banzaicloud / anchore-image-validator
Anchore Image Validator lets you automatically detect or block security issues just before a Kubernetes pod starts.
License: Apache License 2.0
Substring matching is used on whitelisted image names instead of full-string match.
anchore-image-validator/cmd/handler.go
Line 80 in bf98062
MatchString reports whether the string s contains any match of the regular expression re.
Should surround with ^( and )$.
To track changes and create a usable event log we decided to store this information in custom resource.
Custom resource name: TODO
Content:
Name | Type | Description | Default |
---|---|---|---|
release-name | string | Scanned release | empty |
resource | string | Scanned resource (Pod) | empty |
image | string | Scanned image | empty |
result | string | Scan result | empty |
action | string | Admission action (allow, reject) | empty |
When a new image scan is initiated and the deployment is already whitelisted, the scanlog image detail fields are empty.
Is your feature request related to a problem? Please describe.
Instead of the implemented anchore-engine client inside the project use https://github.com/anchore/client-go
Webhook should run as nobody.
It would be better if webhook used unprivileged port.
ValidatingWebhookConfiguration should be created by image-validator instead of helm.
Describe the bug
If a deployment is scaled out for a large number of pods, sending images to scan will take a long time.
Steps to reproduce the issue:
In a test deployment set replicas to 100
Expected behavior
Shorten the response time of the anchore-engine using a precheck.
Additional context
If an image is sent for analysis, anchore-engine puts it in the queue, which affects the response time. Using the precheck, the queue will be skipped.
Is your feature request related to a problem? Please describe.
The default policy creator K8s job isn't necessary after banzaicloud/pipeline#3166 is merged.
Describe the solution you'd like to see
The chart shouldn't deploy the default policy creator job by default.
It would be deployed depending on a flag.
Incorrect parsing of images in CheckImage
The parsing of an image tag by the CheckImage function in ./pkg/anchore/client.go is incorrect when a port number is specified for the registry.
For example, if the image name is:
myregistry.example.com:5000/myrepo/myimage:mytag
Then the parsed image name will be:
myregistry.example.com
instead of:
myregistry.example.com:5000/myrepo/myimage
and the parsed tag will be
5000
instead of
mytag
I am also suspecting that if the image name specifies the image digest, then the parsing will also be incorrect (but I have not tested it yet).
Example:
myregistry.example.com/myrepo/myimage@sha256:d004d...35a2
Steps to reproduce the issue:
Try to validate an image hosted on a registry running on a non-standard port or specified with a digest.
Expected behavior
Maybe this could help with doing the proper parsing:
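As an added illustration of the port and digest cases described in this issue (example code, not the project's CheckImage implementation), the following parser only treats a ':' after the last '/' as the tag separator and splits a '@digest' suffix off first; the digest value in main is a constructed sample.

```go
package main

import (
	"fmt"
	"strings"
)

// ImageRef holds the parts of a container image reference.
type ImageRef struct {
	Name   string // registry[:port]/repository, without tag or digest
	Tag    string // e.g. "mytag"; empty when the reference has no tag
	Digest string // e.g. "sha256:<hex>"; empty when there is no digest
}

// ParseImageRef splits ref into name, tag and digest. A ':' is treated as the
// tag separator only when it comes after the last '/', so a registry port such
// as "myregistry.example.com:5000" stays in the name rather than becoming the tag.
func ParseImageRef(ref string) (ImageRef, error) {
	out, rest := ImageRef{}, ref
	// A digest is introduced by '@' and is always the final component.
	if i := strings.LastIndex(rest, "@"); i >= 0 {
		out.Digest, rest = rest[i+1:], rest[:i]
		algo, hex, ok := strings.Cut(out.Digest, ":")
		if !ok || algo == "" || hex == "" {
			return ImageRef{}, fmt.Errorf("malformed digest %q", out.Digest)
		}
	}
	// Only a ':' located after the final '/' can separate the tag.
	slash := strings.LastIndex(rest, "/")
	if colon := strings.LastIndex(rest, ":"); colon > slash {
		out.Tag, rest = rest[colon+1:], rest[:colon]
		if out.Tag == "" {
			return ImageRef{}, fmt.Errorf("empty tag in %q", ref)
		}
	}
	if rest == "" {
		return ImageRef{}, fmt.Errorf("empty image name in %q", ref)
	}
	out.Name = rest
	return out, nil
}

func main() {
	// Constructed inputs taken from the issue; the digest is a sample value, not a real one.
	for _, ref := range []string{"myregistry.example.com:5000/myrepo/myimage:mytag",
		"myregistry.example.com/myrepo/myimage@sha256:" + strings.Repeat("ab", 32)} {
		r, err := ParseImageRef(ref)
		fmt.Printf("%s -> name=%q tag=%q digest=%q err=%v\n", ref, r.Name, r.Tag, r.Digest, err)
	}
}
```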
Is your feature request related to a problem? Please describe.
Before getting the images based on the tag, the imagePullPolicy should be checked (related issue: #70).
It should be fixed in both anchore-image-validator and pipeline.
This issue was automatically created by Allstar.
Security Policy Violation
Dismiss stale reviews not configured for branch master
This issue will auto resolve when the policy is in compliance.
Issue created by Allstar. See https://github.com/ossf/allstar/ for more information. For questions specific to the repository, please contact the owner or maintainer.