Author: Apurv Singh - firstname.lastname@example.org
Updates (v2): Ash Wilson - email@example.com
This containerized application monitors the /v1/events endpoint in the Halo API, looking for specific events. If a targeted event is matched, the tool will move the workload into the configured quarantine group.
How it works
Targeted events are listed, one per line, in /conf/target-events. Feel free to alter the file and rebuild the container, or mount in the config file from a persistent volume. Event types produced by Halo can be found here:
When the end of the events stream is reached, this tool continues to query
until more events arrive. If you do not set the
environment variable, the tool will start at the beginning of the current day.
The quarantine group is defined with the
variable. If you don't define this environment variable, it is assumed to be
"Quarantine". You should configure the group in your Halo account before you run
this tool. We recommend applying a firewall policy to the group that restricts
all outbound traffic, and only allows inbound traffic from Ghostports users.
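The matching step described under "How it works", as an added example rather than the project's own code: it parses a target-events list, applies the start-of-day default, and decides which workloads would be moved. The event field names (type, server_id, created_at), the event type strings and the UTC day boundary are assumptions, and the sample data is constructed.

```python
from datetime import datetime, timezone

# Constructed sample of a target-events file: one event type per line.
TARGETS_TEXT = "lids_rule_failed\n\n  sca_rule_failed  \n"

# Constructed events; field names and type strings are assumptions.
EVENTS = [
    {"type": "lids_rule_failed", "server_id": "srv-a", "created_at": "2024-05-01T09:15:00+00:00"},
    {"type": "server_restarted", "server_id": "srv-b", "created_at": "2024-05-01T09:20:00+00:00"},
    {"type": "sca_rule_failed", "server_id": "srv-c", "created_at": "2024-04-30T23:59:00+00:00"},
    {"type": "sca_rule_failed", "server_id": None, "created_at": "2024-05-01T09:30:00+00:00"},
    {"type": "sca_rule_failed", "server_id": "srv-a", "created_at": "2024-05-01T10:00:00+00:00"},
    {"type": "sca_rule_failed", "server_id": "srv-d", "created_at": "2024-05-01T10:05:00+00:00"},
]


def load_targets(text):
    """Return the set of targeted event types, ignoring blank lines and padding."""
    return {line.strip() for line in text.splitlines() if line.strip()}


def default_start(now):
    """Start of the current day as ISO8601 (UTC is an assumption here)."""
    return now.replace(hour=0, minute=0, second=0, microsecond=0).isoformat()


def plan_quarantine(events, targets, start):
    """Map each workload to the first targeted event seen at or after start."""
    start_dt = datetime.fromisoformat(start)
    plan = {}
    for event in events:
        if event.get("type") not in targets:
            continue  # not a targeted event type
        if datetime.fromisoformat(event["created_at"]) < start_dt:
            continue  # older than the starting timestamp
        server_id = event.get("server_id")
        if server_id is None:
            continue  # no workload attached, nothing to move
        plan.setdefault(server_id, event["type"])  # one move per workload
    return plan


if __name__ == "__main__":
    now = datetime(2024, 5, 1, 14, 30, tzinfo=timezone.utc)  # constructed clock
    for server_id, reason in plan_quarantine(
            EVENTS, load_targets(TARGETS_TEXT), default_start(now)).items():
        print(f"move {server_id} to quarantine group (matched {reason})")
```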
- You'll need an account with CloudPassage Halo.
- Make sure that your policies are configured to create events on failure.
- You'll need an administrative (read + write) API key for your Halo account.
- You'll need to have Docker installed.
- Create a quarantine group in your Halo account, with the appropriately restrictive firewall rules.
Using the tool
Clone the code and build the container:
    git clone https://github.com/cloudpassage/quarantine
    cd quarantine
    docker build -t cloudpassage_quarantine .
Set these environment variables:
| Variable | Description |
|---|---|
| HALO_API_KEY | Halo API key ID (administrative privileges required) |
| HALO_API_SECRET_KEY | Halo API key secret |
| HALO_QUARANTINE_GRP | Halo quarantine group name |
Optionally, define these as well:
| Variable | Description |
|---|---|
| HALO_EVENTS_START | ISO8601 timestamp for starting event |
To run the container interactively (foreground):
    docker run -it \
      -e HALO_API_KEY=$HALO_API_KEY \
      -e HALO_API_SECRET_KEY=$HALO_API_SECRET_KEY \
      -e HALO_QUARANTINE_GROUP=$HALO_QUARANTINE_GROUP \
      cloudpassage_quarantine
If you want to run quarantine in the background, you can start it like this:
    docker run -d \
      -e HALO_API_KEY=$HALO_API_KEY \
      -e HALO_API_SECRET_KEY=$HALO_API_SECRET_KEY \
      -e HALO_QUARANTINE_GROUP=$HALO_QUARANTINE_GROUP \
      cloudpassage_quarantine
Run docker ps to make sure it's running. The container logs will be updated
with the last event's timestamp after every batch runs, so running
docker logs -f CONTAINER_NAME will allow you to watch the quarantine tool's
progress while consuming your events stream.
Optionally, you can add
PATH_TO with the path to the directory enclosing your customized