Lab 4: Image Scanning
Deploy Clair
In this chapter we will deploy the Clair image scanner and scan an example image.
Clair is an open source project for the static analysis of vulnerabilities in application containers (currently including appc and docker).
- In regular intervals, Clair ingests vulnerability metadata from a configured set of sources and stores it in the database.
- Clients use the Clair API to index their container images; this creates a list of features present in the image and stores them in the database.
- Clients use the Clair API to query the database for vulnerabilities of a particular image; correlating vulnerabilities and features is done for each request, avoiding the need to rescan images.
- When updates to vulnerability metadata occur, a notification can be sent to alert systems that a change has occurred.
To make things easier we will use the Klar command line tool to interact with the Clair engine.
Install the Klar command line tool
#Linux
wget https://github.com/optiopay/klar/releases/download/v2.4.0/klar-2.4.0-linux-amd64
sudo chmod +x klar-2.4.0-linux-amd64
sudo mv klar-2.4.0-linux-amd64 /usr/local/bin/klar
#Mac
wget https://github.com/optiopay/klar/releases/download/v2.4.0/klar-2.4.0-osx-amd64
sudo chmod +x klar-2.4.0-osx-amd64
sudo mv klar-2.4.0-osx-amd64 /usr/local/bin/klar
Deploy Clair into the Kubernetes Cluster
-
Go to the directory with the clair resources
cd ~/training/clair``
-
Create the Secret that holds the Clair configuration
kubectl create secret generic clairsecret --from-file=./config.yaml > from-file=./config.yaml > secret/clairsecret created``
-
Deploy Clair
kubectl create -f clair-kubernetes.yaml > service/clairsvc created > replicationcontroller/clair created > replicationcontroller/clair-postgres created > service/postgres created``
-
Wait for Clair to be running (Ready is 1/1)
kubectl get pods > NAME READY STATUS RESTARTS AGE > clair-jcb6r 1/1 Running 0 17s > clair-postgres-2rbgj 1/1 Running 0 17s``
Use Klar to scan an Image
Klar is a simple tool to analyze images stored in a private or public Docker registry for security vulnerabilities using Clair. Klar is designed to be used integrated in other CI/CD tools. It’s a single binary which requires no dependencies.
Klar returns:
- 0 if the number of detected high severity vulnerabilities in an image is less than or equal to a threshold
- 1 if there were more.
- 2 if an error has prevented the image from being scanned
-
Get the Cluster IP (MY-CLUSTER-IP)
Use the adequate method for this:
Minikube in the training VM
minikube ip`` or
IBM Cloud Kubernetes Service
ibmcloud ks worker ls --cluster <MY-CLUSTER-NAME>``
-
Execute the following command
CLAIR_ADDR=<MY-CLUSTER-IP>:30060 FORMAT_OUTPUT=table CLAIR_OUTPUT=High klar niklaushirt/k8sdemo:1.0.1 > clair timeout 1m0s > docker timeout: 1m0s > no whitelist file > Analysing 14 layers > Got results from Clair API v1 > Found 597 vulnerabilities > Unknown: 176 > Negligible: 284 > Low: 135 > Medium: 2``
We define several things here:
CLAIR_ADDR: the address of the Clair serverFORMAT_OUTPUT: the format for the output (table in this example)CLAIR_OUTPUT: output only vulnerabilities above or equal
The output shows that there are no HIGH severity vulerabilities.
Initialization of Clair takes some time! If the output shows a completely different count than in this example you have to wait for Clair to ingest all security rules first.
-
Now let’s execute it again with a lower OUTPUT (Medium)
CLAIR_ADDR=<MY-CLUSTER-IP>:30060 FORMAT_OUTPUT=table CLAIR_OUTPUT=Medium klar niklaushirt/k8sdemo:1.0.1 > clair timeout 1m0s > docker timeout: 1m0s > no whitelist file > Analysing 14 layers > Got results from Clair API v1 > Found 597 vulnerabilities > Unknown: 176 > Negligible: 284 > Low: 135 > Medium: 2 > +----------+---------------+-------------+----------------+---------+-------------------------------- > +-----------------------------------------------------------+ > | SEVERITY | NAME | FEATURENAME | FEATUREVERSION | FIXEDBY | DESCRIPTION | LINK > | > +----------+---------------+-------------+----------------+---------+-------------------------------- > +-----------------------------------------------------------+ > | Medium | CVE-2009-3546 | libwmf | 0.2.8.4-10.6 | | The _gdGetColors function | https://security-tracker.debian.org/tracker/CVE-2009-3546 | > | | | | | | in gd_gd.c in PHP 5.2.11 and | > | > | | | | | | 5.3.x before 5.3.1, and the | > | > | | | | | | GD Graphics Library 2.x, does | > | ... > | | | | | | from third party information. | > | > +----------+---------------+-------------+----------------+---------+-------------------------------- > +-----------------------------------------------------------+ > | Medium | CVE-2007-3996 | libwmf | 0.2.8.4-10.6 | | Multiple integer overflows | https://security-tracker.debian.org/tracker/CVE-2007-3996 | > | | | | | | in libgd in PHP before 5.2.4 | > | > | | | | | | allow remote attackers to | > | ... > | | | | | | function. | > | > +----------+---------------+-------------+----------------+---------+-------------------------------- > +-----------------------------------------------------------+``
The output shows the detail for the two vulnerabilities with Medum severity.
You can also output the result to JSON Format to be reused in a CI/CD tool.
Congratulations!!!
This concludes Lab 4 on Image Scanning.