k8s物料清单工具——KubeClarity

介绍

KubeClarity是一个用于检测和管理容器镜像和文件系统的软件清单（SBOM）和漏洞的工具。它扫描运行时的K8s集群和CI/CD流水线，以增强软件供应链安全性。

安装

添加 helm 仓库

helm repo add kubeclarity https://openclarity.github.io/kubeclarity

部署

helm install --create-namespace kubeclarity kubeclarity/kubeclarity -n kubeclarity

配置

kubeclarity 有一个配置文件，配置文件中记录了对整个 Kubernetes 集群扫描时所需要的 Job，内容如下：

apiVersion: batch/v1
kind: Job
metadata:
  namespace: ""
  labels:
    app: kubeclarity-scanner
    sidecar.istio.io/inject: "false"
spec:
  backoffLimit: 0
  ttlSecondsAfterFinished: 300
  template:
    metadata:
      labels:
        app: kubeclarity-scanner
        sidecar.istio.io/inject: "false"
    spec:
      nodeSelector:
        kubernetes.io/arch: amd64
        kubernetes.io/os: linux
      restartPolicy: Never
      volumes:
      - name: tmp-volume
        emptyDir: {}
      securityContext:
        fsGroup: 1001
      containers:
      - name: vulnerability-scanner
        image: 'ghcr.io/openclarity/kubeclarity-runtime-k8s-scanner:latest'
        imagePullPolicy: Always
        volumeMounts:
          - mountPath: /tmp
            name: tmp-volume
        args:
        - scan
        - --log-level
        - warning
        env:
        - name: RESULT_SERVICE_ADDR
          value: kubeclarity-kubeclarity.kubeclarity:8888
        - name: SBOM_DB_ADDR
          value: kubeclarity-kubeclarity-sbom-db.kubeclarity:8080
        - name: ANALYZER_LIST
          value: syft gomod
        - name: ANALYZER_SCOPE
          value: squashed
        - name: SCANNERS_LIST
          value: grype
        - name: SCANNER_GRYPE_MODE
          value: REMOTE
        - name: REGISTRY_SKIP_VERIFY_TLS
          value: false
        - name: REGISTRY_USE_HTTP
          value: false
        - name: SCANNER_REMOTE_GRYPE_SERVER_ADDRESS
          value: kubeclarity-kubeclarity-grype-server.kubeclarity:9991
        - name: SCANNER_REMOTE_GRYPE_SERVER_TIMEOUT
          value: 2m
        securityContext:
          capabilities:
            drop:
            - ALL
          runAsNonRoot: true
          runAsGroup: 1001
          runAsUser: 1001
          privileged: false
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
        resources:
          limits:
            cpu: 1000m
            memory: 1000Mi
          requests:
            cpu: 50m
            memory: 50Mi
      - name: cis-docker-benchmark-scanner
        image: 'ghcr.io/openclarity/kubeclarity-cis-docker-benchmark-scanner:latest'
        imagePullPolicy: Always
        args:
        - scan
        - --log-level
        - warning
        env:
        - name: RESULT_SERVICE_ADDR
          value: kubeclarity-kubeclarity.kubeclarity:8888
        - name: TIMEOUT
          value: 2m
        - name: REGISTRY_SKIP_VERIFY_TLS
          value: false
        - name: REGISTRY_USE_HTTP
          value: false
        securityContext:
          capabilities:
            drop:
              - ALL
          runAsNonRoot: true
          runAsGroup: 1001
          runAsUser: 1001
          privileged: false
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
        resources:
          limits:
            cpu: 1000m
            memory: 1000Mi
          requests:
            cpu: 50m
            memory: 50Mi

使用

kubeclarity 的界面主要分为 Dashboard、Applications、Applications Resources、Package、Vulnerability 和 Scan 界面，用户唯一能操作的地方就是在 Scan 界面中点击扫描或者配置定时扫描任务。下面就为各个板块的截图：