Launch Disallowed Container

​

Event Information

​

Meaning

• The Launch Disallowed Container event in a Kubernetes cluster indicates that a container has been attempted to be launched, but it is not allowed based on the defined policies or compliance standards.
• This event typically occurs when a container image or configuration violates the security policies or compliance requirements set for the cluster.
• It is important to investigate the reason behind the disallowed container launch, review the policies in place, and take necessary actions to ensure compliance and security of the cluster. This may involve updating the policies, modifying the container image or configuration, or seeking approval for the container launch if required.

​

Remediation

1. Identify the namespace in which the disallowed container was launched:

   • Use the kubectl get pods command to list all the pods in the cluster.
   • Look for the pod that triggered the event and note its namespace.

2. Delete the disallowed pod:

   • Use the Python Kubernetes API to create a Kubernetes client.
   • Use the client to delete the pod in the identified namespace using the pod’s name.

3. Ensure compliance by preventing future occurrences:

   • Create a Kubernetes NetworkPolicy to restrict the deployment of disallowed containers.
   • Use the Python Kubernetes API to create the NetworkPolicy manifest.
   • Apply the manifest using the kubectl apply -f command.

Example Python code to delete the pod:

from kubernetes import client, config

# Load the Kubernetes configuration
config.load_kube_config()

# Create a Kubernetes client
api_client = client.CoreV1Api()

# Delete the pod in the identified namespace
api_client.delete_namespaced_pod(name="pod-name", namespace="namespace")

Example NetworkPolicy manifest to restrict disallowed containers:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: disallowed-containers-policy
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          disallowed: "true"
    ports:
    - protocol: TCP
      port: 80

Apply the NetworkPolicy manifest using the kubectl apply -f command:

kubectl apply -f networkpolicy.yaml