介绍
KubeClarity是一个用于检测和管理容器镜像和文件系统的软件清单(SBOM)和漏洞的工具。它扫描运行时的K8s集群和CI/CD流水线,以增强软件供应链安全性。
安装
添加 helm 仓库
bash
helm repo add kubeclarity https://openclarity.github.io/kubeclarity部署
bash
helm install --create-namespace kubeclarity kubeclarity/kubeclarity -n kubeclarity配置
kubeclarity 有一个配置文件,配置文件中记录了对整个 Kubernetes 集群扫描时所需要的 Job,内容如下:
yaml
apiVersion: batch/v1
kind: Job
metadata:
namespace: ""
labels:
app: kubeclarity-scanner
sidecar.istio.io/inject: "false"
spec:
backoffLimit: 0
ttlSecondsAfterFinished: 300
template:
metadata:
labels:
app: kubeclarity-scanner
sidecar.istio.io/inject: "false"
spec:
nodeSelector:
kubernetes.io/arch: amd64
kubernetes.io/os: linux
restartPolicy: Never
volumes:
- name: tmp-volume
emptyDir: {}
securityContext:
fsGroup: 1001
containers:
- name: vulnerability-scanner
image: 'ghcr.io/openclarity/kubeclarity-runtime-k8s-scanner:latest'
imagePullPolicy: Always
volumeMounts:
- mountPath: /tmp
name: tmp-volume
args:
- scan
- --log-level
- warning
env:
- name: RESULT_SERVICE_ADDR
value: kubeclarity-kubeclarity.kubeclarity:8888
- name: SBOM_DB_ADDR
value: kubeclarity-kubeclarity-sbom-db.kubeclarity:8080
- name: ANALYZER_LIST
value: syft gomod
- name: ANALYZER_SCOPE
value: squashed
- name: SCANNERS_LIST
value: grype
- name: SCANNER_GRYPE_MODE
value: REMOTE
- name: REGISTRY_SKIP_VERIFY_TLS
value: false
- name: REGISTRY_USE_HTTP
value: false
- name: SCANNER_REMOTE_GRYPE_SERVER_ADDRESS
value: kubeclarity-kubeclarity-grype-server.kubeclarity:9991
- name: SCANNER_REMOTE_GRYPE_SERVER_TIMEOUT
value: 2m
securityContext:
capabilities:
drop:
- ALL
runAsNonRoot: true
runAsGroup: 1001
runAsUser: 1001
privileged: false
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
resources:
limits:
cpu: 1000m
memory: 1000Mi
requests:
cpu: 50m
memory: 50Mi
- name: cis-docker-benchmark-scanner
image: 'ghcr.io/openclarity/kubeclarity-cis-docker-benchmark-scanner:latest'
imagePullPolicy: Always
args:
- scan
- --log-level
- warning
env:
- name: RESULT_SERVICE_ADDR
value: kubeclarity-kubeclarity.kubeclarity:8888
- name: TIMEOUT
value: 2m
- name: REGISTRY_SKIP_VERIFY_TLS
value: false
- name: REGISTRY_USE_HTTP
value: false
securityContext:
capabilities:
drop:
- ALL
runAsNonRoot: true
runAsGroup: 1001
runAsUser: 1001
privileged: false
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
resources:
limits:
cpu: 1000m
memory: 1000Mi
requests:
cpu: 50m
memory: 50Mi使用
kubeclarity 的界面主要分为 Dashboard、Applications、Applications Resources、Package、Vulnerability 和 Scan 界面,用户唯一能操作的地方就是在 Scan 界面中点击扫描或者配置定时扫描任务。下面就为各个板块的截图:
