Introduction
This article describes deploying OpenClarity onto a BCM-managed Kubernetes cluster for security auditing and monitoring.
The developer of this tool describes it as:
“OpenClarity is an open source tool for agentless detection and management of Virtual Machine Software Bill Of Materials (SBOM) and security threats such as vulnerabilities, exploits, malware, rootkits, misconfigurations and leaked secrets.”
The instructions were developed on BCM 10.25.03 using Kubernetes v1.32.
Prerequisites
- Complete the installation of Kubernetes using the cm-kubernetes-setup tool as described in the administration manual.
- A permission manager is required. This is obtained by answering “yes” to the install permission manager question during the cm-kubernetes-setup process.
- A user with appropriate cluster-wide permissions to run the security audit.
Installation steps
Installation instructions are provided by the OpenClarity developer and are worth reviewing.
Deploy on Kubernetes | OpenClarity
Create a user for OpenClarity in LDAP
# cmsh
% user
% add secops
% set homedirectory /home/secops
% set loginshell /bin/bash
% commit
% quit
Assign the user to Kubernetes
# cm-kubernetes-setup --add-user secops
Connecting to CMDaemon
Executing 10 stages
################### Starting execution for 'Kubernetes Setup'
  - kubernetes
  - docker
## Progress: 0
#### stage: kubernetes: Get Kube Cluster
## Progress: 10
#### stage: kubernetes: Check Permissions User Chart
## Progress: 20
#### stage: kubernetes: Check User
## Progress: 30
#### stage: kubernetes: Check Add User
## Progress: 40
#### stage: kubernetes: Check Namespace Does Not Exist
## Progress: 50
#### stage: kubernetes: Check Cluster Admin Has No Operators
## Progress: 60
#### stage: kubernetes: Deploy user
User secops created successfully!
## Progress: 70
#### stage: kubernetes: List Installed Operators
## Progress: 80
#### stage: kubernetes: Update Operator Permissions
## Progress: 90
#### stage: kubernetes: Log Text
User added successfully!
## Progress: 100
Took: 00:06 min.
Progress: 100/100
################### Finished execution for 'Kubernetes Setup', status: completed
Kubernetes Setup finished!
Install OpenClarity using Helm
On the headnode execute the following commands.
# module load kubernetes
# helm install openclarity oci://ghcr.io/openclarity/charts/openclarity --version 1.1.2 --namespace secops-restricted
Pulled: ghcr.io/openclarity/charts/openclarity:1.1.2
Digest: sha256:32d00997f9eea56f469f1ffa7a015e26e9895307032a85b5a78e1a9e37261708
NAME: openclarity
LAST DEPLOYED: Wed Jun 18 14:53:54 2025
NAMESPACE: secops-restricted
STATUS: deployed
REVISION: 1
TEST SUITE: None
NOTES:
Thank you for installing OPENCLARITY.
Your release is named openclarity.
Here is how to access the OpenClarity UI:
$ kubectl port-forward --namespace secops-restricted service/openclarity-gateway 8080:80
$ Open OpenClarity UI in the browser: http://localhost:8080/
Allow the pods some time to start. This may be checked with:
# kubectl get pods --namespace secops-restricted
NAME                                             READY   STATUS    RESTARTS        AGE
openclarity-apiserver-d9d696477-btnrw            1/1     Running   4 (7m50s ago)   9m34s
openclarity-exploit-db-server-7d9985864d-gkjrs   1/1     Running   0               9m35s
openclarity-freshclam-mirror-6b5cb466bd-5xm6z    1/1     Running   0               9m35s
openclarity-gateway-5f5fd9fb47-4jgsv             1/1     Running   0               9m34s
openclarity-grype-server-7558cfccb5-w5h8g        1/1     Running   0               9m34s
openclarity-postgresql-0                         1/1     Running   0               9m34s
openclarity-swagger-ui-55bdd6544-nfvk2           1/1     Running   0               9m35s
openclarity-trivy-server-587998c6f5-w9ks5        1/1     Running   0               9m35s
openclarity-ui-5f64fdd485-t6wpc                  1/1     Running   0               9m34s
openclarity-uibackend-6bfc97f77c-q22fb           1/1     Running   0               9m34s
openclarity-yara-rule-server-689bd54cc5-5vv7k    1/1     Running   0               9m35s
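An added example, not part of the original article or of OpenClarity: a shell function that reads the `kubectl get pods` table used for the check above and flags pods that are not fully ready or have restarted more often than a threshold. The function names, the default threshold of 3 and the last sample row are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the article): triage `kubectl get pods` output.
# check_pods [MAX_RESTARTS] reads the table on stdin, prints one line per
# problem pod, and returns 1 if any pod is not Running and fully ready.
check_pods() {
    awk -v max="${1:-3}" '
        $1 == "NAME" || NF < 5 { next }      # skip header and short lines
        $3 == "Completed"      { next }      # finished job pods are not a fault
        {
            split($2, r, "/")                # READY column is "ready/total"
            restarts = $4 + 0                # numeric even for "4 (7m50s ago)"
            if ($3 != "Running" || r[1] != r[2]) {
                printf "NOTREADY %s ready=%s status=%s\n", $1, $2, $3
                bad = 1
            } else if (restarts > max) {
                printf "RESTARTS %s restarts=%d\n", $1, restarts
            }
        }
        END { exit bad + 0 }
    '
}

# Sample table: the first two rows are from the article's output, the last
# row is constructed to show a failing pod.
sample_pods() {
    cat <<'EOF'
NAME                                    READY   STATUS             RESTARTS        AGE
openclarity-apiserver-d9d696477-btnrw   1/1     Running            4 (7m50s ago)   9m34s
openclarity-postgresql-0                1/1     Running            0               9m34s
openclarity-example-0                   0/1     CrashLoopBackOff   6 (20s ago)     3m
EOF
}

# Offline demo; on the headnode use:
#   kubectl get pods --namespace secops-restricted | check_pods 3
sample_pods | check_pods 3 || true
```

A repeatedly restarting scanner backend is worth investigating with `kubectl describe pod` before relying on scan results.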
Enable port forwarding to view the dashboard.
$ kubectl port-forward --namespace secops-restricted service/openclarity-gateway 9999:80
Forwarding from 127.0.0.1:9999 -> 8080
Forwarding from [::1]:9999 -> 8080
You may now access the dashboard by browsing http://localhost:9999/ on the headnode.
It is also possible to use ssh port forwarding to view the dashboard remotely.
ssh root@headnode -L 9999:localhost:9999
The dashboard should appear as below: