GitPlanet

Cheap and reliable Node.js hosting starts at $3/month, and $1/month static HTML hosting

Created with love in Canada, visit hostnodejs.com today

Feel like to post an Ad? Learn Details
All Projects → quay → Container Security Operator

quay / Container Security Operator

Licence: apache-2.0
Identify image vulnerabilities in Kubernetes pods

Programming Languages

go
31211 projects - #10 most used programming language

Labels

kubernetescontainersoperatorkubernetes-operator

Projects that are alternatives of or similar to Container Security Operator

grafana-operator
An operator for Grafana that installs and manages Grafana instances, Dashboards and Datasources through Kubernetes/OpenShift CRs
Stars: ✭ 449 (+560.29%)
Mutual labels:  operator, kubernetes-operator
Service Level Operator
Manage application's SLI and SLO's easily with the application lifecycle inside a Kubernetes cluster
Stars: ✭ 260 (+282.35%)
Mutual labels:  operator, kubernetes-operator
chaos-operator
chaos engineering via kubernetes operator
Stars: ✭ 90 (+32.35%)
Mutual labels:  operator, kubernetes-operator
td-redis-operator
一款强大的云原生redis-operator,经过大规模生产级运行考验,支持分布式集群、支持主备切换等缓存集群解决方案…The powerful cloud-native redis-operator, which has passed the test of large-scale production-level operation, supports distributed clusters and active/standby switching ...
Stars: ✭ 327 (+380.88%)
Mutual labels:  operator, kubernetes-operator
Kopf
A Python framework to write Kubernetes operators in just a few lines of code
Stars: ✭ 488 (+617.65%)
Mutual labels:  operator, kubernetes-operator
mysql-operator
Asynchronous MySQL Replication on Kubernetes using Percona Server and Openark's Orchestrator.
Stars: ✭ 810 (+1091.18%)
Mutual labels:  operator, kubernetes-operator
rabbitmq-operator
RabbitMQ Kubernetes operator
Stars: ✭ 16 (-76.47%)
Mutual labels:  operator, kubernetes-operator
microcks-ansible-operator
Kubernetes Operator for easy setup and management of Microcks installs
Stars: ✭ 21 (-69.12%)
Mutual labels:  operator, kubernetes-operator
Metering Operator
The Metering Operator is responsible for collecting metrics and other information about what's happening in a Kubernetes cluster, and providing a way to create reports on the collected data.
Stars: ✭ 320 (+370.59%)
Mutual labels:  operator, kubernetes-operator
Es Operator
Kubernetes Operator for Elasticsearch
Stars: ✭ 282 (+314.71%)
Mutual labels:  operator, kubernetes-operator
varnish-operator
Run and manage Varnish clusters on Kubernetes
Stars: ✭ 47 (-30.88%)
Mutual labels:  operator, kubernetes-operator
Kopf
A Python framework to write Kubernetes operators in just few lines of code.
Stars: ✭ 971 (+1327.94%)
Mutual labels:  operator, kubernetes-operator
sieve
Automatic Reliability Testing for Kubernetes Controllers
Stars: ✭ 183 (+169.12%)
Mutual labels:  operator, kubernetes-operator
oracle-database-operator
The Oracle Database Operator for Kubernetes (a.k.a. OraOperator) helps developers, DBAs, DevOps and GitOps teams reduce the time and complexity of deploying and managing Oracle Databases. It eliminates the dependency on a human operator or administrator for the majority of database operations.
Stars: ✭ 74 (+8.82%)
Mutual labels:  operator, kubernetes-operator
cmak-operator
CMAK (prev. Kafka Manager) for Kubernetes
Stars: ✭ 45 (-33.82%)
Mutual labels:  operator, kubernetes-operator
siddhi-operator
Operator allows you to run stream processing logic directly on a Kubernetes cluster
Stars: ✭ 16 (-76.47%)
Mutual labels:  operator, kubernetes-operator
pulp-operator
Kubernetes Operator for Pulp 3. Under active development.
Stars: ✭ 32 (-52.94%)
Mutual labels:  operator, kubernetes-operator
kubegres
Kubegres is a Kubernetes operator allowing to deploy one or many clusters of PostgreSql instances and manage databases replication, failover and backup.
Stars: ✭ 1,107 (+1527.94%)
Mutual labels:  operator, kubernetes-operator
Capsule
Kubernetes Operator for multi-tenancy
Stars: ✭ 261 (+283.82%)
Mutual labels:  operator, kubernetes-operator
Kudo
Kubernetes Universal Declarative Operator (KUDO)
Stars: ✭ 849 (+1148.53%)
Mutual labels:  operator, kubernetes-operator
View All Similar Projects ➔

Container Security Operator

The Container Security Operator (CSO) brings Quay and Clair metadata to Kubernetes / OpenShift. Starting with vulnerability information the scope will get expanded over time. If it runs on OpenShift, the corresponding vulnerability information inside the OCP Console. The Container Security Operator enables cluster administrators to monitor known container image vulnerabilites in pods running on their Kubernetes cluster. The controller sets up a watch on pods in the specified namespace(s) and queries the container registry for vulnerability information. If the container registry supports image scanning, such as Quay with Clair, then the Operator will expose any vulnerabilities found via the Kubernetes API in an ImageManifestVuln object. This Operator requires no additional configuration after deployment, and will begin watching pods and populating ImageManifestVulns immediately once installed.

ImageManifestVuln

The security information of scanned images are stored in ImageManifestVulns on an image manifest basis, and are named by the image's manifest digest.

Spec

The spec provides information about the features and its associated vulnarabilities. The spec should be immutable relative to the cluster. When a new vulnerability is added to a feature, the operator will update the spec after the resync threshold.

Status

The status provides information about the affected Pods/Containers. As pod are added or removed from the cluster, their references are added to the affectedPods field of the status block. The status also provide various statistics about the manifest. e.g lastUpdate, highestSeverity, ...

Label Selectors

TODO

Example config

securitylabeller:
  prometheusAddr: "0.0.0.0:8081"
  interval: 15m
  wellknownEndpoint: ".well-known/app-capabilities"
  labelPrefix: secscan
  namespaces:
    - default
    - dev

The same options can be configured from the command line:

./container-security-operator -promAddr ":8081" -resyncInterval "15m" -wellknownEndpoint ".well-known/app-capabilities" -labelPrefix "secscan" -namespace default -namespace test

Deployment

This Operator should be deployed using the Operator Lifecycle Manager (OLM), which takes care of RBAC permissions, dependency resolution, and automatic upgrades.

Kubernetes

This Operator is published upstream on operatorhub.io.

OpenShift

This Operator will be available via OperatorHub.

Development Environment

Running the labeller locally requires a valid kubeconfig. If the kubeconfig flag is omitted, an in-cluster config is assumed.

Install the ImageManifestVuln CRD

make installcrds

Running locally (using ~/.kube/config and example-config.yaml):

make run

To regenerate the CRD code:

# deepcopy
make deepcopy
# openapi
make openapi
# clientset
make clientset
# listers
make listers
# informers
make informers
# generate all
codegen
# generate all in a container
codegen-container

Deploying using OLM

Follow these steps to package and deploy the Operator from local source code using OLM:

  1. Make any code changes to the source code
  2. Build and push Operator container image
$ docker build -t quay.io/<your-namespace>/container-security-operator .
$ docker push quay.io/<your-namespace>/container-security-operator
  1. Change image field in container-security-operator.v1.0.0.clusterserviceversion.yaml to point to your image
  2. Build and push CatalogSource container image
$ cd deploy/
$ docker build -t quay.io/<your-namespace>/cso-catalog .
$ docker push quay.io/<your-namespace>/cso-catalog
  1. Change image field in cso.catalogsource.yaml to point to your image
  2. Create CatalogSource in Kubernetes cluster w/ OLM installed
# Upstream Kubernetes
$ kubectl create -n olm -f deploy/cso.catalogsource.yaml
# OpenShift
$ kubectl create -n openshift-marketplace -f deploy/cso.catalogsource.yaml
  1. After a few seconds, your Operator package should be available to create a Subscription to.
$ kubectl get packagemanifest container-security-operator

Examples

Using kubectl

Get a list of all the pods affected by vulnerable images detected by the Operator:

$ kubectl get imagemanifestvuln --all-namespaces -o json | jq '.items[].status.affectedPods' | jq 'keys' | jq 'unique'

Get a list of all detected CVEs in pods running on the cluster:

$ kubectl get imagemanifestvuln --all-namespaces -o json | jq '[.items[].spec.features[].vulnerabilities[].name'] | jq 'unique'

Check if a pod has any vulnerability, and list the CVEs, if any:

$ kubectl get imagemanifestvulns.secscan.quay.redhat.com --selector=<namespace>/<pod-name> -o jsonpath='{.items[*].spec.features[*].vulnerabilities[*].name}'
Note that the project description data, including the texts, logos, images, and/or trademarks, for each open source project belongs to its rightful owner. If you wish to add or remove any projects, please contact us at [email protected].