Giter Club home page Giter Club logo

container-security-operator's Introduction

Container Security Operator

The Container Security Operator (CSO) brings Quay and Clair metadata to Kubernetes / OpenShift. Starting with vulnerability information the scope will get expanded over time. If it runs on OpenShift, the corresponding vulnerability information can be visualized inside the OCP Console. The Container Security Operator enables cluster administrators to monitor known container image vulnerabilites in pods running on their Kubernetes cluster. The controller sets up a watch on pods in the specified namespace(s) and queries the container registry for vulnerability information. If the container registry supports image scanning, such as Quay with Clair, then the Operator will expose any vulnerabilities found via the Kubernetes API in an ImageManifestVuln object. This Operator requires no additional configuration after deployment, and will begin watching pods and populating ImageManifestVulns immediately once installed.

ImageManifestVuln

The security information of scanned images are stored in ImageManifestVulns on an image manifest basis, and are named by the image's manifest digest.

Spec

The spec provides information about the features and its associated vulnarabilities. The spec should be immutable relative to the cluster. When a new vulnerability is added to a feature, the operator will update the spec after the resync threshold.

Status

The status provides information about the affected Pods/Containers. As pod are added or removed from the cluster, their references are added to the affectedPods field of the status block. The status also provide various statistics about the manifest. e.g lastUpdate, highestSeverity, ...

Label Selectors

TODO

Example config

securitylabeller:
  prometheusAddr: "0.0.0.0:8081"
  interval: 15m
  wellknownEndpoint: ".well-known/app-capabilities"
  labelPrefix: secscan
  namespaces:
    - default
    - dev

The same options can be configured from the command line:

./container-security-operator -promAddr ":8081" -resyncInterval "15m" -wellknownEndpoint ".well-known/app-capabilities" -labelPrefix "secscan" -namespace default -namespace test

Deployment

This Operator should be deployed using the Operator Lifecycle Manager (OLM), which takes care of RBAC permissions, dependency resolution, and automatic upgrades.

Kubernetes

This Operator is published upstream on operatorhub.io.

OpenShift

This Operator will be available via OperatorHub.

Development Environment

Running the labeller locally requires a valid kubeconfig. If the kubeconfig flag is omitted, an in-cluster config is assumed.

Install the ImageManifestVuln CRD

make installcrds

Running locally (using ~/.kube/config and example-config.yaml):

make run

To regenerate the CRD code:

# deepcopy
make deepcopy
# openapi
make openapi
# clientset
make clientset
# listers
make listers
# informers
make informers
# generate all
codegen
# generate all in a container
codegen-container

Deploying using OLM

Follow these steps to package and deploy the Operator from local source code using OLM:

  1. Make any code changes to the source code
  2. Build and push Operator container image
$ docker build -t quay.io/<your-namespace>/container-security-operator .
$ docker push quay.io/<your-namespace>/container-security-operator
  1. Change image field in container-security-operator.v1.0.0.clusterserviceversion.yaml to point to your image
  2. Build and push CatalogSource container image
$ cd deploy/
$ docker build -t quay.io/<your-namespace>/cso-catalog .
$ docker push quay.io/<your-namespace>/cso-catalog
  1. Change image field in cso.catalogsource.yaml to point to your image
  2. Create CatalogSource in Kubernetes cluster w/ OLM installed
# Upstream Kubernetes
$ kubectl create -n olm -f deploy/cso.catalogsource.yaml
# OpenShift
$ kubectl create -n openshift-marketplace -f deploy/cso.catalogsource.yaml
  1. After a few seconds, your Operator package should be available to create a Subscription to.
$ kubectl get packagemanifest container-security-operator

Examples

Using kubectl

Get a list of all the pods affected by vulnerable images detected by the Operator:

$ kubectl get imagemanifestvuln --all-namespaces -o json | jq '.items[].status.affectedPods' | jq 'keys' | jq 'unique'

Get a list of all detected CVEs in pods running on the cluster:

$ kubectl get imagemanifestvuln --all-namespaces -o json | jq '[.items[].spec.features[].vulnerabilities[].name'] | jq 'unique'

Check if a pod has any vulnerability, and list the CVEs, if any:

$ kubectl get imagemanifestvulns.secscan.quay.redhat.com --selector=<namespace>/<pod-name> -o jsonpath='{.items[*].spec.features[*].vulnerabilities[*].name}'

container-security-operator's People

Contributors

alecmerdler avatar fduthilleul avatar jjmengze avatar kleesc avatar ribbybibby avatar ricardomaraschini avatar

Watchers

avatar

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.