Project author: banzaicloud

Project description:
Anchore Image Validator lets you automatically detect or block security issues just before a Kubernetes pod starts.
Language: Go
Repository: git://github.com/banzaicloud/anchore-image-validator.git
Created: 2018-09-14T13:30:49Z
Project community: https://github.com/banzaicloud/anchore-image-validator

License: Apache License 2.0


Anchore Image Validator

Anchore Image Validator lets you automatically detect or block security issues just before a Kubernetes pod starts.

This repository contains an admission webhook server that can be configured as a ValidatingWebhook in a k8s cluster. Kubernetes will send requests to the admission server when a Pod creation is initiated. The server checks the image defined in the pod specification using the configured Anchore-engine API. If the result indicates that the image does not comply with the defined policy, k8s will reject the Pod creation request.

  • If an image is not valid, the release can be added to a whitelist resource (CRD) to bypass the blocking.
  • The results of image checks are stored as an audit resource (CRD) in a structured format.
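The admission decision described above (every image in the Pod is checked against the Anchore-engine policy, and a WhiteListItem named after the helm release, optionally narrowed by a regexp, bypasses the block), as an added Go example that is not the project's own code. The PodSpec and WhiteListItem structs and the PolicyChecker hook are simplified stand-ins for the real Kubernetes and CRD types, and rejecting the Pod when Anchore-engine cannot be reached (fail closed) is this example's assumption, not documented project behaviour.

```go
package main

import (
	"fmt"
	"regexp"
)

// Constructed, simplified stand-ins for the Pod and WhiteListItem data the
// webhook reasons about; they are not the project's own types.
type PodSpec struct {
	Release string   // helm release name of the pod being admitted
	Images  []string // image references from the pod's containers
}
type WhiteListItem struct {
	Name   string // applies only when equal to the helm release name
	Regexp string // optional image regexp; empty covers every image of the release
}

// PolicyChecker stands in for the Anchore-engine policy evaluation call;
// a non-nil error means the engine could not be consulted.
type PolicyChecker func(image string) (pass bool, reason string, err error)

// whitelisted: a WhiteListItem for this release bypasses the block. A malformed
// regexp never matches, so a bad whitelist entry cannot widen the bypass.
func whitelisted(wl []WhiteListItem, release, image string) bool {
	for _, w := range wl {
		if w.Name != release {
			continue
		}
		if ok, err := regexp.MatchString(w.Regexp, image); err == nil && ok {
			return true // an empty Regexp matches every image
		}
	}
	return false
}

// Validate is the admission decision: the action recorded in the Audit resource
// ("allow"/"reject") and a message for the API server. Engine errors fail closed (assumption).
func Validate(pod PodSpec, wl []WhiteListItem, check PolicyChecker) (action, msg string) {
	for _, img := range pod.Images {
		pass, reason, err := check(img)
		if err != nil {
			return "reject", fmt.Sprintf("%s: anchore-engine error: %v", img, err)
		}
		if !pass && !whitelisted(wl, pod.Release, img) {
			return "reject", fmt.Sprintf("%s: failed policy: %s", img, reason)
		}
	}
	return "allow", ""
}
```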

Installing

Helm install

Install from banzaicloud-stable repository

Add repository

    $ helm repo add banzaicloud-stable https://kubernetes-charts.banzaicloud.com/
    $ helm repo update

Install chart

    $ helm install --set externalAnchore.anchoreHost=<my.anchore.host> --set externalAnchore.anchoreUser=<username> --set externalAnchore.anchorePass=<password> banzaicloud-stable/anchore-policy-validator

Manual install

For a manual install you need to define the following environment variables:

ENV                       Description
ANCHORE_ENGINE_USERNAME   Anchore-engine username
ANCHORE_ENGINE_PASSWORD   Anchore-engine password
ANCHORE_ENGINE_URL        Anchore-engine URL

Accessing banzaicloud security features via the Kubernetes API:

    $ curl http://<k8s apiserver>/apis/security.banzaicloud.com/v1alpha1
    {
      "kind": "APIResourceList",
      "apiVersion": "v1",
      "groupVersion": "security.banzaicloud.com/v1alpha1",
      "resources": [
        {
          "name": "whitelistitems",
          "singularName": "whitelistitem",
          "namespaced": false,
          "kind": "WhiteListItem",
          "verbs": [ ... ],
          "shortNames": [
            "wl"
          ]
        },
        {
          "name": "audits",
          "singularName": "audit",
          "namespaced": false,
          "kind": "Audit",
          "verbs": [ ... ]
        }
      ]
    }

Resources accessible via kubectl command:

    $ kubectl get whitelist
    $ kubectl get audit

Example whitelist:

    apiVersion: security.banzaicloud.com/v1alpha1
    kind: WhiteListItem
    metadata:
      name: <name of helm release>
    spec:
      reason: <whitelisting reason>
      creator: <creator>
      [regexp:] <optional>

Example audit:

    apiVersion: security.banzaicloud.com/v1alpha1
    kind: Audit
    metadata:
      name: <name of audit (generated from Pod OwnerReference)>
      ownerReferences:
      - <scanned Pod OwnerReference>
    spec:
      releaseName: <helm release name>
      resource: pod
      image:
      - imageName: docker.io/image-name1
        imageTag: latest
        imageDigest: sha256:abcd1
        lastUpdated: "2018-11-11T14:35:38Z"
      - imageName: docker.io/image-name2
        imageTag: latest
        imageDigest: sha256:abcd2
        lastUpdated: "2018-11-11T14:35:38Z"
      result:
      - <docker.io/image-name1 scan result>
      - <docker.io/image-name2 scan result>
      action: <allow or reject>
    status:
      [state:] <optional>