
anchore-engine

Deploying anchore-engine using Kubernetes

K8s postgres

Anchore is a service that analyzes Docker images and applies user-defined acceptance policies to allow automated container image validation and certification.

🔹 Anchore engine architecture - from Sysdig kubernetes security guide:

The Anchore Engine architecture consists of six components that can either be deployed in a single container or scaled out:

  1. API Service: Central communication interface that can be accessed by code, using a REST API, or directly, using the command line.
  2. Image Analyzer Service: Executed by the “worker”, these Anchore nodes perform the actual Docker image scanning.
  3. Catalog Service: Internal database and system state service.
  4. Queuing Service: Organizes, persists and schedules the engine tasks.
  5. Policy Engine Service: Policy evaluation and vulnerabilities matching rules.
  6. Kubernetes Webhook Service: Kubernetes-specific webhook service to validate images before they are spawned.

(Figure: Anchore-architecture diagram)

How image scanning tools work:

  • Image scanning tools extract the image filesystem, then look for all available packages and libraries.
  • The version of each of these packages and libraries is compared against the vulnerability DB.
  • If any package version matches one of the CVE descriptions in the DB, a vulnerability within the image is reported.
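
The matching step described in the list above, as an added illustration (not Anchore's code and not its feed format): a constructed package inventory in the shape of `dpkg-query -W -f '${Package} ${Version}\n'` output is compared against a constructed vulnerability DB whose entries carry the first fixed version. The CVE ids are placeholders, and the version comparison is a simplified approximation of Debian ordering (it ignores the `~` pre-release rule).

```python
"""Added illustration (not Anchore's code): how a scanner matches an image's
package inventory against a vulnerability database. All data below is
constructed; the CVE ids are placeholders, not real advisories."""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Vuln:
    cve: str                 # placeholder identifier
    package: str             # affected package name
    fixed_in: Optional[str]  # first non-vulnerable version; None = no fix yet
    severity: str


# Constructed vulnerability DB (hypothetical entries)
VULN_DB = [
    Vuln("CVE-0000-0001", "openssl", "1.1.1f-1ubuntu2.17", "High"),
    Vuln("CVE-0000-0002", "libc6", "2.31-0ubuntu9.10", "Medium"),
    Vuln("CVE-0000-0003", "bash", None, "Low"),
    Vuln("CVE-0000-0004", "curl", "7.68.0-1ubuntu2.20", "Critical"),
]

# Constructed package inventory, in the shape produced by
#   dpkg-query -W -f '${Package} ${Version}\n'
# run against the image's extracted root filesystem.
IMAGE_PACKAGES = """\
openssl 1.1.1f-1ubuntu2.16
libc6 2.31-0ubuntu9.10
bash 5.0-6ubuntu1.2
zlib1g 1:1.2.11.dfsg-2ubuntu1.3
"""


def parse_packages(text: str) -> dict:
    """Map package name -> installed version from 'name version' lines."""
    packages = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, version = line.split(None, 1)
        packages[name] = version
    return packages


def version_key(version: str):
    """Sort key approximating Debian version ordering: epoch first, then
    alternating numeric/non-numeric chunks (numbers compared as integers).
    Simplified: it ignores the '~' pre-release rule of real dpkg comparison."""
    if ":" in version:
        epoch, rest = version.split(":", 1)
    else:
        epoch, rest = "0", version
    chunks = [(0, int(t)) if t.isdigit() else (1, t)
              for t in re.findall(r"\d+|\D+", rest)]
    return (int(epoch) if epoch.isdigit() else 0, chunks)


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 as a is older than, equal to or newer than b."""
    ka, kb = version_key(a), version_key(b)
    return (ka > kb) - (ka < kb)


def is_affected(installed: str, fixed_in: Optional[str]) -> bool:
    """A package is affected when no fix exists or it is older than the fix.
    A package already at the fixed version is not affected."""
    if fixed_in is None:
        return True
    return compare_versions(installed, fixed_in) < 0


def find_vulns(packages: dict, db=VULN_DB) -> list:
    """Report every DB entry whose package is installed in an affected version."""
    findings = []
    for vuln in db:
        installed = packages.get(vuln.package)
        if installed is None:
            continue  # package not present in the image at all
        if is_affected(installed, vuln.fixed_in):
            findings.append({
                "cve": vuln.cve, "package": vuln.package,
                "installed": installed, "fixed_in": vuln.fixed_in,
                "severity": vuln.severity,
            })
    return findings


if __name__ == "__main__":
    for f in find_vulns(parse_packages(IMAGE_PACKAGES)):
        fix = f["fixed_in"] or "no fix available"
        print(f"{f['cve']} {f['severity']:8} {f['package']} {f['installed']} -> fix: {fix}")
```

Running it reports openssl (older than the fixed version) and bash (no fix available) and stays silent on libc6, which is exactly at the fixed version, and on zlib1g, which has no DB entry. Real scanners additionally match on the distribution and release the package came from, since the same package name carries different fixed versions per distro feed.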

🔹 Deploy anchore engine:

# Clone the repo 
git clone https://github.com/theJaxon/anchore-engine.git

# Apply the defined yaml files (k is an alias for kubectl)
k apply -f anchore-engine/anchore/

🔴 For the persistent volume I rely on dynamic provisioning provided by local-path-provisioner:

kubectl apply -f https://raw.githubusercontent.com/rancher/local-path-provisioner/master/deploy/local-path-storage.yaml

🔹 Install anchore-cli:

apt-get install python3-pip
pip3 install anchorecli

# Make ~/.local/bin part of the PATH or export it using
export PATH="$HOME/.local/bin/:$PATH"

🔹 Interact with anchore using the CLI:

  1. Get the IP address of the api service:
     api_ip=http://$(k get svc -l app=api -ojsonpath='{.items[0].spec.clusterIP}'):8228
  2. Add an image to the engine using the pre-defined credentials:
     anchore-cli --u admin --p foobar --url $api_ip image add ubuntu

# Export the connection details so the following commands can omit --u/--p/--url
export ANCHORE_CLI_URL=$api_ip ANCHORE_CLI_USER=admin ANCHORE_CLI_PASS=foobar

# Wait for the analysis to complete
anchore-cli image wait ubuntu

# Get image overview
anchore-cli image get ubuntu
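
Once an image is analyzed, the usual next step is to consume the vulnerability report in a pipeline. The script below is an added example, not part of this repository: it parses the JSON that `anchore-cli --json image vuln <image> all` prints and decides whether a build should be blocked. The embedded report is constructed; its field names (`vulnerabilities`, `vuln`, `severity`, `package`, `fix`) are assumed to match anchore-cli's JSON output, and the CVE ids are placeholders.

```python
"""Added example (not part of the repository): gate a pipeline on the JSON
vulnerability report emitted by anchore-cli. The report below is constructed;
its field names are assumed to match
    anchore-cli --json image vuln <image> all
and the CVE ids are placeholders."""
import json
import sys

# Anchore's severity scale, lowest to highest.
SEVERITY_ORDER = ["Unknown", "Negligible", "Low", "Medium", "High", "Critical"]

# Constructed sample report (shape assumed from anchore-cli's JSON output).
SAMPLE_REPORT = json.dumps({
    "vulnerabilities": [
        {"vuln": "CVE-0000-0101", "severity": "Critical",
         "package": "openssl-1.1.1f-1ubuntu2.16", "fix": "1.1.1f-1ubuntu2.17"},
        {"vuln": "CVE-0000-0102", "severity": "High",
         "package": "bash-5.0-6ubuntu1.2", "fix": "None"},
        {"vuln": "CVE-0000-0103", "severity": "Low",
         "package": "zlib1g-1:1.2.11.dfsg-2ubuntu1.3", "fix": "None"},
        {"vuln": "CVE-0000-0104", "severity": "Medium",
         "package": "libc6-2.31-0ubuntu9.9", "fix": "2.31-0ubuntu9.10"},
    ]
})


def severity_rank(severity: str) -> int:
    """Position on the severity scale; unexpected labels count as Unknown."""
    try:
        return SEVERITY_ORDER.index(severity)
    except ValueError:
        return 0


def has_fix(entry: dict) -> bool:
    """anchore-cli reports the string 'None' when no fixed version exists."""
    return entry.get("fix") not in (None, "", "None")


def summarize(report_json: str) -> dict:
    """Count findings per severity, e.g. {'Critical': 1, 'High': 1, ...}."""
    counts = {}
    for entry in json.loads(report_json)["vulnerabilities"]:
        counts[entry["severity"]] = counts.get(entry["severity"], 0) + 1
    return counts


def gate(report_json: str, fail_on: str = "High", ignore_unfixed: bool = False):
    """Return (passed, blocking): blocking lists every finding at or above the
    fail_on severity. With ignore_unfixed=True, findings that have no fixed
    version yet do not block the build (they still show up in summarize(),
    so they are tracked rather than hidden)."""
    threshold = severity_rank(fail_on)
    blocking = []
    for entry in json.loads(report_json)["vulnerabilities"]:
        if severity_rank(entry["severity"]) < threshold:
            continue
        if ignore_unfixed and not has_fix(entry):
            continue
        blocking.append(entry["vuln"])
    return (len(blocking) == 0, blocking)


if __name__ == "__main__":
    # Real use: anchore-cli --json image vuln ubuntu all > report.json
    #           python3 gate.py report.json
    report = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    print("findings by severity:", summarize(report))
    passed, blocking = gate(report, fail_on="High", ignore_unfixed=True)
    print("PASS" if passed else f"FAIL: {blocking}")
    sys.exit(0 if passed else 1)
```

Anchore's own policy evaluation (`anchore-cli evaluate check <image>`) is the built-in way to gate on the engine's policy bundle; a script like this is for pipelines that want a severity threshold of their own, or want unfixed findings reported without blocking the build.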