enabled after the cluster has been onboarded.
After the cluster has been imported into CloudControl the cluster dashboard is shown.

View VMware Tanzu Kubernetes cluster inventory

From the Home page, select Inventory > Kubernetes to view the Kubernetes Clusters page. From here, you can view in depth information of all of the objects in that cluster, as well as any tags or policies related to those objects. This information is included in a dashboard or a resource page.

For more information refer to Viewing Kubernetes Inventory in the online documentation.

You can also refer to Navigating Kubernetes Inventory View Pages in the online documentation.

Transfer root access control to CloudControl

When you enable root access control for the Kubernetes cluster, access control of the Tanzu Kubernetes cluster is transferred to CloudControl. This means that management of objects in the cluster will be controlled by CloudControl rules. These rules must be created and defined in CloudControl for you to be able to create, edit, and delete objects in the cluster.

Before root access control is enabled

During the on-boarding process, root access was not enabled for the imported cluster. As a result, you can still create objects at the Tanzu level.

For example, you can create a pod. The pod.yaml file is below:

apiVersion: v1
kind: Pod
metadata:
    name: tutum-centos3
spec:
    containers:
    - name: tutum-ssh-server3
      image: tutum/centos

To create the pod:

% kubectl vsphere login --vsphere-username [email protected] --server=https://xx.xxx.xxx.xx \
  --insecure-skip-tls-verify --tanzu-kubernetes-cluster-namespace qanamespace \
  --tanzu-kubernetes-cluster-name qa-tkg-cluster-01

Password:
Logged in successfully.

You have access to the following contexts:
   xx.xxx.xxx.xxx
   ameynamespace
   ameynamespace-xx.xxx.xxx.xxx
   amolnamespace
   qa-tkg-cluster-01
   qanamespace
   qanamespace-xx.xxx.xxx.xxx
   saketnamespace
   saketnamespace-xx.xxx.xxx.xxx
   subbanamespace
   wld1

If the context you wish to use is not in this list, you may need to try
logging in again later, or contact your cluster administrator.

To change context, use `kubectl config use-context <workload_name>`

% kubectl create -f pod.yaml

pod/tutum-centos3 created

The pod is created successfully. This process will fail if root access control is enabled using default HyTrust Global Access Control Policy, which denies all operations. See Enable root access control .

To delete the pod:

% kubectl get pods
NAME            READY   STATUS    RESTARTS   AGE
tutum-centos3   1/1     Running   0          3m57s

% kubectl delete pod tutum-centos3
pod "tutum-centos3" deleted

The pod is deleted successfully. This process will fail if root access control is enabled using default HyTrust Global Access Control Policy, which denies all operations. See Enable root access control .

Enable root access control

When you enable root access control for the Kubernetes cluster, access control of the Tanzu Kubernetes cluster is transferred to CloudControl.

To enable root access control:

From the Home tab, select Inventory > Kubernetes Clusters .
Select Management to view the clusters.
Select the Tanzu Kubernetes Cluster Name that you want to enable root access control for by selecting the cluster name link.

This action will display the details about the cluster you selected.

If you look into the Details section of the page, you will notice that Access Control is Disabled .
Select the Disable link to Enable Root Access Control .
In the Access Control dialog, set Status to Enabled and select Apply .

After root access is enabled, you cannot work with objects directly. For example, creating a pod:

% kubectl create -f pod.yaml

Error from server (Forbidden): error when creating "pod.yaml": admission webhook "accesscontrol.hytrust.com" denied the request: Permission Denied by HyTrust Security Policy.

In this example, you are unable to create the pod, as CloudControl now controls permissions on the cluster. You must now give users permissions to perform actions, see Create a Trust Manifest Access Control Policy .

Create a Trust Manifest Access Control Policy

After you enable root access control in the cluster, you are unable to create objects in the cluster. This is because cluster permissions are then managed by CloudControl.

This section describes the process to create a Trust Manifest Access Control policy, so a user can manage objects in the cluster.

Log analysis

You can use the logs in the system to check why access has been denied for a request. From this, you can create a Trust Manifest Access Control Policy to allow the user to perform the request successfully. For more information refer to Log Analysis in the online documentation.

Go to the Home tab, select Security > Log Analysis .
Select the record that shows the Deny status to see the reason for the denial.

Look for an entry similar to the following:

In this example, a request to create a pod was denied.

You can now create a Trust Manifest Access Control Policy to allow the user to create the pod.

Create the Access Control Policy

This section describes how to use an Access Control Policy to allow users to create pods in the Tanzu cluster.

In the example below, the Access Control Policy will allow the kubernetes:admin user to create pods in the cluster. Any other user in the system will be denied access.

For details of how to create an Access Control Policy, refer to Creating an Access Control Trust Manifest from the CloudControl GUI in the online documentation.

From the Home tab, select Security > Trust Manifests .
On the Manage Trust Manifests page, select Create Trust Manifest . This is the plus sign in the GUI.
On the Details tab of the Create Trust Manifest page, enter the Name and optional Description for the Trust Manifest.
For Policy Type , select Access Control .
In the Access Control Policy section, enter the name of the rule. That is, ACP .
For Role , select ASC_ContainerInfraAdmin .

This is the role that controls all operation related to creating objects in cluster.
Under Subjects :
1. For Type , select Kubernetes .
2. For Group or User , add:
  k8s::user:kubernetes:admin
  
  k8s::user:sso:[email protected]
Select Validate to validate the policy.
Select Save to save the policy.
Select Publish to publish the policy.

When you publish the policy it will ask you to assign resources to the policy. Select the Tanzu Kubernetes cluster and select Assign .
Select Close .

Test the Access Control Policy

To test if the Access Control policy is working, create the pod:

% kubectl create -f pod.yaml

pod/tutum-centos3 created

The request is successful.

To test the deletion of a pod:

% kubectl delete pod tutum-centos3

Error from server (Forbidden): admission webhook "accesscontrol.hytrust.com" denied the request: Permission Denied by HyTrust Security Policy, Resource not found.

In this example, the resource is not found in CloudControl. This is because the CloudControl has not updated its cluster inventory yet. When you onboard the cluster, it creates an internal job that runs every 5 minutes to update the cluster inventory. This means that the only way to delete the pod in this case is to:

Wait for the cluster inventory job to complete.
Manually sync the inventory.

To manually sync the inventory:

In the Cluster Detail tab, select Actions > Sync Inventory .
Select Initiate Sync .

After the sync completes you should be able to delete the pod. For example:

% kubectl delete pod tutum-centos3

pod "tutum-centos3" deleted

The pod deletes successfully.

Image registries

An image registry is a service that stores your repositories and images. Each repository contains one or more version of the same image. All images in a repository must have the same name, and be differentiated by tags. The tag name corresponds to the version of the image. The most recent image is also tagged as 'latest'.

Image registries are not protected by CloudControl, but adding a registry allows CloudControl to discover valuable information about the registry, such as the number of images and their specific vulnerabilities.

This allows more detailed rules when creating an Image Deployment Control Policy which will be discussed later in this guide. Entrust strongly suggests adding your private image registries to CloudControl for better control during image deployment in Kubernetes.

Add the private registry to CloudControl: xxxx.yyyy.zzz

In the Home tab, Select Inventory > Image Registries to view the registries that have been added to CloudControl.
On the Image Registries page, select Actions > Add Registry .

If there are no registries in your system, you can also select the Add Registry link on the Image Registries page.
On the Add Registry page, in the About tab enter the following information:
1. Name - Name of the registry
2. IP/FQDN - Enter the IP Address or FQDN for the registry.
3. Port - Enter the registry port used in configuration of the local registry.
4. Authorization Schema - Choose one of the following to use for authorization: BASIC or OAUTH .
5. User - Enter the user name for the registry.
6. Password - Enter the password for this user.
7. Description - Enter an optional description.
Select Continue .

If you did not already add a certificate authority, you will be prompted to add one.

In the Missing Certificate Authority window, select Install Certificate Authority Now .
On the Install Certificates page, do one of the following:
1. Select Import and then select Browse to locate the certificate file.
2. Select Enter Text , then paste the contents of the certificate as plain text into Certificate Data .
Select Continue .
On the Details page, you can monitor the process.
Select Continue to view the dashboard for the newly added registry.

You can now create an Image Deployment Control Policy, see Image Deployment Control Policy .

Image Deployment Control Policy

The Image Deployment Control Policy controls how images are deployed in the Tanzu Kubernetes cluster managed by CloudControl. As part of a Trust Manifest, it allows you to determine what images from a registry are safe to be added to your protected clusters.

CloudControl enforces image security using Image Deployment Control Policies, which are comprised of one or more deployment rules:

Private registry rules

Private Registries

Allows you to enter a list of private registries, either onboarded or not, that you want to evaluate with the trust manifest. Only the images from registries listed in the Allowed Registries section are evaluated to see if they can be deployed. Images from all other registries will be denied.
Signature Rule

Allows you to deny images that do not have an associated digital signature.
Attributes Rule

Allows you to deny or deploy images based on their image ID or image name.
Vulnerabilities Rule

Allows you to deny or deploy images based on CVSS scores or specific CVEs.

Public registry rules

A public registry rule enables images from public registries to be deployed in your environment without any evaluation.

Important

Entrust strongly recommends that you do leave the public registry rule set to ENABLED and do not allow public registries to be deployed. If you must use a public registry, then you can leave the rule set to ENABLED and enter that specific registry into the allowed registries. This will allow only that specific registry image to be deployed, and will prevent all other public registry images from deployment.

Other considerations

Rules can either have a True or False value and can also include a 'stop processing' clause. Deployment rules in a policy are evaluated in the following order:

If False, the image will not be deployed, and no further rules are evaluated.
If True, AND there is a 'stop processing' clause, the image is allowed to be deployed and no further rules are evaluated.
If True, the next rule in the policy is evaluated. If this is the only rule, then the image is allowed to be deployed.
If all rules are True, then the image is allowed to be deployed.

Important

Entrust recommends that you always use the image SHA as it is a unique identifier for your images. Pods can be created by using either an image name with tag, or an image name with SHA, and in many cases images with the same SHA could have been tagged with different tags. For example, you could have a single image named TestImage with different tags like TestImage:3 , TestImage:4 , and TestImage:5 , but all these images will have the same SHA as the underlying image is the same for all three of them.

When you create any Image Deployment Control Policy rules, you should use the image name with SHA to ensure that the intended image is evaluated no matter what tags are there. If you use an image name with tag, such as TestImage:3 , then only the image that matches that specific tag will be selected. The other images, TestImage:4 and TestImage:5 will not be evaluated.

Create an Image Deployment Control Policy

This section will show how you can use an Image Deployment Control Policy to control which images are allowed/denied in your deployment.

For more information refer to Creating a Deployment Control Trust Manifest from the CloudControl GUI in the online documentation.

From the Home tab, select Security > Trust Manifests .
On the Manage Trust Manifests page, select Actions > Create Trust Manifest .
On the Details tab of the Create Trust Manifest page, enter the Name and optional Description for the trust manifest.
For Policy Type , select Deployment Control .
In the Deployment Control Rules: Private registries section:
1. For Allowed Registries , enter the registries that you want to allow. That is:
  - Enter the registry that was onboarded: xxxxx.yyyy.zzz .
  - Enter the registries can be existing onboarded registries or registries that you plan to onboard.
  - Enter the registries that have not been onboarded are depicted with a yellow warning icon.
In the Deployment Control Rules: Rules section:
1. For Signature Rule , select either Enabled or Disabled . This determines whether to deny an image when no signature is present.
In the Deployment Control Rules: Rules section:
1. For Attribute Rule , select Enabled or Disabled to determine whether to evaluate using attributes, and then complete the following:
  1. Name - Enter the name of the rule. The name cannot contain any special characters.
  2. Exemption List - Deploy on Match
    
    Select ENABLED or DISABLED to determine whether to use this when evaluating.
    
    If ENABLED , use the + and - symbols to add the following criteria:
    
    Image ID - Enter the image ID in SHA format to match.
    
    Image Name - Enter the Name and Tag Regex to match.
    
    If there is a match, the image will immediately be deployed, and no other deployment policy rules will be evaluated.
    
    If there is no match, continue to the next enabled step.
    
    If there are no other steps, continue to the next rule in the deployment policy.
  3. Whitelist - Deny on No Match
    
    Select ENABLED or DISABLED to determine whether to use this when evaluating.
    
    If ENABLED , use the + and - symbols to add the following criteria:
    
    Image ID - Enter the image ID in SHA format to match.
    
    Image Name - Enter the Name and Tag Regex to match.
    
    If there is no match, the image will immediately be denied, and no other deployment policy rules will be evaluated.
    
    If there is a match, continue to the next enabled step.
    
    If there are no other steps, continue to the next rule in the deployment policy.
  4. Blacklist - Deny on Match
    
    Select ENABLED or DISABLED to determine whether to use this when evaluating.
    
    If ENABLED , use the + and - symbols to add the following criteria:
    
    Image ID - Enter the image ID in SHA format to match.
    
    Image Name - Enter the Name and Tag Regex to match.
    
    If there is a match, the image will immediately be denied, and no other deployment policy rules will be evaluated.
    
    If there is no match, continue to the next rule in the deployment policy.
2. Optional. In the Public Registries section, you can add public registries to be deployed without any evaluation.
  
  Entrust recommends that you leave this section enabled, but do not enter any values for Allowed Registries .
Select one of the following:
- Validate - Validate the draft or existing trust manifest.
- Save - Save the trust manifest as a draft.
- Publish - Publish the trust manifest.

Image Deployment Control Policy examples

In this example, an Image Deployment Control Policy is created. It will only allow images that are in the private registry that was onboarded earlier. Any other image that is not in the private registry will be blocked and will not run.

To be able to publish the policy:

The Restrict Public Registry rule will be enabled.
A fake registry name abc will be added to the exception list. This will force the policy to only allow images in the private registry.

After this policy is published, you can attempt to deploy an image that is not in the registry.

For example, using the pod.yaml file again:

apiVersion: v1
kind: Pod
metadata:
    name: tutum-centos3
spec:
    containers:
    - name: tutum-ssh-server3
      image: tutum/centos

Note	The YAML file is not using an image from the private registry.

% kubectl create -f pod.yaml

Error from server (Forbidden): error when creating "pod.yaml": admission webhook "deploymentcontrol.hytrust.com" denied the request: Permission Denied by HyTrust Security Policy.

In this example, the pod was not deployed because it uses an image from the tutum registry.

To use an image from a private registry using a different YAML file. For example, pod-internal-registry.yaml with the following content:

apiVersion: v1
kind: Pod
metadata:
    name: internalregistry-cv-test
spec:
    containers:
    - name: internalregistry-test
      image: xxxxxx.yyyy.zzz/cv-test:latest

Create the pod:

% kubectl create -f pod-internal-registry.yaml

pod/internalregistry-cv-test created

The deployment is successful, because the Image Deployment Control Policy allows images from the private registry.

You can add the tutum external registry to the external registry exception list, so an external image can also be deployed. For example:

Create the pod using pod.yaml file again:

% kubectl create -f pod.yaml

pod/tutum-centos3 created

The deployment policy is working as designed.

You can expand the policy by further restricting what images can be deployed from the private registry.

To determine what images are in the private registry:

In the Home tab, Select Inventory > Image Registries and select the private registry that was onboarded.
Look at the images that are available in the registry.

You can change the deployment policy to only allow images with name cv-test and with the latest tag. Any other image in the private registry that does not match this requirement in the name will be blocked.

To do this, add an Attribute Rule to the deployment policy. For example:

You can now try to deploy the busybox image in the private registry. To do this, create a file called pod-internal-busybox.yaml with the following content:

apiVersion: v1
kind: Pod
metadata:
    name: internalregistry-busybox
spec:
    containers:
    - name: internalregistry-busybox-test
      image: xxxxx.yyyy.zzz/busybox

When you try to deploy this, it should fail and deny the deployment. For example:

% kubectl create -f pod-internal-busybox.yaml

Error from server (Forbidden): error when creating "pod-internal-busybox.yaml": admission webhook "deploymentcontrol.hytrust.com" denied the request: Permission Denied by HyTrust Security Policy.

You can now deploy the cv-test image in the private registry. To do this, use the pod-internal-registry.yaml file again.

% kubectl create -f

pod/internalregistry-cv-test created

The deployment is successful.

This demonstrates how to harden the Image Deployment Control Policy.

Image Deployment Control Policy based on vulnerabilities

When you onboard a private registry into CloudControl, the system checks the number of vulnerabilities in each image in the registry. Below is an example of what you see on the private registry that was onboarded.

For each image, CloudControl collects the number of vulnerabilities and their types. You can select a link in the Vulnerabilities column to view a pop-up with tabs that include the details.

The Vulnerabilities tab lists each vulnerability with their CVE, severity, and description. Select the CVE link to view details about the CVE. For example:

With this information on hand, now you can create modify the Image Deployment Control Policy to allow/deny deployments based on the number of vulnerabilities an image contain.

For example, modify the current Image Deployment Control Policy to allow any image from the private registry, but only if it has no vulnerabilities. This requires the use of two images from the private registry:

cv-test - which has no vulnerability.
ojw-httpd - which has some vulnerabilities.

Modify the Image Deployment Control Policy

Modify the policy by disabling the Attributes Rule and enabling the Vulnerabilities Rule . The default thresholds will be appropriate for testing.

From the Home tab, select Security > Trust Manifests .
On the Manage Trust Manifests page, select the MyTanzuDeploymentControlPolicy policy.
Select Edit .
Disable the Attribute Rule section under Rules , under Private Registries .
Enable the Vulnerability Rule section.
1. Give a name for the rule, for example My Vulnerability Rule .
2. Take the defaults for the Deny deployment thresholds values.
  
  The ojw-httpd image has more than 30 low severity vulnerabilities.
Select Validate and the select Apply .

You can now test the policy, see Test the policy .

Test the policy

To test the policy, attempt to deploy the cv-test image. Use the same pod-internal-registry.yaml file again.

% kubectl create -f pod-internal-registry.yaml

pod/internalregistry-cv-test created

The deployment succeeds.

Now attempt to deploy the ojw-httpd image. To do this, create a file called pod-internal-cve.yaml with the following content:

apiVersion: v1
kind: Pod
metadata:
    name: internalregistry-ojw-httpd
spec:
    containers:
    - name: internalregistry-ojw-httpd
      image: xxxxx.yyyy.zzz/ojw-httpd:latest

It should fail and be denied.

% kubectl create -f pod-internal-cve.yaml

Error from server (Forbidden): error when creating "pod-internal-cve.yaml": admission webhook "deploymentcontrol.hytrust.com" denied the request: Permission Denied by HyTrust Security Policy.

Examine the logs to see the denial.

Go to the Home tab, select Security > Log Analysis .
Select the record that shows the Deny status to see the reason for the denial.
Look for something like this:

This feature from CloudControl allows you to put in place image deployment control policies that can harden your organization deployment requirements and tailor this capability according to your organization needs.

Table of Contents
Introduction
Procedures

RESOURCES

Integration Guide
VMware Tanzu and Entrust CloudControl
Web Page
Entrust CloudControl: Integration with Tanzu vSphere

Table of Contents