
How do I ensure that the container images I run on my BCM cluster through Kubernetes are secure?

Introduction

This article describes deploying OpenClarity onto a BCM managed Kubernetes cluster for the purposes of security auditing and monitoring.

The developer of this tool describes it as:
“OpenClarity is an open source tool for agentless detection and management of Virtual Machine Software Bill Of Materials (SBOM) and security threats such as vulnerabilities, exploits, malware, rootkits, misconfigurations and leaked secrets.”

The instructions were developed on BCM 10.25.03 using Kubernetes v1.32. 

Prerequisites

  • Complete the installation of Kubernetes using the cm-kubernetes-setup tool as described in the administration manual.
  • A permission manager is required. This is obtained by answering “yes” to the install permission manager question during the cm-kubernetes-setup process.
  • A user with appropriate cluster-wide permissions to run the security audit.

Installation steps

Installation instructions are provided by the OpenClarity developer and are worth reviewing.
Deploy on Kubernetes | OpenClarity

Create a user for OpenClarity in LDAP

# cmsh
% user
% add secops
% set homedirectory /home/secops
% set loginshell /bin/bash
% commit
% quit

Assign the user to Kubernetes 

# cm-kubernetes-setup --add-user secops

Connecting to CMDaemon
Executing 10 stages
################### Starting execution for 'Kubernetes Setup'
- kubernetes
- docker
## Progress: 0
#### stage: kubernetes: Get Kube Cluster
## Progress: 10
#### stage: kubernetes: Check Permissions User Chart
## Progress: 20
#### stage: kubernetes: Check User
## Progress: 30
#### stage: kubernetes: Check Add User
## Progress: 40
#### stage: kubernetes: Check Namespace Does Not Exist
## Progress: 50
#### stage: kubernetes: Check Cluster Admin Has No Operators
## Progress: 60
#### stage: kubernetes: Deploy user
User secops created successfully!
## Progress: 70
#### stage: kubernetes: List Installed Operators
## Progress: 80
#### stage: kubernetes: Update Operator Permissions
## Progress: 90
#### stage: kubernetes: Log Text
User added successfully!
## Progress: 100

Took: 00:06 min.
Progress: 100/100
################### Finished execution for 'Kubernetes Setup', status: completed

Kubernetes Setup finished!

Install OpenClarity using Helm

On the headnode execute the following commands.

# module load kubernetes
# helm install openclarity oci://ghcr.io/openclarity/charts/openclarity --version 1.1.2 --namespace secops-restricted

Pulled: ghcr.io/openclarity/charts/openclarity:1.1.2
Digest: sha256:32d00997f9eea56f469f1ffa7a015e26e9895307032a85b5a78e1a9e37261708
NAME: openclarity
LAST DEPLOYED: Wed Jun 18 14:53:54 2025
NAMESPACE: secops-restricted
STATUS: deployed
REVISION: 1
TEST SUITE: None
NOTES:
Thank you for installing OPENCLARITY.

Your release is named openclarity.

Here is how to access the OpenClarity UI:

$ kubectl port-forward --namespace secops-restricted service/openclarity-gateway 8080:80
$ Open OpenClarity UI in the browser: http://localhost:8080/

Allow the pods some time to start. This may be checked with:

# kubectl get pods --namespace secops-restricted
NAME READY STATUS RESTARTS AGE
openclarity-apiserver-d9d696477-btnrw 1/1 Running 4 (7m50s ago) 9m34s
openclarity-exploit-db-server-7d9985864d-gkjrs 1/1 Running 0 9m35s
openclarity-freshclam-mirror-6b5cb466bd-5xm6z 1/1 Running 0 9m35s
openclarity-gateway-5f5fd9fb47-4jgsv 1/1 Running 0 9m34s
openclarity-grype-server-7558cfccb5-w5h8g 1/1 Running 0 9m34s
openclarity-postgresql-0 1/1 Running 0 9m34s
openclarity-swagger-ui-55bdd6544-nfvk2 1/1 Running 0 9m35s
openclarity-trivy-server-587998c6f5-w9ks5 1/1 Running 0 9m35s
openclarity-ui-5f64fdd485-t6wpc 1/1 Running 0 9m34s
openclarity-uibackend-6bfc97f77c-q22fb 1/1 Running 0 9m34s
openclarity-yara-rule-server-689bd54cc5-5vv7k 1/1 Running 0 9m35s
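
The wait described above can be scripted as a readiness gate that runs before port forwarding. This is an added example, not part of the original article or the OpenClarity project; the function names, the restart threshold of 5 and the sample listing are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example: readiness gate for the OpenClarity pods.
# Function names and the restart threshold are assumptions of this example.

# Read `kubectl get pods` table output on stdin and print one line per pod
# that is not Running, not fully ready, or restarted more than $1 times.
unhealthy_pods() {
  awk -v max="${1:-5}" '
    NR == 1 { next }                  # skip the header row
    {
      split($2, r, "/")               # READY column, e.g. 1/1
      # RESTARTS may read "4 (7m50s ago)"; the count is still field 4.
      if ($3 != "Running" || r[1] != r[2] || $4 + 0 > max)
        printf "%s ready=%s status=%s restarts=%d\n", $1, $2, $3, $4
    }
    # An empty or header-only listing must not be mistaken for "all healthy".
    END { if (NR < 2) print "no-pods-listed" }'
}

# Constructed sample in the format shown above (the gateway row is made unhealthy).
sample_pods() {
  cat <<'EOF'
NAME                                   READY   STATUS             RESTARTS        AGE
openclarity-apiserver-d9d696477-btnrw  1/1     Running            4 (7m50s ago)   9m34s
openclarity-gateway-5f5fd9fb47-4jgsv   0/1     CrashLoopBackOff   6 (30s ago)     9m34s
openclarity-postgresql-0               1/1     Running            0               9m34s
EOF
}

# Poll the live cluster until every pod passes, or give up after $2 attempts.
wait_for_openclarity() {
  local ns="${1:-secops-restricted}" tries="${2:-30}" bad=""
  while [ "$tries" -gt 0 ]; do
    bad="$(kubectl get pods --namespace "$ns" | unhealthy_pods 5)"
    [ -z "$bad" ] && return 0
    tries=$((tries - 1))
    sleep 10
  done
  printf '%s\n' "$bad" >&2          # report what was still failing
  return 1
}
```

After `module load kubernetes`, source the file and run `wait_for_openclarity secops-restricted`; a non-zero exit lists the pods that still failed the check.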

Enable port forwarding to view the dashboard.

$ kubectl port-forward --namespace secops-restricted service/openclarity-gateway 9999:80
Forwarding from 127.0.0.1:9999 -> 8080
Forwarding from [::1]:9999 -> 8080

You may now access the dashboard by browsing http://localhost:9999/ on the headnode.
It is also possible to use ssh port forwarding to view the dashboard remotely.

ssh root@headnode -L 9999:localhost:9999

The dashboard should appear as below:

 

 

Updated on June 27, 2025
