KlustAIR Helm chart

Klustair collects all the used images your Kubernetes namespaces and runs a trivy scan on them.

Demo : https://klustair.herokuapp.com/

Related Klustair projects:

• Klustair Frontend to view the scanner results
• Klustair Runner to collect and scan all your used images with trivy

Related opensource projects

• trivy A Simple and Comprehensive Vulnerability Scanner for Containers and other Artifacts
• kubeaudit kubeaudit helps you audit your Kubernetes clusters against common security controls
• anchore-engine (DEPRECATED) A service that analyzes docker images and applies user-defined acceptance policies to allow automated container image validation and certification

Screenshots

Finde more screenshots here

Installation

Read the upgrade instructions here

Generate Laravel key

The key consists of 32 random characters

Chose one of the following commands to generate one or copy the Laravel key from https://wwww.keygen.io

dd if=/dev/urandom bs=1 count=32 2>/dev/null | base64

or

date +%s | md5 | base64 | head -c 32 ; echo

of

openssl rand -base64 32

Run a local Kubernetes Cluster with kind

Installation with helm

export RELEASENAME=my-klustair
kind create cluster --config kind.yaml
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/deploy/static/provider/kind/deploy.yaml
kind export kubeconfig --name klustair --kubeconfig ./kubeconfig
helm install $RELEASENAME ./klustair -f ./klustair/values.yaml -n $RELEASENAME --create-namespace --set-file klustair.kubeconfig=./kubeconfig

You should be able now to access your installation via http://local.klustair.com (pointing to 127.0.0.1) or the defined URL in values.yaml.
the Klustair Admin credentials a visible in first Database init run. If you lost your Admin Account or need more Accounts use the “php artisan klustair:user” command on apache or php-fpm pod.

Uninstall

helm list 
helm uninstall $RELEASENAME
kind delete cluster $RELEASENAME

Helm chart repo installation

trivy.repoCredentials and klustair.gcloudCredentials are optional

export RELEASENAME=my-klustair
helm repo add klustair https://klustair.github.io/klustair-helm
helm install \
--set klustairfrontend.url=your.klustair.domain.com \
--set klustairfrontend.appkey=base64:<put your generated Laravel key here> \
--set-file klustair.kubeconfig=/path/to/your/kubeconfig \
--set-file trivy.repoCredentials=/path/to/your/repocredentials.json \
--set-file klustair.gcloudCredentials=/path/to/your/gcloudcredentials.json \
$RELEASENAME klustair/klustair

Update/Configure secrets

Follow this instruction to generate Google Serviceaccount and credentials

https://ahmet.im/blog/authenticating-to-gke-without-gcloud/

export RELEASENAME=$(helm list | grep klustair | awk '{print $1}')
kubectl delete secrets $RELEASENAME-configs
kubectl create secret generic $RELEASENAME-configs \
--from-file=kube.config=/path/to/your/kubeconfig \
--from-file=repo-credentials.json=/path/to/your/repocredentials.json \
--from-file=gcloud-credentials.json=/path/to/your/gcloudcredentials.json

Example credentials

https://github.com/klustair/klustair/blob/master/repo-credentials.json.example

Chart Configuration

You find a full list of all Chart values here:

https://artifacthub.io/packages/helm/klustair/klustair?modal=values-schema