Chapter 15. Scanning pods for vulnerabilities

Procedure

1. You can install the Red Hat Quay Container Security Operator by using the OpenShift Container Platform web console:

   1. On the web console, navigate to Operators OperatorHub and select Security.
   2. Select the Red Hat Quay Container Security Operator Operator, and then select Install.
   3. On the Red Hat Quay Container Security Operator page, select Install. Update channel, Installation mode, and Update approval are selected automatically. The Installed Namespace field defaults to

      openshift-operators

      . You can adjust these settings as needed.
   4. Select Install. The Red Hat Quay Container Security Operator appears after a few moments on the Installed Operators page.

   5. Optional: You can add custom certificates to the Red Hat Quay Container Security Operator. For example, create a certificate named

      quay.crt

      in the current directory. Then, run the following command to add the custom certificate to the Red Hat Quay Container Security Operator:

      $ oc create secret generic container-security-operator-extra-certs --from-file=quay.crt -n openshift-operators

   6. Optional: If you added a custom certificate, restart the Red Hat Quay Container Security Operator pod for the new certificates to take effect.

2. Alternatively, you can install the Red Hat Quay Container Security Operator by using the CLI:

   1. Retrieve the latest version of the Container Security Operator and its channel by entering the following command:

      $ oc get packagemanifests container-security-operator \
        -o jsonpath='{range .status.channels[*]}{@.currentCSV} {@.name}{"\n"}{end}' \
        | awk '{print "STARTING_CSV=" $1 " CHANNEL=" $2 }' \
        | sort -Vr \
        | head -1

      Example output

      STARTING_CSV=container-security-operator.v3.8.9 CHANNEL=stable-3.8

   2. Using the output from the previous command, create a

      Subscription

      custom resource for the Red Hat Quay Container Security Operator and save it as

      container-security-operator.yaml

      . For example:

      apiVersion: operators.coreos.com/v1alpha1
      kind: Subscription
      metadata:
        name: container-security-operator
        namespace: openshift-operators
      spec:
        channel: ${CHANNEL} 

      1

      
        installPlanApproval: Automatic
        name: container-security-operator
        source: redhat-operators
        sourceNamespace: openshift-marketplace
        startingCSV: ${STARTING_CSV} 

      2

      1

      Specify the value you obtained in the previous step for the spec.channel parameter.

      2

      Specify the value you obtained in the previous step for the spec.startingCSV parameter.

   3. Enter the following command to apply the configuration:

      $ oc apply -f container-security-operator.yaml

      Example output

      subscription.operators.coreos.com/container-security-operator created

Procedure

1. On the OpenShift Container Platform web console, navigate to Home Overview. Under the Status section, Image Vulnerabilities provides the number of vulnerabilities found.
2. Click Image Vulnerabilities to reveal the Image Vulnerabilities breakdown tab, which details the severity of the vulnerabilities, whether the vulnerabilities can be fixed, and the total number of vulnerabilities.

3. You can address detected vulnerabilities in one of two ways:

   1. Select a link under the Vulnerabilities section. This takes you to the container registry that the container came from, where you can see information about the vulnerability.
   2. Select the namespace link. This takes you to the Image Manifest Vulnerabilities page, where you can see the name of the selected image and all of the namespaces where that image is running.

4. After you have learned what images are vulnerable, how to fix those vulnerabilities, and the namespaces that the images are being run in, you can improve security by performing the following actions:

   1. Alert anyone in your organization who is running the image and request that they correct the vulnerability.

   2. Stop the images from running by deleting the deployment or other object that started the pod that the image is in.

      Note

      If you delete the pod, it might take several minutes for the vulnerability information to reset on the dashboard.

Procedure

1. Enter the following command to query for detected container image vulnerabilities:

   $ oc get vuln --all-namespaces

   Example output

   NAMESPACE     NAME              AGE
   default       sha256.ca90...    6m56s
   skynet        sha256.ca90...    9m37s

2. To display details for a particular vulnerability, append the vulnerability name and its namespace to the

   oc describe

   command. The following example shows an active container whose image includes an RPM package with a vulnerability:

   $ oc describe vuln --namespace mynamespace sha256.ac50e3752...

   Example output

   Name:         sha256.ac50e3752...
   Namespace:    quay-enterprise
   ...
   Spec:
     Features:
       Name:            nss-util
       Namespace Name:  centos:7
       Version:         3.44.0-3.el7
       Versionformat:   rpm
       Vulnerabilities:
         Description: Network Security Services (NSS) is a set of libraries...

Procedure

1. On the OpenShift Container Platform web console, click Operators Installed Operators.
2. Click the menu of the Container Security Operator.
3. Click Uninstall Operator.
4. Confirm your decision by clicking Uninstall in the popup window.

5. Use the CLI to delete the

   imagemanifestvulns.secscan.quay.redhat.com

   CRD.

   1. Remove the

      imagemanifestvulns.secscan.quay.redhat.com

      custom resource definition by entering the following command:

      $ oc delete customresourcedefinition imagemanifestvulns.secscan.quay.redhat.com

      Example output

      customresourcedefinition.apiextensions.k8s.io "imagemanifestvulns.secscan.quay.redhat.com" deleted