container-security-operator's Introduction

Project Quay

โš ๏ธ The master branch may be in an unstable or even broken state during development. Please use releases instead of the master branch in order to get stable software.

Project Quay builds, stores, and distributes your container images.

High-level features include:

Getting Started

  • Explore a live instance of Project Quay hosted at Quay.io
  • Watch talks given about Project Quay
  • Review the documentation for Red Hat Quay
  • Get up and running with our getting started guide for developing or deploying Quay
  • Deploy on Kubernetes using the Quay Operator

Community

License

Project Quay is under the Apache 2.0 license. See the LICENSE file for details.

container-security-operator's People

Contributors

alecmerdler, arborite-rh, bcaton85, dependabot[bot], dmage, fduthilleul, hammermeetnail, jcho02, jjmengze, jonathankingfc, kleesc, ksdeekshith, ribbybibby, ricardomaraschini, rishikakedia

container-security-operator's Issues

Failed to sync layer data ... 401 Unauthorized

Now that the operator is able to talk to an on-prem Quay (see issues #30 and #28), I am running into issues authenticating with the registry. I have a pod that uses a secret; this secret is part of the pod manifest. However, in the CSO pod logs I see the following:

level=info msg="Requeued item" key=default/ssltunnel
level=debug msg="Pod updated" key=default/ssltunnel
level=info msg="Garbage collecting unreferenced ImageManifestVulns" key=default/ssltunnel
level=error msg="Failed to sync layer data" key=default/ssltunnel err="Request returned non-200 response: 401 Unauthorized"
level=info msg="Garbage collecting unreferenced ImageManifestVulns" key=default/ssltunnel
level=error msg="Failed to sync layer data" key=default/ssltunnel err="Request returned non-200 response: 401 Unauthorized"

For testing purposes, I have configured CSO to only analyze the default namespace. A CSO pod exists in the default namespace. The messages above come from that pod. Below you will see my pod YAML. In Quay I created a robot account with write permission to the repository I am pulling from. I created a secret in OS and I am using that secret as part of my pod manifest. Is there a different way that I need to define my secret and set it in my OS cluster/pod YAML combination?

apiVersion: v1
kind: Pod
metadata:
  name: example
  labels:
    app: hello-openshift
  namespace: default
spec:
  containers:
    - name: hello-openshift
      image: openshift/hello-openshift
      ports:
        - containerPort: 8080
  imagePullSecrets:
    - name: aetomala-aetomalarobot-pull-secret
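One thing worth checking for a 401 like the one above is whether the pull secret named in imagePullSecrets actually carries a credential for the host the image is pulled from: a kubernetes.io/dockerconfigjson payload is keyed by registry host, and a credential stored under a different key (for example "quay.io" when the image comes from an on-prem host) is simply never selected. The following Go program is an added example written for this page, not code from the container-security-operator project; CSO's own credential selection logic is not shown on this page, so the lookup rule implemented here is the ordinary docker-config one (exact host match after stripping a scheme, with a bare first path segment meaning docker.io). The secret payload and robot name are constructed sample data.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// dockerConfigJSON mirrors the payload layout of a kubernetes.io/dockerconfigjson
// secret: {"auths": {"<registry host>": {"auth": "<base64 user:password>"}}}.
type dockerConfigJSON struct {
	Auths map[string]struct {
		Auth     string `json:"auth"`
		Username string `json:"username"`
		Password string `json:"password"`
	} `json:"auths"`
}

// Credential is the username/password pair recovered for one registry host.
type Credential struct {
	Username string
	Password string
}

// samplePullSecret is a constructed payload (not taken from the issue): the
// robot account "aetomala+robot" with password "secret" stored under quay.io.
const samplePullSecret = `{"auths":{"quay.io":{"auth":"YWV0b21hbGErcm9ib3Q6c2VjcmV0"}}}`

// normalizeHost strips a scheme and any trailing path so that keys such as
// "https://quay.io/v1/" and "quay.io" compare equal, as docker-style lookups do.
func normalizeHost(h string) string {
	h = strings.TrimPrefix(h, "https://")
	h = strings.TrimPrefix(h, "http://")
	if i := strings.IndexByte(h, '/'); i >= 0 {
		h = h[:i]
	}
	return strings.ToLower(h)
}

// registryHost returns the registry host (with port, if any) of an image
// reference. A first segment without "." or ":" that is not "localhost" is a
// Docker Hub namespace, so the host is docker.io.
func registryHost(imageRef string) string {
	first, _, ok := strings.Cut(imageRef, "/")
	if !ok || (!strings.ContainsAny(first, ".:") && first != "localhost") {
		return "docker.io"
	}
	return strings.ToLower(first)
}

// CredentialFor decodes the secret payload and returns the credential a
// docker-config lookup would select for the image's registry host. When no
// key matches, the error lists the hosts the secret does cover, which is
// usually the whole explanation for a 401 from the registry.
func CredentialFor(secretPayload []byte, imageRef string) (Credential, error) {
	var cfg dockerConfigJSON
	if err := json.Unmarshal(secretPayload, &cfg); err != nil {
		return Credential{}, fmt.Errorf("invalid .dockerconfigjson: %w", err)
	}
	want := registryHost(imageRef)
	keys := make([]string, 0, len(cfg.Auths))
	for k := range cfg.Auths {
		keys = append(keys, k)
	}
	sort.Strings(keys) // deterministic order for the error message below
	for _, key := range keys {
		if normalizeHost(key) != want {
			continue
		}
		entry := cfg.Auths[key]
		if entry.Username != "" || entry.Password != "" {
			return Credential{entry.Username, entry.Password}, nil
		}
		raw, err := base64.StdEncoding.DecodeString(entry.Auth)
		if err != nil {
			return Credential{}, fmt.Errorf("auth for %q is not base64: %w", key, err)
		}
		user, pass, ok := strings.Cut(string(raw), ":")
		if !ok {
			return Credential{}, fmt.Errorf("auth for %q is not user:password", key)
		}
		return Credential{user, pass}, nil
	}
	return Credential{}, fmt.Errorf("no credential for host %q; secret only covers %v", want, keys)
}

func main() {
	for _, ref := range []string{"quay.io/aetomala/app:1.0", "quay.example.com/aetomala/app:1.0"} {
		c, err := CredentialFor([]byte(samplePullSecret), ref)
		if err != nil {
			fmt.Println(ref, "->", err)
			continue
		}
		fmt.Println(ref, "-> user", c.Username)
	}
}
```

Run it against the real payload with `oc get secret <name> -o jsonpath='{.data.\.dockerconfigjson}' | base64 -d` piped into a file; if the host reported in the error is not the host in the pod's image reference, the 401 is a secret-keying problem rather than a permissions problem on the robot account.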

CSO to trust self signed certificate for private quay registry

Hi,
I have installed CSO and added an image from my private quay registry.

It looks like CSO can't connect to the private Quay registry, since I see this error in the operator logs:

level=error msg="Failed to sync layer data" key=quay/quay-clair-test-2-5ggnj err="Get https://quay.apps.mydomain.com/.well-known/app-capabilities: x509: certificate signed by unknown authority"

Is there a way to set an "insecure" option or to add additional CA certs to CSO?

Why does it show everything green even when it is not able to get any scan results at all?

Hi

Situation:
Yesterday I discovered I have an image inside my on-prem Quay with a high vulnerability (what a pain to get an overview over all organizations and all repos with Quay) and my cluster showed me all green! On investigating, I found out the container-security-operator was never able to talk with my Quay:

"x509: certificate signed by unknown authority"

On fixing this I'm stuck with "Request returned non-200 response: 401 UNAUTHORIZED"
and still everything green.

This is misleading, as green means everything is OK, which is a completely different answer than "I don't know", which is what I have with a broken setup.

The expected behavior if the container-security-operator is not able to get information should NOT be "all green"!

Issues when starting cso-catalog

Hi,

I followed the repository instructions for setting up quay-operator on OpenShift. I have problems when starting cso-catalog from the bundle folder. The operator description gives the following error: "no command specific". Looking through the Dockerfile there:
https://github.com/quay/container-security-operator/blob/rb/fix-permissions/bundle/Dockerfile I noticed that it's missing an entrypoint entirely.

Does anyone have a fix for this?

It would seem that the repository's code is not quite up to date? The file names in the repo README and the actual files are also different.

Installation via Operatorhub.io: requirements not met (apiextensions.k8s.io/v1beta1)

The operator is using "apiextensions.k8s.io/v1beta1", which is deprecated and was removed in k8s v1.22:

api-server resource not found installing CustomResourceDefinition
        imagemanifestvulns.secscan.quay.redhat.com: GroupVersionKind
        apiextensions.k8s.io/v1beta1, Kind=CustomResourceDefinition not found on
        the cluster. This API may have been deprecated and removed, see
        https://kubernetes.io/docs/reference/using-api/deprecation-guide/ for
        more information.

Error parsing ImageID

I've pulled the docker:7 image from Docker Hub, pushed it to quay.io and then ran it on top of OCP 4.4 (pod name: my-app).
According to the Clair report, the image vulnerability level is medium; however, CSO (v3.3.1) does not report anything about it, and no ImageManifestVulnerability CR is created either.

Here are the CSO logs:

level=debug msg="Pod added" key=foobar/my-app
E1217 17:54:19.403837       1 labeller.go:191] foobar/my-app failed with : &{%!w(string=Pod phase not running: Pending)}
level=info msg="Requeued item" key=foobar/my-app
E1217 17:54:19.409121       1 labeller.go:191] foobar/my-app failed with : &{%!w(string=Pod phase not running: Pending)}
level=info msg="Requeued item" key=foobar/my-app
level=debug msg="Pod updated" key=foobar/my-app
E1217 17:54:19.416671       1 labeller.go:191] foobar/my-app failed with : &{%!w(string=Pod phase not running: Pending)}
level=info msg="Requeued item" key=foobar/my-app
E1217 17:54:19.419281       1 labeller.go:191] foobar/my-app failed with : &{%!w(string=Pod phase not running: Pending)}
level=info msg="Requeued item" key=foobar/my-app
level=debug msg="Pod updated" key=foobar/my-app
E1217 17:54:19.442351       1 labeller.go:191] foobar/my-app failed with : &{%!w(string=Pod phase not running: Pending)}
level=info msg="Requeued item" key=foobar/my-app
E1217 17:54:19.459549       1 labeller.go:191] foobar/my-app failed with : &{%!w(string=Pod phase not running: Pending)}
level=info msg="Requeued item" key=foobar/my-app
E1217 17:54:19.619865       1 labeller.go:191] foobar/my-app failed with : &{%!w(string=Pod phase not running: Pending)}
level=info msg="Requeued item" key=foobar/my-app
E1217 17:54:19.940132       1 labeller.go:191] foobar/my-app failed with : &{%!w(string=Pod phase not running: Pending)}
level=info msg="Requeued item" key=foobar/my-app
E1217 17:54:20.580408       1 labeller.go:191] foobar/my-app failed with : &{%!w(string=Pod phase not running: Pending)}
level=info msg="Requeued item" key=foobar/my-app
E1217 17:54:21.860687       1 labeller.go:191] foobar/my-app failed with : &{%!w(string=Pod phase not running: Pending)}
level=info msg="Requeued item" key=foobar/my-app
level=debug msg="Pod updated" key=foobar/my-app
E1217 17:54:22.006919       1 labeller.go:191] foobar/my-app failed with : &{%!w(string=Pod phase not running: Pending)}
level=info msg="Requeued item" key=foobar/my-app
level=debug msg="Pod updated" key=foobar/my-app
level=info msg="Garbage collecting unreferenced ImageManifestVulns" key=foobar/my-app
time="2020-12-17T17:54:23Z" level=error msg="Invalid imageID format" digest="sha256:cf6386817001e153e30823a97d203bbe2cbbdd6bac9d15437e6f1aa89dc5c1f6" host="image-registry.openshift-image-registry.svc:5000" namespace=foobar repository=my-app validDigest=true validHost=false validNamespace=true validRepository=true
level=error msg="Error parsing imageID" imageID=image-registry.openshift-image-registry.svc:5000/foobar/my-app@sha256:cf6386817001e153e30823a97d203bbe2cbbdd6bac9d15437e6f1aa89dc5c1f6
level=info msg="Garbage collecting unreferenced ImageManifestVulns" key=foobar/my-app
time="2020-12-17T17:54:24Z" level=error msg="Invalid imageID format" digest="sha256:cf6386817001e153e30823a97d203bbe2cbbdd6bac9d15437e6f1aa89dc5c1f6" host="image-registry.openshift-image-registry.svc:5000" namespace=foobar repository=my-app validDigest=true validHost=false validNamespace=true validRepository=true
level=error msg="Error parsing imageID" imageID=image-registry.openshift-image-registry.svc:5000/foobar/my-app@sha256:cf6386817001e153e30823a97d203bbe2cbbdd6bac9d15437e6f1aa89dc5c1f6

Any help ?
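The log above is useful because it reports the validity of each component separately: validDigest, validNamespace and validRepository are true and only validHost is false, for a host of image-registry.openshift-image-registry.svc:5000. The following Go program is an added example written for this page, not the operator's own parser, and its host rule is not CSO's (which the page does not show): it validates each component against the host, path and digest grammar of the OCI distribution reference format, under which a dotted hostname with a port is valid. Running it on the imageID from the log therefore shows that the reference itself is well formed and that the rejection comes from a stricter host check in the operator. The reference string is copied from the log; the other inputs are constructed.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// ImageID is a fully qualified digest reference of the form
// host[:port]/namespace/repository@sha256:<64 hex>, which is the shape of
// status.containerStatuses[].imageID on an OpenShift pod.
type ImageID struct {
	Host       string
	Namespace  string
	Repository string
	Digest     string
}

// sampleImageID is the reference rejected in the CSO log above.
const sampleImageID = "image-registry.openshift-image-registry.svc:5000/foobar/my-app@sha256:cf6386817001e153e30823a97d203bbe2cbbdd6bac9d15437e6f1aa89dc5c1f6"

var (
	// hostRe follows the distribution reference grammar for a registry host:
	// dotted domain components that start and end with an alphanumeric,
	// plus an optional ":port". An internal service name with a port is valid.
	hostRe = regexp.MustCompile(`^(?:[A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9-]*[A-Za-z0-9])(?:\.(?:[A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9-]*[A-Za-z0-9]))*(?::[0-9]+)?$`)
	// pathRe is one lowercase path component: alphanumerics joined by ".", "_", "__" or dashes.
	pathRe = regexp.MustCompile(`^[a-z0-9]+(?:(?:[._]|__|-+)[a-z0-9]+)*$`)
	// digestRe accepts only sha256 digests with exactly 64 lowercase hex characters.
	digestRe = regexp.MustCompile(`^sha256:[a-f0-9]{64}$`)
)

// ParseImageID splits the reference and validates every component, reporting
// all failing components together, the way the log line reports its valid*
// fields, rather than stopping at the first failure.
func ParseImageID(ref string) (ImageID, error) {
	name, digest, ok := strings.Cut(ref, "@")
	if !ok {
		return ImageID{}, fmt.Errorf("%q has no @digest suffix", ref)
	}
	parts := strings.Split(name, "/")
	if len(parts) != 3 {
		return ImageID{}, fmt.Errorf("%q: want host/namespace/repository, got %d path components", name, len(parts))
	}
	id := ImageID{Host: parts[0], Namespace: parts[1], Repository: parts[2], Digest: digest}
	var bad []string
	if !hostRe.MatchString(id.Host) {
		bad = append(bad, "host")
	}
	if !pathRe.MatchString(id.Namespace) {
		bad = append(bad, "namespace")
	}
	if !pathRe.MatchString(id.Repository) {
		bad = append(bad, "repository")
	}
	if !digestRe.MatchString(id.Digest) {
		bad = append(bad, "digest")
	}
	if len(bad) > 0 {
		return id, fmt.Errorf("invalid imageID %q: bad %s", ref, strings.Join(bad, ", "))
	}
	return id, nil
}

func main() {
	for _, ref := range []string{
		sampleImageID,
		"quay.io/Foobar/my-app@sha256:cf6386817001e153e30823a97d203bbe2cbbdd6bac9d15437e6f1aa89dc5c1f6", // constructed: uppercase namespace
	} {
		id, err := ParseImageID(ref)
		if err != nil {
			fmt.Println(err)
			continue
		}
		fmt.Printf("host=%s namespace=%s repository=%s digest=%s\n", id.Host, id.Namespace, id.Repository, id.Digest)
	}
}
```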

Fetch results from AWS ECR

Would it be possible to use AWS ECR as the source for vulnerability data? Internally AWS ECR uses Clair for image scanning but results are only available through AWS API instead of Quay endpoint.

x509: certificate signed by unknown authority with private quay with cert using private PKI

Hi,
I have trouble getting CSO to play with our private Quay 3.5 registry; I get this error in the CSO operator pod:

level=error msg="Failed to sync layer data" key=somepod err="Get https://my-registry.mydomain.com/.well-known/app-capabilities: x509: certificate signed by unknown authority"

If I enter the CSO operator pod, I can see the ca.crt in /extra-certs/, and a curl works fine.

$ oc rsh container-security-operator-864f446cd6-7dlf5
sh-4.4$
sh-4.4$ cd /extra-certs/
sh-4.4$ ls -l
total 0
lrwxrwxrwx. 1 root root 13 Jun 17 08:38 ca.crt -> ..data/ca.crt
sh-4.4$ curl --cacert ca.crt https://my-registry.mydomain.com/.well-known/app-capabilities
{"appName": "io.quay", "capabilities": {"io.quay.view-image": {"url-template": "https://my-registry.mydomain.com/{namespace}/{reponame}:{tag}"}, "io.quay.image-security": {"rest-api-template": "https://my-registry.mydomain.com/api/v1/repository/{namespace}/{reponame}/image/{imageid}/security", "deprecated": true}, "io.quay.manifest-security": {"rest-api-template": "https://my-registry.mydomain.com/api/v1/repository/{namespace}/{reponame}/manifest/{digest}/security"}}}

However, if I do a curl without --cacert it doesn't work, so it looks like the cert doesn't exist in the OS trust bundle; I can't find anything in /etc/pki/ca-trust/source/anchors/ either.

Thanks for any help ...

Use scanning from a different registry

I have installed CSO through the OperatorHub on an OpenShift 4.3 instance. I also have a private Quay 3.2 instance configured to use Clair for scanning. I noticed that this operator only provides scan vulnerabilities on images from the quay.io registry and not my private Quay repository. Is there something I need to do to the operator config or my registry such that CSO reports scan issues from my Quay repo as well?

How to uninstall

Please describe how to uninstall.
CRD?
After unsubscribing the operator, the console still shows "Image Vulnerabilities".

Kubernetes Version requirement

Which Kubernetes version is required to run this operator? We're evaluating the usage of this operator in OpenShift 3.11 to get the ImageManifestVuln CRs.
