
Anchore Image Validator

Anchore Image Validator lets you automatically detect or block security issues just before a Kubernetes pod starts.

This repository contains an admission webhook server that can be configured as a ValidatingWebhook in a k8s cluster. Kubernetes will send requests to the admission server when a Pod creation is initiated. The server checks the image defined in the pod specification using the configured Anchore-engine API. If the result indicates that the image does not comply with the defined policy, k8s will reject the Pod creation request.

  • If an image is not valid, the release can be added to a whitelist resource (CRD) to bypass the blocking.
  • The results of image checks are stored as an audit resource (CRD) in a structured format.
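As an added illustration (not code from the anchore-image-validator project), the admission decision described above in stdlib-only Go: the images of the pod's init and regular containers are checked through a policy callback that stands in for the Anchore-engine API, a failing or unscannable image rejects the pod, and a whitelisted release (looked up here by an assumed `release` pod label) overrides the rejection while the reason is kept for the audit record.

```go
package main

import (
	"encoding/json"
	"fmt"
)

type container struct{ Image string `json:"image"` } // only the image field matters here
type admissionReview struct { // stdlib-only view of the AdmissionReview fields needed
	Request struct {
		Object struct {
			Metadata struct{ Labels map[string]string `json:"labels"` } `json:"metadata"`
			Spec     struct {
				Containers     []container `json:"containers"`
				InitContainers []container `json:"initContainers"`
			} `json:"spec"`
		} `json:"object"`
	} `json:"request"`
}
// PolicyCheck stands in for the Anchore-engine policy evaluation of one image.
type PolicyCheck func(image string) (passed bool, err error)
// Decision carries what the Audit resource records: release, images, action, reason.
type Decision struct {
	Release, Action, Reason string // Action is "allow" or "reject"
	Images                  []string
}

// Decide checks every init and regular container image: a failed policy or an
// engine error (fail closed) rejects the pod unless its release is whitelisted.
// Assumption: the Helm release name is carried in the pod label "release".
func Decide(review []byte, check PolicyCheck, whitelist map[string]bool) (Decision, error) {
	var ar admissionReview
	if err := json.Unmarshal(review, &ar); err != nil {
		return Decision{}, fmt.Errorf("bad AdmissionReview: %w", err)
	}
	obj := ar.Request.Object
	d := Decision{Release: obj.Metadata.Labels["release"], Action: "allow"}
	for _, c := range append(append([]container{}, obj.Spec.InitContainers...), obj.Spec.Containers...) {
		d.Images = append(d.Images, c.Image)
		if passed, err := check(c.Image); err != nil {
			d.Action, d.Reason = "reject", fmt.Sprintf("%s: scan error: %v", c.Image, err)
		} else if !passed {
			d.Action, d.Reason = "reject", c.Image+": does not comply with policy"
		}
	}
	if d.Action == "reject" && whitelist[d.Release] {
		d.Action, d.Reason = "allow", "whitelisted release, would have rejected: "+d.Reason
	}
	return d, nil
}
```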

Installing

Helm install

Install from banzaicloud-stable repository

Add repository

$ helm repo add banzaicloud-stable https://kubernetes-charts.banzaicloud.com/
$ helm repo update

Install chart

$ helm install --set externalAnchore.anchoreHost=<my.anchore.host>  --set externalAnchore.anchoreUser=<username> --set externalAnchore.anchorePass=<password> banzaicloud-stable/anchore-policy-validator

Manual install

For a manual install you need to define the following environment variables:

ENV                      Description
ANCHORE_ENGINE_USERNAME  Anchore-engine username
ANCHORE_ENGINE_PASSWORD  Anchore-engine password
ANCHORE_ENGINE_URL       Anchore-engine URL

Accessing the banzaicloud security features via the Kubernetes API:

$ curl http://<k8s apiserver>/apis/security.banzaicloud.com/v1alpha1
{
  "kind": "APIResourceList",
  "apiVersion": "v1",
  "groupVersion": "security.banzaicloud.com/v1alpha1",
  "resources": [
    {
      "name": "whitelistitems",
      "singularName": "whitelistitem",
      "namespaced": false,
      "kind": "WhiteListItem",
      "verbs": [ ... ],
      "shortNames": [
        "wl"
      ]
    },
    {
      "name": "audits",
      "singularName": "audit",
      "namespaced": false,
      "kind": "Audit",
      "verbs": [ ... ]
    }
  ]
}

Resources accessible via kubectl command:

$ kubectl get whitelist
$ kubectl get audit

Example whitelist:

apiVersion: security.banzaicloud.com/v1alpha1
kind: WhiteListItem
metadata:
  name: <name of helm release>
spec:
  reason: <whitelisting reason>
  creator: <creator>
  [regexp:] <optional>

Example audit:

apiVersion: security.banzaicloud.com/v1alpha1
kind: Audit
metadata:
  name: <name of audit (generated from Pod OwnerReference)>
  ownerReferences:
  - <scanned Pod OwnerReference>
spec:
  releaseName: <helm release name>
  resource: pod
  image:
    - imageName: docker.io/image-name1
      imageTag: latest
      imageDigest: sha256:abcd1
      lastUpdated: "2018-11-11T14:35:38Z"
    - imageName: docker.io/image-name2
      imageTag: latest
      imageDigest: sha256:abcd2
      lastUpdated: "2018-11-11T14:35:38Z"
  result:
    - <docker.io/image-name1 scan result>
    - <docker.io/image-name2 scan result>
  action: <allow or reject>
status:
  [state:] <optional>

Issues

Fix scanlog edge case

When a new image scan is initiated and the deployment is already whitelisted, the scanlog image detail fields are empty.

Check imagePullPolicy before pre-check

Is your feature request related to a problem? Please describe.
Before getting the images based on the tag, the imagePullPolicy should be checked. ( related issues: #70 )

Incorrect parsing of images in CheckImage

The parsing of an image tag by the CheckImage function in ./pkg/anchore/client.go is incorrect when a port number is specified for the registry.

For example, if the image name is:

myregistry.example.com:5000/myrepo/myimage:mytag

Then the parsed image name will be:

myregistry.example.com

instead of:

myregistry.example.com:5000/myrepo/myimage

and the parsed tag will be

5000

instead of

mytag

I also suspect that if the image name specifies the image digest, the parsing will be incorrect as well (but I have not tested it yet).

Example:

myregistry.example.com/myrepo/myimage@sha256:d004d...35a2

Steps to reproduce the issue:

Try to validate an image hosted on a registry running on a non-standard port or specified with a digest.

Expected behavior

Maybe this could help doing the proper parsing:
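As an added example, not the project's code or the fix the report refers to: a stdlib-only Go parser covering the cases above, taking the tag only from a ':' that comes after the last '/' so a registry port is not mistaken for a tag, and splitting an '@sha256:...' digest off first. Rejecting malformed digests and empty tags is an additional check assumed here.

```go
package main

import (
	"fmt"
	"strings"
)

// ImageRef is an image reference split the way a scanner client needs it.
type ImageRef struct {
	Name   string // registry[:port]/repository, e.g. myregistry.example.com:5000/myrepo/myimage
	Tag    string // tag, or "latest" when neither a tag nor a digest is given
	Digest string // "sha256:<64 hex>" when the reference pins a digest, else empty
}

// ParseImageRef splits ref into name, tag and digest. The digest is whatever
// follows '@'; the tag separator is the last ':' that comes AFTER the last '/',
// so a registry port such as host:5000/... is never mistaken for a tag.
func ParseImageRef(ref string) (ImageRef, error) {
	r, rest := ImageRef{}, ref
	if i := strings.Index(rest, "@"); i >= 0 {
		r.Digest, rest = rest[i+1:], rest[:i]
		hex := strings.TrimPrefix(r.Digest, "sha256:")
		// Assumption: only sha256 digests are accepted; a malformed digest is an
		// error rather than something to pass on to the scanner unverified.
		if hex == r.Digest || len(hex) != 64 || strings.Trim(hex, "0123456789abcdef") != "" {
			return ImageRef{}, fmt.Errorf("malformed digest %q", r.Digest)
		}
	}
	if colon := strings.LastIndex(rest, ":"); colon > strings.LastIndex(rest, "/") {
		r.Tag, rest = rest[colon+1:], rest[:colon]
		if r.Tag == "" {
			return ImageRef{}, fmt.Errorf("empty tag in %q", ref)
		}
	}
	if rest == "" {
		return ImageRef{}, fmt.Errorf("missing image name in %q", ref)
	}
	r.Name = rest
	if r.Tag == "" && r.Digest == "" {
		r.Tag = "latest" // Docker's default when no tag or digest is given
	}
	return r, nil
}

func main() {
	for _, ref := range []string{"myregistry.example.com:5000/myrepo/myimage:mytag", "localhost:5000/app", "app@sha256:bad"} {
		r, err := ParseImageRef(ref)
		fmt.Printf("%s -> %+v err=%v\n", ref, r, err)
	}
}
```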

Create admission hook audit log via custom resource definition

To track changes and create a usable event log we decided to store this information in a custom resource.

Custom resource name: TODO

Content:

Name          Type    Description                        Default
release-name  string  Scanned release                    empty
resource      string  Scanned resource (Pod)             empty
image         string  Scanned image                      empty
result        string  Scan result                        empty
action        string  Admission action (allow, reject)   empty

Implement precheck against analysis status

Describe the bug
If a deployment is scaled out for a large number of pods, sending images to scan will take a long time.

Steps to reproduce the issue:
In a test deployment set replicas to 100

Expected behavior
Shorten the response time of the anchore-engine using a precheck.

Additional context
If an image is sent to analysis, the anchore-engine puts it in the queue and it will affect response time. Using the precheck the queue will be skipped.
