quay / container-security-operator Goto Github PK

Identify image vulnerabilities in Kubernetes pods

License: Apache License 2.0

Dockerfile 0.78% Makefile 0.71% Go 92.37% Shell 6.14%

containers kubernetes kubernetes-operator operator quay

container-security-operator's Introduction

Project Quay

⚠️ The master branch may be in an unstable or even broken state during development. Please use releases instead of the master branch in order to get stable software.

Project Quay builds, stores, and distributes your container images.

High-level features include:

Docker Registry Protocol v2
Docker Manifest Schema v2.1, v2.2
AppC Image Discovery via on-demand transcoding
Image Squashing via on-demand transcoding
Authentication provided by LDAP, Keystone, OIDC, Google, and GitHub
ACLs, team management, and auditability logs
Geo-replicated storage provided by local filesystems, S3, GCS, Swift, and Ceph
Continuous Integration integrated with GitHub, Bitbucket, GitLab, and git
Security Vulnerability Analysis via Clair
Swagger-compliant HTTP API

Getting Started

Explore a live instance of Project Quay hosted at Quay.io
Watch talks given about Project Quay
Review the documentation for Red Hat Quay
Get up and running with our getting started guide for developing or deploying Quay
Deploy on Kubernetes using the Quay Operator

Community

Mailing List: [email protected]
IRC: #quay on libera.chat
Bug tracking: JBoss JIRA
Security Issues: [email protected]
Community meetings held the first Wednesday of every month 11:00 AM EST: meeting link

License

Project Quay is under the Apache 2.0 license. See the LICENSE file for details.

container-security-operator's People

Contributors

Stargazers

Watchers

container-security-operator's Issues

Failed to sync layer data ... 401 Unauthorized

Now that the operator is able to talk to an on-prem Quay. see issue #30 and #28. I am running into issues authenticating with the registry. I have a pod that uses a secret. this secret is part of the pod manifest; however in the CSO pod logs I see the following:

level=info msg="Requeued item" key=default/ssltunnel
level=debug msg="Pod updated" key=default/ssltunnel
level=info msg="Garbage collecting unreferenced ImageManifestVulns" key=default/ssltunnel
level=error msg="Failed to sync layer data" key=default/ssltunnel err="Request returned non-200 response: 401 Unauthorized"
level=info msg="Garbage collecting unreferenced ImageManifestVulns" key=default/ssltunnel
level=error msg="Failed to sync layer data" key=default/ssltunnel err="Request returned non-200 response: 401 Unauthorized"

For testing purposes, I have configured CSO to only analyze the default namespace. A CSO pod exists in the default namespace. The messages above come from that pod. Below you will see my pod yaml. In quay I created a robot-account with write permission to the repository I am pulling from. I created a secret in OS and I am using that secret as part of my pod manifest. Is there a different way that I need to define my secret and set it in my OS cluster/pod yaml combination?

kind: Pod
metadata:
  name: example
  labels:
    app: hello-openshift
  namespace: default
spec:
  containers:
    - name: hello-openshift
      image: openshift/hello-openshift
      ports:
        - containerPort: 8080
  imagePullSecrets:
    - name: aetomala-aetomalarobot-pull-secret

RFE: support of harbor, ... vulnerability api

would be very awesome to support the vulnerability api of harbor and others aswell, as we have mixed image-registries.

harbor: https://raw.githubusercontent.com/goharbor/harbor/44f477e965e57ba619d494a7122c69a636906666/api/v2.0/swagger.yaml

thanx

CSO to trust self signed certificate for private quay registry

Hi,
I have installed CSO and added an image from my private quay registry.

Look like CSO cant connect to the private quay registry since I see this error in the operator logs:

level=error msg="Failed to sync layer data" key=quay/quay-clair-test-2-5ggnj err="Get https://quay.apps.mydomain.com/.well-known/app-capabilities: x509: certificate signed by unknown authority"

Is there a way to set an "insecure" option or to add additional CA certs to CSO?

why does it show everything green even it is not able to get any scanresults at all?

Situation:
yesterday i discovered i have an image inside my on-prem quay with a high vulnerability (what a pain to get an overview over all organizations and all repos with quay) and my cluster showed me all green! on investigating, i found out the container-security-operator was never able to talk with my quay:

"x509: certificate signed by unknown authority"

on fixing this i'm stuck with "Request returned non-200 response: 401 UNAUTHORIZED"
and still everything green.

this is misleading, as green means everything ok. which is a completely different answer than "i don't know"... which is what i have with a broken setup.

The expected behavior if the container-security-operator is not able to get informations should NOT be "all green"!

Issues when starting cso-catalog

Hi,

Followed repository instructions for setupping quay-operator into OpenShift. Have problems when starting cso-catalog from bundle folder. Operator describtion gives following error "no command specific". Looking thru Dockerfile there:
https://github.com/quay/container-security-operator/blob/rb/fix-permissions/bundle/Dockerfile and noticed that it's missing entrypoint totally.

Anyone have fix for this?

It would seem that the repository's code is not quite up to date? File naming at repo Readme and actual files are different also.

Installation via Operatorhub.io: requirements not met (apiextensions.k8s.io/v1beta1)

Operator is using "apiextensions.k8s.io/v1beta1" which is deprecated, removed from k8s v1.22

api-server resource not found installing CustomResourceDefinition
        imagemanifestvulns.secscan.quay.redhat.com: GroupVersionKind
        apiextensions.k8s.io/v1beta1, Kind=CustomResourceDefinition not found on
        the cluster. This API may have been deprecated and removed, see
        https://kubernetes.io/docs/reference/using-api/deprecation-guide/ for
        more information.

Error parsing ImageID

I've pulled the docker:7 image from dockerhub, push it to quay.io and then ran it ontop of OCP 4.4 (pod name: my-app).
According to Clair report, the image vulnerability level is medium, however CSO (v3.3.1) do not report anything about it and no ImageManifestVulnerability CR created too.

Here is the CSO logs:

level=debug msg="Pod added" key=foobar/my-app
E1217 17:54:19.403837       1 labeller.go:191] foobar/my-app failed with : &{%!w(string=Pod phase not running: Pending)}
level=info msg="Requeued item" key=foobar/my-app
E1217 17:54:19.409121       1 labeller.go:191] foobar/my-app failed with : &{%!w(string=Pod phase not running: Pending)}
level=info msg="Requeued item" key=foobar/my-app
level=debug msg="Pod updated" key=foobar/my-app
E1217 17:54:19.416671       1 labeller.go:191] foobar/my-app failed with : &{%!w(string=Pod phase not running: Pending)}
level=info msg="Requeued item" key=foobar/my-app
E1217 17:54:19.419281       1 labeller.go:191] foobar/my-app failed with : &{%!w(string=Pod phase not running: Pending)}
level=info msg="Requeued item" key=foobar/my-app
level=debug msg="Pod updated" key=foobar/my-app
E1217 17:54:19.442351       1 labeller.go:191] foobar/my-app failed with : &{%!w(string=Pod phase not running: Pending)}
level=info msg="Requeued item" key=foobar/my-app
E1217 17:54:19.459549       1 labeller.go:191] foobar/my-app failed with : &{%!w(string=Pod phase not running: Pending)}
level=info msg="Requeued item" key=foobar/my-app
E1217 17:54:19.619865       1 labeller.go:191] foobar/my-app failed with : &{%!w(string=Pod phase not running: Pending)}
level=info msg="Requeued item" key=foobar/my-app
E1217 17:54:19.940132       1 labeller.go:191] foobar/my-app failed with : &{%!w(string=Pod phase not running: Pending)}
level=info msg="Requeued item" key=foobar/my-app
E1217 17:54:20.580408       1 labeller.go:191] foobar/my-app failed with : &{%!w(string=Pod phase not running: Pending)}
level=info msg="Requeued item" key=foobar/my-app
E1217 17:54:21.860687       1 labeller.go:191] foobar/my-app failed with : &{%!w(string=Pod phase not running: Pending)}
level=info msg="Requeued item" key=foobar/my-app
level=debug msg="Pod updated" key=foobar/my-app
E1217 17:54:22.006919       1 labeller.go:191] foobar/my-app failed with : &{%!w(string=Pod phase not running: Pending)}
level=info msg="Requeued item" key=foobar/my-app
level=debug msg="Pod updated" key=foobar/my-app
level=info msg="Garbage collecting unreferenced ImageManifestVulns" key=foobar/my-app
time="2020-12-17T17:54:23Z" level=error msg="Invalid imageID format" digest="sha256:cf6386817001e153e30823a97d203bbe2cbbdd6bac9d15437e6f1aa89dc5c1f6" host="image-registry.openshift-image-registry.svc:5000" namespace=foobar repository=my-app validDigest=true validHost=false validNamespace=true validRepository=true
level=error msg="Error parsing imageID" imageID=image-registry.openshift-image-registry.svc:5000/foobar/my-app@sha256:cf6386817001e153e30823a97d203bbe2cbbdd6bac9d15437e6f1aa89dc5c1f6
level=info msg="Garbage collecting unreferenced ImageManifestVulns" key=foobar/my-app
time="2020-12-17T17:54:24Z" level=error msg="Invalid imageID format" digest="sha256:cf6386817001e153e30823a97d203bbe2cbbdd6bac9d15437e6f1aa89dc5c1f6" host="image-registry.openshift-image-registry.svc:5000" namespace=foobar repository=my-app validDigest=true validHost=false validNamespace=true validRepository=true
level=error msg="Error parsing imageID" imageID=image-registry.openshift-image-registry.svc:5000/foobar/my-app@sha256:cf6386817001e153e30823a97d203bbe2cbbdd6bac9d15437e6f1aa89dc5c1f6

Any help ?

Fetch results from AWS ECR

Would it be possible to use AWS ECR as the source for vulnerability data? Internally AWS ECR uses Clair for image scanning but results are only available through AWS API instead of Quay endpoint.

x509: certificate signed by unknown authority with private quay with cert using private PKI

Hi,
I have trouble getting CSO to play with our private Quay 3.5 registry, I get this error in the cso operator pod:

level=error msg="Failed to sync layer data" key=somepod err="Get https://my-registry.mydomain.com/.well-known/app-capabilities: x509: certificate signed by unknown authority"

If I enter the cso operator pod I can see the ca.crt in /extra-certs/ and a curl works fine.

$ oc rsh container-security-operator-864f446cd6-7dlf5
sh-4.4$
sh-4.4$ cd /extra-certs/
sh-4.4$ ls -l
total 0
lrwxrwxrwx. 1 root root 13 Jun 17 08:38 ca.crt -> ..data/ca.crt
sh-4.4$ curl --cacert ca.crt https://my-registry.mydomain.com/.well-known/app-capabilities
{"appName": "io.quay", "capabilities": {"io.quay.view-image": {"url-template": "https://my-registry.mydomain.com/{namespace}/{reponame}:{tag}"}, "io.quay.image-security": {"rest-api-template": "https://my-registry.mydomain.com/api/v1/repository/{namespace}/{reponame}/image/{imageid}/security", "deprecated": true}, "io.quay.manifest-security": {"rest-api-template": "https://my-registry.mydomain.com/api/v1/repository/{namespace}/{reponame}/manifest/{digest}/security"}}}

However if I do a curl without cacert it doesnt work so it looks like the cert doesnt exist in the os trust bundle, cant find anything in /etc/pki/ca-trust/source/anchors/ either.

Thanks for any help ...

Use scanning from a different registry

I have installed CSO through the OperatorHub on an OpenShift 4.3 instance. I also have a private QUAY 3.2 instance configured to use CLAIR for scanning. I noticed that this operator only provides scan vulnerabilities on images from quay.io registry and no my private quay repository. Is there something I need to do to the operator config or my registry such that the SCO reports scan issues from my quay repo as well ?

How to uninstall

please describe how to uninstall?
CRD?
after unsubscribe the operator, the console still shows "Image Vulnerabilities"

Kubernetes Version requirement

Which Kubernetes version is required to run this operator? We're evaluating the usage of this operator in OpenShift 3.11 to get the ImageManifestVuln CRs.