klustair / klustair-helm

Helm chart to deploy Klustair with Anchore

License: Apache License 2.0

Shell 5.01% Mustache 94.99%
helm kubernetes security vulnerability-scanners

klustair-helm's Introduction

The Klustair scanner scans your Kubernetes namespaces for the images in use and submits them to Anchore. This is the scanner part.

INFORMATION: This runner is deprecated in favor of the new klustair-cli. For Klustair newer than v0.6.0, please use the klustair-cli, written in Go.


Related Klustair projects:

Related open-source projects:

  • trivy A Simple and Comprehensive Vulnerability Scanner for Containers and other Artifacts
  • (DEPRECATED) anchore-engine A service that analyzes docker images and applies user-defined acceptance policies to allow automated container image validation and certification
  • kubeaudit kubeaudit helps you audit your Kubernetes clusters against common security controls

Requirements

  • Python 3
  • Running Anchore (See docker-compose-anchore.yaml)

Usage

usage: runner.py [-h] [-v] [-n NAMESPACES] [-N NAMESPACESBLACKLIST]
                 [-k KUBEAUDIT] [-l LABEL] [-a] [-t] [-c TRIVYCREDENTIALSPATH]
                 [-ld LIMITDATE] [-ln LIMITNR] [-C CONFIGKEY] [-H APIHOST]

optional arguments:
  -h, --help            show this help message and exit
  -v, --verbose         increase output verbosity
  -n NAMESPACES, --namespaces NAMESPACES
                        Comma-separated whitelist of namespaces to check
  -N NAMESPACESBLACKLIST, --namespacesblacklist NAMESPACESBLACKLIST
                        Comma-separated blacklist of namespaces to skip
  -k KUBEAUDIT, --kubeaudit KUBEAUDIT
                        Comma-separated list of audits to run. default: 'all',
                        disable: 'none'
  -l LABEL, --label LABEL
                        An optional title for your run
  -a, --anchore         Run Anchore vulnerability checks
  -t, --trivy           Run Trivy vulnerability checks
  -c TRIVYCREDENTIALSPATH, --trivycredentialspath TRIVYCREDENTIALSPATH
                        Path to repo credentials for trivy
  -ld LIMITDATE, --limitDate LIMITDATE
                        Remove reports older than X days
  -ln LIMITNR, --limitNr LIMITNR
                        Keep only X reports
  -C CONFIGKEY          Load remote configuration from frontend
  -H APIHOST            Remote API-host address [example: https://localhost:8443]

ENV vars

export KLUSTAIR_NAMESPACES=
export KLUSTAIR_NAMESPACEBLACKLIST=
export KLUSTAIR_KUBEAUDIT=
export KLUSTAIR_TRIVYCREDENTIALSPATH=

Run in Docker

cp .env.example .env
vim .env
docker-compose up -d 

or

PATH_LOCAL_KUBECONFIG=~/.kube/config docker-compose up -d

Start Anchore locally

curl https://docs.anchore.com/current/docs/engine/quickstart/docker-compose.yaml > docker-compose-anchore.yaml
docker-compose -f docker-compose-anchore.yaml up -d 

develop

python3 -m venv env
source env/bin/activate
pip install -r requirements.txt

deactivate

build

cp .env.example .env
vim .env
docker compose build


klustair-helm's People

Contributors

claudio-walser, mms-bruno, mms-gianni, srf-stefan

klustair-helm's Issues

Wrong tag for frontend

Current release of the Chart (0.8.1) tries to deploy v0.8.1 (=image.tag) of klustair-frontend instead of v0.8.0 (=image.tagFrontend).

Events:
  Type     Reason     Age                From               Message
  ----     ------     ----               ----               -------
  Normal   Scheduled  84s                default-scheduler  Successfully assigned security/klustair-frontend-5f7c956547-p2w6f to k8s4p
  Normal   Pulling    44s (x3 over 83s)  kubelet            Pulling image "klustair/klustair-frontend:v0.8.1-php-fpm"
  Warning  Failed     42s (x3 over 82s)  kubelet            Failed to pull image "klustair/klustair-frontend:v0.8.1-php-fpm": rpc error: code = Unknown desc = Error response from daemon: manifest for klustair/klustair-frontend:v0.8.1-php-fpm not found: manifest unknown: manifest unknown
  Warning  Failed     42s (x3 over 82s)  kubelet            Error: ErrImagePull
  Normal   BackOff    4s (x5 over 81s)   kubelet            Back-off pulling image "klustair/klustair-frontend:v0.8.1-php-fpm"
  Warning  Failed     4s (x5 over 81s)   kubelet            Error: ImagePullBackOff

How to use klustair behind ingress using subpath /klustair?

The closest I got was this one, that returns an unformatted page and all links point to / not /klustair

Ingress config:

---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /$2
  name: ingress-klustair
  namespace: klustair-scan
spec:
  rules:
  - http:
      paths:
      - backend:
          service:
            name: klustair-app-frontend
            port:
              number: 80
        path: /klustair(/|$)(.*)
        pathType: Prefix

repoCredentials should not be set by default if not using private repo

repoCredentials should not be set by default if not using private repo, otherwise it fails:

INFO: Load Pod an Container informations
INFO: Load trivy Vulnerabilities
Traceback (most recent call last):
  File "./runner.py", line 841, in <module>
    run()
  File "./runner.py", line 783, in run
    [imageTrivyVulnList, imageTrivyVulnSummary] = getImageTrivyVulnerabilities(uniqueImagesList, repoCredentials)
  File "./runner.py", line 285, in getImageTrivyVulnerabilities
    addCredentials(image['fulltag'], repoCredentials)
  File "./runner.py", line 221, in addCredentials
    for credential, credentialData in repoCredentials.items():
AttributeError: 'str' object has no attribute 'items'

Issue solved by deleting the repoCredentials line from the secret. I'm not using a private repo right now.
repoCredentials must only have values if explicitly specified with the helm --set command
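The traceback above comes from iterating `repoCredentials.items()` on a value that is the empty string the chart mounts when no private repo is configured. The snippet below is an added example (not Klustair's own code) of how a runner can load registry credentials defensively: empty or missing input means "scan anonymously", JSON text is parsed and validated, and anything malformed fails at startup instead of mid-scan. The JSON shape `{"<registry>": {"username": ..., "password": ...}}` and the function names are assumptions for this illustration; `TRIVY_USERNAME`/`TRIVY_PASSWORD` are Trivy's real environment variables for registry authentication.

```python
"""Added example (not Klustair's code): defensively load Trivy registry
credentials so that an empty or missing secret means "no credentials"
instead of crashing with `'str' object has no attribute 'items'`.

Assumed credential file shape (not taken from the page):
  {"registry.example.com": {"username": "...", "password": "..."}}
"""
import json
from collections.abc import Mapping
from typing import Dict, Optional, Union

Credential = Dict[str, str]
CredentialMap = Dict[str, Credential]


def load_repo_credentials(raw: Union[None, str, bytes, Mapping]) -> CredentialMap:
    """Normalise whatever came out of the Secret / env var into a dict.

    - None, "" or whitespace-only  -> {}   (public registries only)
    - JSON text                    -> parsed, then validated
    - an already-parsed mapping    -> validated as-is
    Anything else raises ValueError so a misconfigured chart fails loudly
    at startup rather than halfway through a scan.
    """
    if raw is None:
        return {}
    if isinstance(raw, bytes):
        raw = raw.decode("utf-8")
    if isinstance(raw, str):
        if not raw.strip():
            return {}
        try:
            raw = json.loads(raw)
        except json.JSONDecodeError as exc:
            raise ValueError(f"repoCredentials is not valid JSON: {exc}") from exc
    if not isinstance(raw, Mapping):
        raise ValueError(
            f"repoCredentials must be a JSON object, got {type(raw).__name__}")

    creds: CredentialMap = {}
    for registry, data in raw.items():
        if not isinstance(data, Mapping) or not {"username", "password"} <= set(data):
            raise ValueError(f"credential for {registry!r} needs 'username' and 'password'")
        creds[str(registry).lower()] = {
            "username": str(data["username"]),
            "password": str(data["password"]),
        }
    return creds


def registry_of(fulltag: str) -> str:
    """Registry host of an image reference, following Docker's rule: the first
    path component is a registry only if it contains '.' or ':' or is
    'localhost'; otherwise the image lives on Docker Hub."""
    first, sep, _ = fulltag.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        return first.lower()
    return "docker.io"


def trivy_env_for(fulltag: str, creds: CredentialMap) -> Dict[str, str]:
    """Environment to pass to the trivy subprocess for this image.
    An empty dict means "scan anonymously"."""
    cred: Optional[Credential] = creds.get(registry_of(fulltag))
    if cred is None:
        return {}
    return {"TRIVY_USERNAME": cred["username"], "TRIVY_PASSWORD": cred["password"]}


# Constructed sample values standing in for what the chart mounts from the Secret.
EMPTY_SECRET = ""  # the chart's default when no private repo is configured
PRIVATE_SECRET = json.dumps(
    {"registry.example.com": {"username": "scanner", "password": "s3cr3t"}})

if __name__ == "__main__":
    # Empty secret: no crash, public image is scanned anonymously.
    print(trivy_env_for("nginx:1.21", load_repo_credentials(EMPTY_SECRET)))
    # Private registry: credentials are matched on the image's registry host.
    print(trivy_env_for("registry.example.com/app:v1",
                        load_repo_credentials(PRIVATE_SECRET)))
```

Feeding the mounted secret through `load_repo_credentials` at startup turns the chart-default empty value into an empty dict, so the per-image loop that failed above simply finds no matching credential and runs Trivy without authentication.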

Add an option to skip Ingress deployment

Describe the bug
The Ingress config from this chart uses deprecated values, which causes the installation to fail when using ArgoCD. I downloaded the chart, deleted the ingress deploy file, installed from this local downloaded chart and it worked.

Version/Container Tag
0.8.0

missing rbac permissions

I'm running the release v0.8.0 with the following values:

klustairJob:
  namespaces: ""
  rbac:
    create: true
  serviceAccount:
    create: true

I receive the following error in the job's logs:
services is forbidden: User "system:serviceaccount:security:klustair-job" cannot list resource "services" in API group "" in the namespace "security"
jobs.batch is forbidden: User "system:serviceaccount:security:klustair-job" cannot list resource "jobs" in API group "batch" in the namespace "security"
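The two "forbidden" lines above are the API server telling you exactly which (group, resource, verb) triples the job's Role lacks. Rather than discovering them one failed job at a time, a Role can be checked against the scanner's needs before it is deployed. The block below is an added example, not part of the chart: the list of needed permissions is an assumption (the page names only `services` and `jobs.batch`; pods and the workload controllers are added as the obvious other things a namespace scanner lists), and the Role is a constructed sample in the dict form a YAML loader would produce, not the chart's real template. It also builds the minimal rule set that covers the needs with no wildcards, which is what a least-privilege Role for the job should look like.

```python
"""Added example (not part of the klustair-helm chart): check a Role against
the verbs a namespace scanner needs, mirroring Kubernetes RBAC matching,
and build the minimal rule set that covers them.

Assumptions: SCANNER_NEEDS is an illustration, not taken from the chart;
INCOMPLETE_ROLE is a constructed sample (dict literal, as yaml.safe_load
would return), not the chart's actual template.
"""
from typing import Dict, List, Set, Tuple

# (apiGroup, resource, verb); "" is the core API group.
Need = Tuple[str, str, str]

# What a per-namespace scanner lists. services and jobs.batch are the two the
# errors above name; the rest are assumed.
SCANNER_NEEDS: List[Need] = [
    ("", "pods", "list"),
    ("", "services", "list"),
    ("apps", "deployments", "list"),
    ("apps", "statefulsets", "list"),
    ("apps", "daemonsets", "list"),
    ("batch", "jobs", "list"),
    ("batch", "cronjobs", "list"),
]

# Constructed sample Role of the kind that produces the errors above:
# workload controllers are covered, services and jobs are not.
INCOMPLETE_ROLE = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "Role",
    "metadata": {"name": "klustair-job", "namespace": "security"},
    "rules": [
        {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]},
        {"apiGroups": ["apps"],
         "resources": ["deployments", "statefulsets", "daemonsets"],
         "verbs": ["list"]},
        {"apiGroups": ["batch"], "resources": ["cronjobs"], "verbs": ["list"]},
    ],
}


def rule_allows(rule: Dict, group: str, resource: str, verb: str) -> bool:
    """RBAC rule matching: '*' is a wildcard in each list, and a rule applies
    only when apiGroup, resource and verb all match."""
    groups = rule.get("apiGroups", [])
    resources = rule.get("resources", [])
    verbs = rule.get("verbs", [])
    return (("*" in groups or group in groups)
            and ("*" in resources or resource in resources)
            and ("*" in verbs or verb in verbs))


def missing_permissions(role: Dict, needs: List[Need]) -> List[Need]:
    """Return the triples in `needs` that no rule in `role` grants,
    in the order they were asked for."""
    rules = role.get("rules", [])
    return [n for n in needs if not any(rule_allows(r, *n) for r in rules)]


def forbidden_messages(role: Dict, needs: List[Need]) -> List[str]:
    """Render the gaps in the same shape as the API server's error, so the
    pre-deploy check reads like the runtime failure it prevents."""
    ns = role.get("metadata", {}).get("namespace", "")
    return [f'cannot list resource "{res}" in API group "{grp}" in the namespace "{ns}"'
            for grp, res, verb in missing_permissions(role, needs) if verb == "list"]


def minimal_rules(needs: List[Need]) -> List[Dict]:
    """Smallest wildcard-free rule set covering `needs`: resources in the same
    API group that need the same verbs share one rule, nothing more is granted."""
    per_resource: Dict[Tuple[str, str], Set[str]] = {}
    for group, resource, verb in needs:
        per_resource.setdefault((group, resource), set()).add(verb)
    grouped: Dict[Tuple[str, Tuple[str, ...]], Set[str]] = {}
    for (group, resource), verbs in per_resource.items():
        grouped.setdefault((group, tuple(sorted(verbs))), set()).add(resource)
    return [{"apiGroups": [g], "resources": sorted(res), "verbs": list(v)}
            for (g, v), res in sorted(grouped.items())]


if __name__ == "__main__":
    for line in forbidden_messages(INCOMPLETE_ROLE, SCANNER_NEEDS):
        print("MISSING:", line)
    fixed_role = {**INCOMPLETE_ROLE, "rules": minimal_rules(SCANNER_NEEDS)}
    print("gaps after fix:", missing_permissions(fixed_role, SCANNER_NEEDS))
```

Run against the sample, the check reports the two gaps that match the log lines above; replacing the rules with `minimal_rules(SCANNER_NEEDS)` closes them while still granting only `list` on the named resources, which is what `rbac.create: true` should produce for a read-only scanner.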
