策略引擎>> klustair>> 返回
项目作者: klustair

项目描述 :
Submit all images in your Kubernetes cluster to Anchore for a vulnerability check and check your configuration with kubeaudit
高级语言: Python
项目地址: git://github.com/klustair/klustair.git
创建时间: 2020-05-25T20:38:09Z
项目社区:https://github.com/klustair/klustair
开源协议:Apache License 2.0
下载


KlustAIR Scanner

The Klustair scanner scanns your Kubernetes namespaces for the used images and submits them to Anchore. This is the scanner part.



INFORMATION
This runner is deprecated in favor of the new klustair-cli. For Klustair newer than v0.6.0 please use the klustair-cli written in GO.



Related Klustair projects:

  • trivy A Simple and Comprehensive Vulnerability Scanner for Containers and other Artifacts
  • (DEPRECATED) anchore-engine A service that analyzes docker images and applies user-defined acceptance policies to allow automated container image validation and certification
  • kubeaudit kubeaudit helps you audit your Kubernetes clusters against common security controls

Requirements

  • Python 3
  • Running Anchore (See docker-compose-anchore.yaml)

Usage

  1. usage: runner.py [-h] [-v] [-n NAMESPACES] [-N NAMESPACESBLACKLIST]
  2.                  [-k KUBEAUDIT] [-l LABEL] [-a] [-t] [-c TRIVYCREDENTIALS]
  4. optional arguments:
  5.   -h, --help            show this help message and exit
  6.   -v, --verbose         increase output verbosity
  7.   -n NAMESPACES, --namespaces NAMESPACES
  8.                         Coma separated whitelist of Namespaces to check
  9.   -N NAMESPACESBLACKLIST, --namespacesblacklist NAMESPACESBLACKLIST
  10.                         Coma separated blacklist of Namespaces to skip
  11.   -k KUBEAUDIT, --kubeaudit KUBEAUDIT
  12.                         Coma separated list of audits to run. default: 'all',
  13.                         disable: 'none'
  14.   -l LABEL, --label LABEL
  15.                         A optional title for your run
  16.   -a, --anchore         Run Anchore vulnerability checks
  17.   -t, --trivy           Run Trivy vulnerability checks
  18.   -c TRIVYCREDENTIALSPATH, --trivycredentialspath TRIVYCREDENTIALSPATH
  19.                         Path to repo credentials for trivy
  20.   -ld LIMITDATE, --limitDate LIMITDATE
  21.                         Remove reports older than X days
  22.   -ln LIMITNR, --limitNr LIMITNR
  23.                         Keep only X reports
  24.   -C CONFIGKEY, --limitNr CONFIGKEY
  25.                         Load remote configuration from frontend
  26.   -H APIHOST, --limitNr APIHOST
  27.                         Remote API-host address [example: https://localhost:8443]

ENV vars

  1. export KLUSTAIR_NAMESPACES=
  2. export KLUSTAIR_NAMESPACEBLACKLIST=
  3. export KLUSTAIR_KUBEAUDIT=
  4. export KLUSTAIR_TRIVYCREDENTIALSPATH=

Run in Docker

  1. cp .env.example .env
  2. vim .env
  3. docker-compose up -d

or 

  1. docker-compose up -d -e PATH_LOCAL_KUBECONFIG=~/.kube/config

Start Anchore locally

  1. curl https://docs.anchore.com/current/docs/engine/quickstart/docker-compose.yaml > docker-compose-anchore.yaml
  2. docker-compose -f docker-compose-anchore.yaml up -d

develop

  1. python3 -m venv env
  2. source env/bin/activate
  3. pip install -r requirements.txt
  5. deactivate

build

  1. cp .env.example .env
  2. vim .env
  3. docker compose build

or

  1. docker compose build