anchore-image-validator

module

v0.0.0-...-1dc87c9 Latest Latest Go to latest Published: Jan 25, 2023 License: Apache-2.0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/banzaicloud/anchore-image-validator

Links

Open Source Insights

README ¶

Anchore Image Validator

Anchore Image Validator lets you automatically detect or block security issues just before a Kubernetes pod starts.

This repository contains an admission webhook server that can be configured as a ValidatingWebhook in a k8s cluster. Kubernetes will send requests to the admission server when a Pod creation is initiated. The server checks the image defined in the pod specification using the configured Anchore-engine API. If the result indicates that the image does not comply with the defined policy, k8s will reject the Pod creation request.

If an image is not valid, the release can be added to a whitelist resource (CRD) to bypass the blocking.
The results of image checks are stored as an audit resource (CRD) in a sructured format.

Installing

Helm install

Install from banzaicloud-stable repository

Add repository

$ helm repo add banzaicloud-stable https://kubernetes-charts.banzaicloud.com/
$ helm repo update

Install chart

$ helm install --set externalAnchore.anchoreHost=<my.anchore.host>  --set externalAnchore.anchoreUser=<username> --set externalAnchore.anchorePass=<password> banzaicloud-stable/anchore-policy-validator

Manual install

For manual install you need to define the following environment variables

ENV	Descripton
ANCHORE_ENGINE_USERNAME	Anchore-engine username
ANCHORE_ENGINE_PASSWORD	Anchore-engine password
ANCHORE_ENGINE_URL	Anchore-engine URL

Accessing banzaicloud security features via Kubernetes api:

$ curl http://<k8s apiserver>/apis/security.banzaicloud.com/v1alpha1

{
  "kind": "APIResourceList",
  "apiVersion": "v1",
  "groupVersion": "security.banzaicloud.com/v1alpha1",
  "resources": [
    {
      "name": "whitelistitems",
      "singularName": "whitelistitem",
      "namespaced": false,
      "kind": "WhiteListItem",
      "verbs": [ ... ],
      "shortNames": [
        "wl"
      ]
    },
    {
      "name": "audits",
      "singularName": "audit",
      "namespaced": false,
      "kind": "Audit",
      "verbs": [ ... ]
    }
  ]
}

Resources accessible via `kubectl` command:

$ kubectl get whitelist
$ kubectl get audit

Example whitelist:

apiVersion: security.banzaicloud.com/v1alpha1
kind:  WhiteListItem
metadata:
  name: <name of helm release>
spec:
  reason: <whitelisting reason>
  creator: <creator>
  [regexp:] <optional>

Example audit:

apiVersion: security.banzaicloud.com/v1alpha1
kind:  Audit
metadata:
  name: <name of audit (generated from Pod OwnerReference)>
  ownerReferences:
  - <scanned Pod OwnerReference>
spec:
  releaseName: <helm release name>
  resource: pod
  image:
    - imageName": "docker.io/image-name1",
      imageTag": "latest",
      imageDigest": "sha256:abcd1",
      lastUpdated": "2018-11-11T14:35:38Z"
    - imageName": "docker.io/image-name2",
      imageTag": "latest",
      imageDigest": "sha256:abcd2",
      lastUpdated": "2018-11-11T14:35:38Z"
  result:
    - <docker.io/image-name1 scan result>
    - <docker.io/image-name1 scan result>
  action: <allow or reject>
status:
  [state:] <optional>

Directories ¶

Path	Synopsis
cmd
internal
app
log
pkg
anchore
apis/security/v1alpha1

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL