Hey there, container security is super important, especially when you're deploying your apps in Kubernetes. Anchore is a cool tool that helps you scan your container images before you launch them, making sure they're safe and sound.
But here's the deal: The official Anchore Helm chart is a bit outdated. So, we'll walk through setting up Anchore for image scanning, but we'll also talk about some awesome alternatives like Anchore Enterprise and Aqua Security.
What You Need:
- Kubernetes Cluster: You'll need a Kubernetes cluster running (Minikube, Docker Desktop, or a cloud cluster like GKE or EKS).
- Helm: Get Helm installed on your computer.
-
kubectl: Make sure you can connect to your cluster with
kubectl.
Step 1: Let's Install Anchore in Kubernetes
- Update your Helm repos:
helm repo add anchore https://charts.anchore.io
helm repo update
- Install Anchore (even though the chart is outdated):
helm install my-anchore anchore/anchore-engine --namespace security-tools --create-namespace
You might see a warning about the chart being deprecated. It's okay for now!
Step 2: CI/CD Integration with Anchore
Now, let's automate image scanning in your CI/CD pipeline. Here's a simple example you can use with Jenkins or GitLab CI:
stages:
- build
- scan
- deploy
image: docker:latest
build:
stage: build
script:
- docker build -t my-app:latest .
- docker push my-app:latest
scan:
stage: scan
script:
- docker run --rm -v /var/run/docker.sock:/var/run/docker.sock anchore/engine-cli:latest anchore-cli image add my-app:latest
- docker run --rm -v /var/run/docker.sock:/var/run/docker.sock anchore/engine-cli:latest anchore-cli image scan my-app:latest
deploy:
stage: deploy
script:
- kubectl apply -f deployment.yaml
Step 3: Setting Up Admission Controllers in Kubernetes
Admission controllers are like bouncers for your Kubernetes cluster. They make sure only safe images get in! Here's how to set up a basic admission controller to block images that don't pass Anchore's security checks:
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
name: anchore-validating-webhook
webhooks:
- name: validate.anchore.io
clientConfig:
service:
name: anchore-engine
namespace: security-tools
caBundle: <YOUR_CA_BUNDLE>
rules:
- operations: ["CREATE", "UPDATE"]
apiGroups: [""]
apiVersions: ["v1"]
resources: ["pods"]
failurePolicy: Fail
admissionReviewVersions: ["v1"]
Step 4: Time to Talk About Alternatives
Since the Anchore Helm chart is outdated, you might want to look at some other options:
- Anchore Enterprise: This is like the supercharged version of Anchore, built for big companies. It has tons of features like fancy policies, detailed reports, and integrations with more CI/CD tools.
- Aqua Security: Aqua Security is a whole cloud-native security platform. It does image scanning, runtime protection, and even network security.
Step 5: Troubleshooting
- Image Scan Fails: If your image fails a scan, check the Anchore policy results. It might be outdated packages or vulnerabilities.
- Admission Controller Blocks: If the admission controller is blocking deployments, look at the webhook logs to see if it's connecting to Anchore correctly.
Wrapping Up
Container security is super important, and Anchore can help you automate it. Even though the open-source Helm chart is a bit old, you can still use it for now. But for bigger projects, think about Anchore Enterprise or Aqua Security. And remember, admission controllers in Kubernetes add an extra layer of protection, making sure only safe images run in your cluster.
Top comments (0)