The container vulnerability exporter collects an image inventory from an OpenShift cluster and reports on detected vulnerabilities for images hosted and scanned with Quay.io.
Developed and tested with OpenShift >=3.11 (k8s 1.11).
- export KUBECONFIG="$HOME/.kube/config" (or change to any authenticated OpenShift client config path)
- export QUAY_TOKEN="aaabbbzzz" (set to your Quay API token)
- make build
- make test
- make run
Once running, point a Prometheus scraper at localhost:8080 (the default) or curl http://localhost:8080.
To enable very verbose debug logging:
- make run LOG_LEVEL=DEBUG
'image': 'quay.io/pusher/oauth2_proxy:v4.0.0-amd64' 'imageID': 'docker-pullable://quay.io/pusher/oauth2_proxy@sha256:44cb81d3b2253f79a0d3e81f6a9a5dccda4ba4f992b833522f4c5ebeb5e02e71'
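The imageID above is what the exporter has to turn into a Quay lookup: the digest-pinned reference from the pod, not the tag in the image field. As an added example (not this project's code), the following parses that form, builds the Quay manifest security URL, and folds a Quay security response into Prometheus exposition lines; the endpoint path and the Features/Vulnerabilities response layout assume Quay's documented security API, the sample report is constructed, and the metric name is a placeholder.

```python
import re
from collections import Counter

# Matches the digest-pinned imageID a pod reports, with or without the
# docker-pullable:// prefix, e.g. docker-pullable://quay.io/org/repo@sha256:<64 hex>
IMAGE_ID_RE = re.compile(
    r"^(?:docker-pullable://)?(?P<registry>[^/]+)/(?P<repo>[^@]+)@(?P<digest>sha256:[0-9a-f]{64})$"
)

def parse_image_id(image_id):
    """Split a pod imageID into (registry, repository, digest); None if not digest-pinned."""
    m = IMAGE_ID_RE.match(image_id)
    return (m.group("registry"), m.group("repo"), m.group("digest")) if m else None

def quay_security_url(image_id, quay_host="quay.io"):
    """Build the Quay manifest security endpoint for an image hosted on quay_host.
    Path assumed from Quay's API docs; images on any other registry yield None."""
    parsed = parse_image_id(image_id)
    if parsed is None or parsed[0] != quay_host:
        return None
    registry, repo, digest = parsed
    return f"https://{registry}/api/v1/repository/{repo}/manifest/{digest}/security?vulnerabilities=true"

def count_by_severity(security_report):
    """Count vulnerabilities per severity in a Quay security response.
    Assumes the data.Layer.Features[].Vulnerabilities[].Severity layout; unscanned -> {}."""
    if security_report.get("status") != "scanned":
        return {}
    counts = Counter()
    for feature in security_report.get("data", {}).get("Layer", {}).get("Features", []):
        for vuln in feature.get("Vulnerabilities", []):
            counts[vuln.get("Severity", "Unknown")] += 1
    return dict(counts)

def prometheus_lines(image, counts):
    """Render severity counts as Prometheus exposition lines (placeholder metric name)."""
    return [f'quay_image_vulnerabilities{{image="{image}",severity="{sev}"}} {n}'
            for sev, n in sorted(counts.items())]

# Constructed sample shaped like a Quay security response: two features, three findings.
SAMPLE_REPORT = {
    "status": "scanned",
    "data": {"Layer": {"Features": [
        {"Name": "openssl", "Vulnerabilities": [
            {"Name": "EXAMPLE-1", "Severity": "High"},
            {"Name": "EXAMPLE-2", "Severity": "Medium"}]},
        {"Name": "zlib", "Vulnerabilities": [{"Name": "EXAMPLE-3", "Severity": "High"}]},
    ]}},
}
```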
The pod expects the following secrets:
- QUAY_TOKEN: Quay API token
- KUBECONFIG: base64-encoded k8s config file; see kubeconfig.EXAMPLE for non-base64-encoded boilerplate
You can turn a k8s config file into a secret (see https://kubernetes.io/docs/reference/kubectl/cheatsheet/ for more info) by:
- kubectl config view --flatten | base64 -w0 | tee k8s-secret.yaml
A future version of this code will provide support for multiple contexts as a parameter.
To create the relevant OpenShift objects (note: the dummysecrets values in this repo are not valid):
- oc process -f openshift/dummysecrets.yaml | oc create -f -
- oc process -f openshift/cvexporter.yaml | oc create -f -