Introduction
This article describes deploying KubeClarity onto a Bright-managed Kubernetes cluster for security auditing and monitoring of the container images running in the cluster.
The developer of this tool describes it as:
“KubeClarity is a tool for detection and management of Software Bill Of Materials (SBOM) and vulnerabilities of container images and filesystems. It scans both runtime K8s clusters and CI/CD pipelines for enhanced software supply chain security.”
The instructions were developed on Bright 9.2-7 using Kubernetes 1.24.
Prerequisites
- Complete the installation of Kubernetes using the cm-kubernetes-setup tool as described in the administration manual.
- The Kubernetes permission manager must be installed. It is installed by answering “yes” to the install permission manager question during the cm-kubernetes-setup run.
- A user with appropriate cluster-wide permissions to run the security audit.
Installation steps
Installation instructions are provided by the KubeClarity developer and are worth reviewing.
https://github.com/openclarity/kubeclarity#install-kubeclarity-in-a-k8s-cluster-using-helm
Create a user for KubeClarity in LDAP
# cmsh
% user
% add secops
% set homedirectory /home/secops
% set loginshell /bin/bash
% commit
% quit
Assign the user to Kubernetes
# cm-kubernetes-setup --add-user secops
Connecting to CMDaemon
Executing 10 stages
################### Starting execution for 'Kubernetes Setup'
  - kubernetes
  - docker
## Progress: 0
#### stage: kubernetes: Get Kube Cluster
## Progress: 10
#### stage: kubernetes: Check Permissions User Chart
## Progress: 20
#### stage: kubernetes: Check User
## Progress: 30
#### stage: kubernetes: Check Add User
## Progress: 40
#### stage: kubernetes: Check Namespace Does Not Exist
## Progress: 50
#### stage: kubernetes: Check Cluster Admin Has No Operators
## Progress: 60
#### stage: kubernetes: Deploy user
User secops created successfully!
## Progress: 70
#### stage: kubernetes: List Installed Operators
## Progress: 80
#### stage: kubernetes: Update Operator Permissions
## Progress: 90
#### stage: kubernetes: Log Text
User added successfully!
## Progress: 100
Took: 00:06 min.
Progress: 100/100
################### Finished execution for 'Kubernetes Setup', status: completed
Kubernetes Setup finished!
Configure the secops user with the required cluster permissions
The KubeClarity Helm chart creates a namespace, a service account and cluster-wide RBAC objects, so the installing user needs cluster-wide rights. The simplest option is the cluster-admin role, as below. Be aware that this makes secops fully privileged on the cluster: restrict the account to the people running the audit, and consider a narrower role once the exact permissions the chart needs at your site are known.
# cm-kubernetes-setup --modify-user secops --role cluster-admin
Connecting to CMDaemon
Executing 10 stages
################### Starting execution for 'Kubernetes Setup'
  - kubernetes
  - docker
## Progress: 0
#### stage: kubernetes: Get Kube Cluster
## Progress: 10
#### stage: kubernetes: Check Permissions User Chart
## Progress: 20
#### stage: kubernetes: Check User
## Progress: 30
#### stage: kubernetes: Check Existing User
## Progress: 40
#### stage: kubernetes: List Installed Operators
## Progress: 50
#### stage: kubernetes: List Existing Operator Perms For User
## Progress: 60
#### stage: kubernetes: Deploy user
## Progress: 70
#### stage: kubernetes: List Installed Operators
## Progress: 80
#### stage: kubernetes: Update Operator Permissions
## Progress: 90
#### stage: kubernetes: Log Text
User configured successfully!
## Progress: 100
Took: 00:32 min.
Progress: 100/100
################### Finished execution for 'Kubernetes Setup', status: completed
Kubernetes Setup finished!
Install KubeClarity using Helm
On the headnode, switch to the secops user, load the Kubernetes environment module (which provides kubectl and helm), and install the chart. Review values.yaml before running helm install and change any default credentials or storage settings that are not appropriate for your site.
# su - secops
$ module load kubernetes
$ helm repo add kubeclarity https://openclarity.github.io/kubeclarity
$ helm show values kubeclarity/kubeclarity > values.yaml
$ helm install --values values.yaml --create-namespace kubeclarity kubeclarity/kubeclarity -n kubeclarity
NAME: kubeclarity
LAST DEPLOYED: Wed Nov 23 10:51:10 2022
NAMESPACE: kubeclarity
STATUS: deployed
REVISION: 1
TEST SUITE: None
NOTES:
Thank you for installing KUBECLARITY.

Your release is named kubeclarity.
Allow the pods some time to start. Their state may be checked with:
$ kubectl get pods --namespace kubeclarity
NAME                                                    READY   STATUS    RESTARTS   AGE
kubeclarity-kubeclarity-6864685fd9-gbf68                1/1     Running   0          113s
kubeclarity-kubeclarity-grype-server-6cf5975cd9-62fs8   1/1     Running   0          113s
kubeclarity-kubeclarity-postgresql-0                    1/1     Running   0          113s
kubeclarity-kubeclarity-sbom-db-657c688694-sl5sk        1/1     Running   0          113s
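The check above is a manual one. The following shell functions, added here as an example and not taken from the Bright article or the KubeClarity project, turn it into something a script can wait on: pods_ready reads a kubectl pod listing and fails unless every pod is Running with all of its containers ready, and wait_for_pods polls a namespace with kubectl until that holds or a timeout expires. The pod listings at the bottom are constructed samples, not output captured from a cluster, so the ready check can be exercised without a cluster; wait_for_pods assumes a working kubectl in the environment of the secops user.

```shell
#!/bin/sh
# Added example: wait until every pod in a namespace is Running and fully ready.
# Not part of the Bright KB article or the KubeClarity project.

# pods_ready: read "kubectl get pods --no-headers" lines on stdin.
# Columns: NAME READY STATUS RESTARTS AGE. Exit 0 only if at least one pod is
# listed and every pod is Running with READY equal to n/n. Intended for the
# long-running pods of the KubeClarity release; pods that are meant to finish
# (Completed jobs) would be reported as not ready.
pods_ready() {
    awk '
        NF == 0 || $1 == "NAME" { next }        # skip blank and header lines
        {
            n++
            split($2, r, "/")                    # READY column, e.g. 1/1
            if ($3 != "Running" || r[1] != r[2] || r[2] + 0 == 0) {
                printf "not ready: %s READY=%s STATUS=%s\n", $1, $2, $3 > "/dev/stderr"
                bad++
            }
        }
        END { exit (bad > 0 || n == 0) ? 1 : 0 }
    '
}

# wait_for_pods NAMESPACE [TIMEOUT_SECONDS]: poll kubectl until pods_ready
# succeeds. Assumes kubectl is on PATH and configured for the cluster.
wait_for_pods() {
    ns=$1
    timeout=${2:-300}
    elapsed=0
    while [ "$elapsed" -lt "$timeout" ]; do
        if kubectl get pods --namespace "$ns" --no-headers 2>/dev/null | pods_ready 2>/dev/null; then
            return 0
        fi
        sleep 5
        elapsed=$((elapsed + 5))
    done
    echo "pods in namespace $ns not ready after ${timeout}s" >&2
    return 1
}

# Constructed sample listings (not captured from a real cluster).
SAMPLE_READY='kubeclarity-kubeclarity-6864685fd9-gbf68                1/1   Running   0   113s
kubeclarity-kubeclarity-grype-server-6cf5975cd9-62fs8   1/1   Running   0   113s
kubeclarity-kubeclarity-postgresql-0                    1/1   Running   0   113s
kubeclarity-kubeclarity-sbom-db-657c688694-sl5sk        1/1   Running   0   113s'

SAMPLE_NOT_READY='kubeclarity-kubeclarity-6864685fd9-gbf68                0/1   ContainerCreating   0   5s
kubeclarity-kubeclarity-postgresql-0                    1/1   Running             0   5s'

# Demonstration against the constructed samples; on a real headnode you would
# call: wait_for_pods kubeclarity 300 && kubectl port-forward ...
if printf '%s\n' "$SAMPLE_READY" | pods_ready; then
    echo "constructed sample: all pods ready"
fi
if ! printf '%s\n' "$SAMPLE_NOT_READY" | pods_ready; then
    echo "constructed sample: deployment still starting"
fi
```

Running the two functions from a script before the port-forward step avoids browsing to a dashboard whose backing pods are not yet up; the check deliberately treats an empty listing as a failure, since a namespace with no pods (for example because the release name or namespace was mistyped) is not a success.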
Enable port forwarding to view the dashboard. kubectl port-forward binds only to the loopback interface of the headnode, and the command must be left running for as long as the dashboard is in use:
$ kubectl port-forward --namespace kubeclarity svc/kubeclarity-kubeclarity 9999:8080
Forwarding from 127.0.0.1:9999 -> 8080
Forwarding from [::1]:9999 -> 8080
You may now access the dashboard by browsing http://localhost:9999/ on the headnode.
It is also possible to use ssh port forwarding to view the dashboard from a workstation, with the kubectl port-forward above still running on the headnode. This keeps the dashboard reachable only through the ssh session rather than exposing the Service on the network; the secops account, or any other account able to log in to the headnode, can be used instead of root.
ssh root@headnode -L 9999:localhost:9999
The dashboard is then available at http://localhost:9999/ on the workstation.
The dashboard should appear as below:
From the dashboard, select the runtime scan option, choose the namespace or namespaces to scan, and start the scan. Once it completes, the discovered images with their SBOMs and vulnerability findings are listed in the dashboard.