Estimated time: 15 min
Manage discovered vulnerabilities of applications deployed into the cluster.
Download tigera-scanner binary.
Refer to the Image Assurance docs for the most recent information.
Follow the docs to download the tigera-scanner binary used to scan application images.
Note that the scanner version in the command below may be outdated, as the scanner binary is often updated with each release of Calico Cloud. Follow the docs to get the most recent tigera-scanner binary.
# -f makes curl fail on an HTTP error instead of saving an error page as the "binary"
curl -fLo tigera-scanner https://installer.calicocloud.io/tigera-scanner/v3.16.1-11/image-assurance-scanner-cli-linux-amd64
chmod +x ./tigera-scanner
./tigera-scanner version
Scan application images.
a. Retrieve the API URL and Token values by navigating to Image Assurance > Access Settings in the Calico Cloud UI.
b. Scan application images.
To scan an image, pull it locally first and then run the scanner against it.
# set vars
API_URL='https://<my-org>.calicocloud.io'
TOKEN='<replace_with_token_value>'   # this is a credential: keep it out of version control and shared logs
# pull image locally
docker pull gcr.io/google-samples/microservices-demo/frontend:v0.3.8
# scan the image; the fail/warn thresholds are CVSS scores, and results are reported to Calico Cloud
./tigera-scanner scan gcr.io/google-samples/microservices-demo/frontend:v0.3.8 --fail_threshold 7.0 --warn_threshold 3.9 --apiurl "$API_URL" --token "$TOKEN"
Navigate to Image Assurance > Scan Results in the Calico Cloud UI and review the scan results.
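The single-image scan above generalizes to the whole stack. The script below is an added example, not from the Calico Cloud docs or the workshop repo: it enumerates every image referenced by the pods running in a namespace, pulls and scans each one once with the same thresholds, and exits non-zero if any scan fails. Scanning every component up front matters later in this module, because the container admission policy rejects images whose scan status is Unknown. It assumes ./tigera-scanner in the working directory, docker and kubectl on PATH, and the API_URL and TOKEN variables from the step above; a non-zero exit from the scanner is treated as a failing image, and the scanner's full output for each image is kept under LOG_DIR.

```shell
#!/usr/bin/env bash
# Added example (not from the Calico Cloud docs or workshop repo): scan every image
# that a namespace's pods reference, so no component is left with an Unknown status.
# Assumes ./tigera-scanner, docker and kubectl on PATH, and API_URL / TOKEN set.

SCANNER="${SCANNER:-./tigera-scanner}"    # path to the tigera-scanner binary
FAIL_THRESHOLD="${FAIL_THRESHOLD:-7.0}"    # same CVSS thresholds as the single-image scan
WARN_THRESHOLD="${WARN_THRESHOLD:-3.9}"
LOG_DIR="${LOG_DIR:-${TMPDIR:-/tmp}/tigera-scan-logs}"   # full scanner output, one file per image

# unique_images: read whitespace-separated image references on stdin, print each once.
unique_images() {
  tr -s '[:space:]' '\n' | sed '/^$/d' | sort -u
}

# running_images NAMESPACE: image references of every container (init containers included)
# in the pods currently in NAMESPACE. Pod specs, not the manifests, are the source of truth
# for what is actually running.
running_images() {
  kubectl get pods -n "$1" -o jsonpath='{range .items[*]}{range .spec.initContainers[*]}{.image}{"\n"}{end}{range .spec.containers[*]}{.image}{"\n"}{end}{end}' \
    | unique_images
}

# pull_image IMAGE: the scanner reads from the local image store, so pull first.
pull_image() {
  docker pull -q "$1" >/dev/null
}

# scan_images: for each image reference on stdin, pull and scan it; print "OK <image>",
# "FAILED <image>" or "PULL_ERROR <image>" per line and return 1 if anything failed.
scan_images() {
  rc=0
  mkdir -p "$LOG_DIR"
  while IFS= read -r image; do
    [ -n "$image" ] || continue
    if ! pull_image "$image"; then
      echo "PULL_ERROR $image"; rc=1; continue
    fi
    log="$LOG_DIR/$(printf '%s' "$image" | tr '/:@' '___').log"
    if "$SCANNER" scan "$image" --fail_threshold "$FAIL_THRESHOLD" --warn_threshold "$WARN_THRESHOLD" \
         --apiurl "$API_URL" --token "$TOKEN" >"$log" 2>&1; then
      echo "OK $image"
    else
      echo "FAILED $image"; rc=1      # non-zero exit: scan error or fail threshold crossed; see $log
    fi
  done
  return $rc
}

# scan_namespace NAMESPACE: scan everything currently running in NAMESPACE.
scan_namespace() {
  running_images "${1:-default}" | scan_images
}

# Usage: API_URL=... TOKEN=... ./scan-stack.sh --run [namespace]
if [ "${1:-}" = "--run" ]; then
  : "${API_URL:?set API_URL}" "${TOKEN:?set TOKEN}"
  scan_namespace "${2:-default}"
fi
```

Run it against the namespace the boutiqueshop stack lives in before deleting and redeploying the stack; the non-zero exit status makes it usable as a CI gate as well.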
Configure image assurance admission controller.
The image assurance admission controller enforces the policies that determine which images are allowed to be deployed into the cluster. The tigera-admission-controller.yaml manifest is configured to look for namespaces carrying the tigera-admission-controller: enforcing label, and container admission is enforced only in those namespaces.
a. Add the tigera-admission-controller: enforcing label to the default namespace.
kubectl label namespace default tigera-admission-controller=enforcing
b. Deploy the admission controller.
See the Image Assurance docs for the most recent version.
NOTE: if your workstation has OpenSSL version 1.0.2 or any other version that lacks the -addext flag (it was introduced in OpenSSL 1.1.1), update OpenSSL to version 1.1.1 or newer and make sure that the openssl executable on your PATH invokes the new version. On Amazon Linux 2, which ships 1.0.2 at /usr/bin/openssl, you can do it with this line (-f replaces the existing binary, which a plain ln -s would refuse to do):
sudo yum install -y openssl11 && sudo ln -sf /usr/bin/openssl11 /usr/bin/openssl
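The -addext flag matters because it is the OpenSSL 1.1.1 way to add extensions such as subjectAltName when the request is generated, and the API server validates the webhook's serving certificate against the service DNS name (<service>.<namespace>.svc), not the CN. The following is an added pre-flight check, not from the Calico Cloud docs or the workshop repo, to run after generate-open-ssl-key-cert-pair.sh has written admission_controller_cert.pem and admission_controller_key.pem and before the manifest is templated: it confirms that the certificate and key belong together and that the SAN carries the service name. The service DNS name used in the usage comment is an assumption; take the real one from the webhook clientConfig in the deploy manifest.

```shell
#!/usr/bin/env bash
# Added pre-flight check (not from the Calico Cloud docs or workshop repo) for the TLS pair
# the admission controller will serve. Assumes the file names written by
# generate-open-ssl-key-cert-pair.sh and an openssl >= 1.1.1 binary (for -addext) on PATH.

# cert_matches_key CERT KEY: 0 when the public key embedded in CERT is the one derived from KEY.
cert_matches_key() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
  [ "$cert_pub" = "$key_pub" ]
}

# cert_has_san CERT DNSNAME: 0 when DNSNAME is listed in the certificate's subjectAltName.
# Go-based API servers ignore the CN, so a certificate without the service name in its SAN
# fails the webhook TLS handshake.
cert_has_san() {
  openssl x509 -in "$1" -noout -text 2>/dev/null \
    | grep -A1 'Subject Alternative Name' \
    | tr ',' '\n' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' \
    | grep -qx "DNS:$2"
}

# check_admission_tls CERT KEY DNSNAME: run both checks, report, return 0 only if both pass.
check_admission_tls() {
  status=0
  if cert_matches_key "$1" "$2"; then
    echo "ok: certificate matches private key"
  else
    echo "FAIL: certificate and private key do not match"; status=1
  fi
  if cert_has_san "$1" "$3"; then
    echo "ok: SAN contains DNS:$3"
  else
    echo "FAIL: SAN does not contain DNS:$3"; status=1
  fi
  return $status
}

# make_pair DIR DNSNAME: throwaway self-signed pair with the SAN set via -addext; used here
# only to exercise the checks with constructed input, not to replace the page's helper script.
make_pair() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$2" \
    -addext "subjectAltName=DNS:$2" \
    -keyout "$1/admission_controller_key.pem" -out "$1/admission_controller_cert.pem" 2>/dev/null
}

# Usage against the real files, with the webhook service name from the deploy manifest
# (the name below is hypothetical; substitute the one in
# tigera-image-assurance-admission-controller-deploy.yaml):
#   check_admission_tls admission_controller_cert.pem admission_controller_key.pem \
#     tigera-image-assurance-admission-controller-service.tigera-image-assurance.svc
```

If the SAN check fails, regenerate the pair with the correct service name rather than templating the manifest; the webhook would otherwise be deployed but every admission call from the API server would fail the TLS handshake.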
# get the most recent versions from the Image Assurance docs and adjust these vars
IA_VERSION='v3.16.1-11'
IA_AC_VERSION='v1.7.3'
# generate certificates: fetch the helper script first so it can be reviewed before it is executed
curl -fsSLo generate-open-ssl-key-cert-pair.sh https://installer.calicocloud.io/manifests/${IA_VERSION}/manifests/generate-open-ssl-key-cert-pair.sh
bash generate-open-ssl-key-cert-pair.sh
# deploy admission controller: base64 output is line-wrapped and can contain '/', so join the
# lines and use '|' as the sed delimiter (the base64 alphabet never contains '|')
sed -e "s|BASE64_CERTIFICATE|$(base64 < admission_controller_cert.pem | tr -d '\n')|g" \
    -e "s|BASE64_KEY|$(base64 < admission_controller_key.pem | tr -d '\n')|g" \
    -e "s|IA_AC_VERSION|$IA_AC_VERSION|g" \
    demo/80-image-assurance/tigera-image-assurance-admission-controller-deploy.yaml | kubectl apply -f -
Configure container admission policy.
Deploy a container admission policy that allows deployment only of images with a Pass or Warn scan status.
kubectl apply -f demo/80-image-assurance/tigera-image-assurance-admission-controller-policy.yaml
To test the policy enforcement, delete and then redeploy the boutiqueshop application stack: the admission controller only evaluates a container at pod creation time, so workloads that are already running in the cluster are not affected by the new policy.
Note that the reject-failed container admission policy is configured to allow only images with a scan status of Pass or Warn. If an image for any application component hasn't been scanned yet, its status is Unknown and the pod is rejected. If you don't want to scan all images for the boutiqueshop stack, you can edit the admission policy to also allow images with the Unknown status, but be aware that this admits any unscanned image and therefore weakens the control.
# delete app stack
kubectl delete -f https://raw.githubusercontent.com/GoogleCloudPlatform/microservices-demo/release/v0.3.8/release/kubernetes-manifests.yaml
# deploy app stack
kubectl apply -f https://raw.githubusercontent.com/GoogleCloudPlatform/microservices-demo/release/v0.3.8/release/kubernetes-manifests.yaml