Continuous Image Security


In this post I will show you my tool to continuously scan the images deployed in your Kubernetes cluster.

Parts of the K8S Security Lab series

Container Runtime Security
Advanced Kernel Security
Container Network Security
Secure Kubernetes Install
User Security

In a previous post we talked about admission controllers that scan the image at deploy time, like Banzai Cloud's anchore-image-validator and Anchore's own admission controller. But what if you run your image for a long time? Last week I realised I was running containers with images older than a year. In that time period many new vulnerabilities came up.

I found a tool called trivy-scanner that does almost what I want. It scans the Docker images in all namespaces that carry the label trivy=true and exposes the results on a Prometheus endpoint. It is based on Shell Operator, which runs a small Python script. I made my own version of it:

Deploy the app

git clone https://github.com/devopstales/trivy-scanner

nano trivy-scanner/deploy/kubernetes/kustomization.yaml
namespace: trivy-scanner
...

kubectl create ns trivy-scanner
kubectl apply -k trivy-scanner/deploy/kubernetes/

Demo

Test the guestbook-demo namespace:

kubectl label namespaces guestbook-demo trivy=true

kubectl get service -n trivy-scanner
NAME            TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)    AGE
trivy-scanner   ClusterIP   10.43.179.39   <none>        9115/TCP   15m

curl -s http://10.43.179.39:9115/metrics | grep so_vulnerabilities

Now you need to add the trivy-scanner Service as a scrape target for your Prometheus. I created a ServiceMonitor object for that:

apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
  labels:
    serviceapp: trivy-exporter-servicemonitor
    release: prometheus
  name: trivy-exporter-servicemonitor
spec:
  selector:
    matchLabels:
      app: trivy-scanner
  endpoints:
  - port: metrics
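To make the scan-to-metrics path concrete, here is an added Python example of my own; it is not code from the trivy-scanner project or from Shell Operator. It takes a Trivy JSON report, renders it as Prometheus exposition text, parses such text back, and flags images with findings at or above a chosen severity, which is the check an alert rule on this endpoint would perform. The metric name is taken from the so_vulnerabilities grep above; the label names exported_namespace, image and severity are assumptions, and the report contents (image name, package names, CVE ids) are constructed for the example.

```python
"""
Added example, not part of the trivy-scanner project: convert a Trivy JSON
report into Prometheus exposition lines and evaluate a scraped metrics page
against a severity threshold.  The label names (exported_namespace, image,
severity) are assumptions; the metric name matches the grep in the post.
"""
import json
import re
from collections import Counter

# Constructed sample report: the shape follows Trivy's JSON output
# ("Results" -> "Vulnerabilities"), every value is made up for this example.
SAMPLE_TRIVY_JSON = json.dumps({
    "ArtifactName": "docker.io/library/redis:5.0",
    "Results": [
        {"Target": "docker.io/library/redis:5.0 (debian 10.3)",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libssl1.1",
              "InstalledVersion": "1.1.1d-0", "FixedVersion": "1.1.1d-1",
              "Severity": "CRITICAL"},
             {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libc6",
              "InstalledVersion": "2.28-10", "Severity": "HIGH"},
             {"VulnerabilityID": "CVE-0000-0003", "PkgName": "bash",
              "InstalledVersion": "5.0-4", "Severity": "LOW"},
         ]},
    ],
})

SEVERITIES = ("UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL")
METRIC = "so_vulnerabilities"  # name seen in the post; labels below are assumed


def count_by_severity(report_json: str) -> Counter:
    """Count vulnerabilities per severity across all targets of one report."""
    report = json.loads(report_json)
    counts = Counter()
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            counts[vuln.get("Severity", "UNKNOWN")] += 1
    return counts


def _escape(value: str) -> str:
    # Prometheus text format: backslash, double quote and newline must be escaped in label values.
    return value.replace("\\", "\\\\").replace('"', '\\"').replace("\n", "\\n")


def to_exposition(namespace: str, image: str, report_json: str) -> str:
    """Render one gauge sample per severity; zero counts are emitted so dashboards do not go stale."""
    counts = count_by_severity(report_json)
    lines = [f"# HELP {METRIC} Number of vulnerabilities found by trivy per image and severity.",
             f"# TYPE {METRIC} gauge"]
    for sev in SEVERITIES:
        lines.append(
            f'{METRIC}{{exported_namespace="{_escape(namespace)}",'
            f'image="{_escape(image)}",severity="{sev}"}} {counts[sev]}'
        )
    return "\n".join(lines) + "\n"


# One sample line: metric{labels} value
SAMPLE_LINE = re.compile(rf'^{METRIC}\{{(?P<labels>[^}}]*)\}}\s+(?P<value>\S+)')
# One label inside the braces, honouring backslash escapes in the value
LABEL = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')


def parse_exposition(text: str) -> list:
    """Parse scraped text back into (labels dict, float) tuples, skipping comments and other metrics."""
    samples = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        m = SAMPLE_LINE.match(line)
        if not m:
            continue
        labels = dict(LABEL.findall(m.group("labels")))
        samples.append((labels, float(m.group("value"))))
    return samples


def images_over_threshold(text: str, min_severity: str = "HIGH") -> dict:
    """Return {image: finding count} for images with at least one finding at or above min_severity."""
    floor = SEVERITIES.index(min_severity)
    offenders = Counter()
    for labels, value in parse_exposition(text):
        if SEVERITIES.index(labels.get("severity", "UNKNOWN")) >= floor and value > 0:
            offenders[labels["image"]] += int(value)
    return dict(offenders)


if __name__ == "__main__":
    page = to_exposition("guestbook-demo", "docker.io/library/redis:5.0", SAMPLE_TRIVY_JSON)
    print(page)
    print(images_over_threshold(page, "HIGH"))
```

Running the file prints the five gauge lines for the constructed redis image and then `{'docker.io/library/redis:5.0': 2}`, the two findings at HIGH or above. The same threshold check expressed against the real scrape (for example a PromQL sum over severity="CRITICAL" per image) is what an alerting rule on this ServiceMonitor would evaluate.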

If you use my Grafana dashboard from the repo you will see something like this:

[image: Grafana dashboard]