container-vulnerability-exporter

The container vulnerability exporter collects an image inventory from an OpenShift cluster and reports on detected vulnerabilities for images hosted and scanned with Quay.io.

Developed and tested with OpenShift >=3.11 (k8s 1.11)

Quickstart

  • export KUBECONFIG="$HOME/.kube/config" (or change to any authenticated OpenShift client config path)
  • export QUAY_TOKEN="aaabbbzzz" (set to QUAY api token)
  • make build
  • make test
  • make run

Once running, point a Prometheus scraper at localhost:8080 (default) or curl http://localhost:8080

To enable very verbose debug logging:

  • make run LOG_LEVEL=DEBUG

Image data example

'image': 'quay.io/pusher/oauth2_proxy:v4.0.0-amd64'
'imageID': 'docker-pullable://quay.io/pusher/oauth2_proxy@sha256:44cb81d3b2253f79a0d3e81f6a9a5dccda4ba4f992b833522f4c5ebeb5e02e71'
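The 'image' field is the tag the pod asked for, while 'imageID' carries the content digest the kubelet actually pulled; the digest is what ties a running container to a scanned manifest. The following is an added example (not code from this project) that parses such entries into registry, repository, tag and digest, and reduces an inventory to the unique quay.io (repository, digest) pairs. The sample inventory is constructed from the README's image data example; the 'image' and 'imageID' field names are the ones kubelet reports in pod container status.

```python
"""Parse kubelet image references into the parts a scanner lookup needs.

Added example, not code from container-vulnerability-exporter.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Digest taken from the README's image data example.
OAUTH2_PROXY_DIGEST = "sha256:44cb81d3b2253f79a0d3e81f6a9a5dccda4ba4f992b833522f4c5ebeb5e02e71"

# Constructed sample inventory: two pods running the same Quay image plus one
# image from another registry, which the exporter would not ask Quay about.
SAMPLE_INVENTORY = [
    {"image": "quay.io/pusher/oauth2_proxy:v4.0.0-amd64",
     "imageID": "docker-pullable://quay.io/pusher/oauth2_proxy@" + OAUTH2_PROXY_DIGEST},
    {"image": "quay.io/pusher/oauth2_proxy:v4.0.0-amd64",
     "imageID": "docker-pullable://quay.io/pusher/oauth2_proxy@" + OAUTH2_PROXY_DIGEST},
    {"image": "nginx:1.17",
     "imageID": "docker-pullable://nginx@sha256:" + "0" * 64},
]

SHA256_RE = re.compile(r"^sha256:[0-9a-f]{64}$")


@dataclass(frozen=True)
class ImageRef:
    registry: str          # e.g. "quay.io"
    repository: str        # e.g. "pusher/oauth2_proxy"
    tag: Optional[str]     # from the 'image' field, None if referenced by digest only
    digest: str            # "sha256:<64 hex chars>" from the 'imageID' field


def parse_image_id(image_id: str, image: str) -> ImageRef:
    """Split 'docker-pullable://host/repo@sha256:...' into registry, repo, tag, digest."""
    ref = image_id.split("://", 1)[1] if "://" in image_id else image_id
    name, sep, digest = ref.rpartition("@")
    if not sep or not SHA256_RE.match(digest):
        # Only a content digest identifies a scanned manifest; refuse anything else.
        raise ValueError(f"imageID has no valid sha256 digest: {image_id}")
    first, slash, rest = name.partition("/")
    # A first path component with a dot, a colon (port) or 'localhost' is a registry
    # host; otherwise this is a Docker Hub short name such as 'nginx'.
    if slash and ("." in first or ":" in first or first == "localhost"):
        registry, repository = first, rest
    else:
        registry, repository = "docker.io", name
    tag = None
    if "@" not in image:
        last = image.rsplit("/", 1)[-1]       # avoid mistaking a registry port for a tag
        if ":" in last:
            tag = last.rsplit(":", 1)[1]
    return ImageRef(registry, repository, tag, digest)


def quay_manifests(inventory) -> List[Tuple[str, str]]:
    """Unique (repository, digest) pairs hosted on quay.io, i.e. what to look up in Quay."""
    seen = set()
    for entry in inventory:
        try:
            ref = parse_image_id(entry["imageID"], entry["image"])
        except ValueError:
            continue   # image not yet pulled or not digest-addressed: nothing to scan against
        if ref.registry == "quay.io":
            seen.add((ref.repository, ref.digest))
    return sorted(seen)


if __name__ == "__main__":
    for repo, digest in quay_manifests(SAMPLE_INVENTORY):
        print(repo, digest)
```

Deduplicating on the digest rather than on the tag matters: a tag like v4.0.0-amd64 can be moved to a different manifest, and two pods showing the same tag may run different code, so vulnerability results should be keyed by digest.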

OpenShift Config

The pod expects the following secrets:

  • QUAY_TOKEN: QUAY api token
  • KUBECONFIG: base64 encoded k8s config file, see kubeconfig.EXAMPLE for non-base64 encoded boilerplate

You can flatten a k8s config file and base64-encode it for the KUBECONFIG secret (see https://kubernetes.io/docs/reference/kubectl/cheatsheet/ for more info) by:

  • kubectl config view --flatten | base64 -w0 | tee k8s-secret.yaml
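The base64 string that command writes is the value for the KUBECONFIG key of the secret; the same encoding applies to QUAY_TOKEN. The following is an added example (not this project's code) that builds the Secret object around those two keys and checks that the values decode back to a plausible kubeconfig. The secret name "cvexporter-secrets" and the kubeconfig contents are placeholders; only the data keys QUAY_TOKEN and KUBECONFIG come from the README.

```python
"""Build and verify the Secret the exporter pod reads.

Added example, not code from container-vulnerability-exporter.
"""
import base64
import json

# Constructed stand-in for `kubectl config view --flatten` output (placeholder values).
SAMPLE_KUBECONFIG = """apiVersion: v1
kind: Config
clusters:
- name: example
  cluster:
    server: https://api.example.invalid:6443
contexts:
- name: example
  context:
    cluster: example
    user: admin
current-context: example
users:
- name: admin
  user:
    token: PLACEHOLDER-KUBE-TOKEN
"""


def b64_oneline(text: str) -> str:
    """Same output as `base64 -w0`: standard base64 with no line wrapping."""
    return base64.b64encode(text.encode("utf-8")).decode("ascii")


def build_secret_manifest(name: str, kubeconfig_text: str, quay_token: str) -> dict:
    """Opaque Secret with the two keys the pod expects; values are base64 as k8s requires."""
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name},
        "type": "Opaque",
        "data": {
            "KUBECONFIG": b64_oneline(kubeconfig_text),
            "QUAY_TOKEN": b64_oneline(quay_token),
        },
    }


def decode_secret_data(manifest: dict) -> dict:
    """Reverse the encoding, as the pod sees the values once the secret is mounted."""
    return {k: base64.b64decode(v).decode("utf-8") for k, v in manifest["data"].items()}


def looks_like_kubeconfig(text: str) -> bool:
    """Cheap check, without a YAML parser, that the decoded value is a real kubeconfig."""
    required = ("clusters:", "contexts:", "current-context:", "users:")
    return all(key in text for key in required)


if __name__ == "__main__":
    # oc/kubectl accept JSON manifests, so no YAML library is needed.
    manifest = build_secret_manifest("cvexporter-secrets", SAMPLE_KUBECONFIG, "aaabbbzzz")
    print(json.dumps(manifest, indent=2))
```

Pipe the printed JSON into `oc create -f -` in the same way as the templates below. Keep the generated file out of version control: the base64 layer is encoding, not encryption, and the kubeconfig inside carries a cluster credential.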

A future version of this code will provide support for multiple contexts as a parameter.

To create the relevant OpenShift objects (note: the dummysecrets values in this repo are not valid):

oc process -f openshift/dummysecrets.yaml | oc create -f -
oc process -f openshift/cvexporter.yaml | oc create -f -