红帽全球峰会第 7 章 Clair 安全扫描
Clair 是可与 Red Hat Quay 搭配使用的一组微服务,可用于对与一组 Linux 操作系统关联的容器镜像进行漏洞扫描。Clair 的微服务设计使得它适合在高度可扩展的配置中运行,其中组件可以根据企业环境单独扩展。
Clair 使用以下漏洞数据库来扫描您的镜像中的问题:
- alpine SecDB 数据库
- AWS UpdateInfo
- Debian Oval 数据库
- Oracle Oval 数据库
- RHEL Oval 数据库
- SUSE Oval 数据库
- Ubuntu Oval 数据库
- Pyup.io (python)数据库
如需有关 Clair 如何使用不同数据库进行安全映射的信息,请参阅 ClairCore Severity Mapping。
随着 Red Hat Quay 3.4 的发布,新的 Clair V4 (镜像 registry.redhat.io/quay/clair-rhel8)完全替换了之前的 Clair V2 (image quay.io/redhat/clair-jwt)。有关如何在 V4 更新时以只读模式运行 V2 的信息。
7.1. 在 Red Hat Quay OpenShift 部署上设置 Clair
7.1.1. 部署 Via 的 Quay Operator
要在 OpenShift 上的新 Red Hat Quay 部署上设置 Clair V4,强烈建议您使用 Quay Operator。默认情况下,Quay Operator 将安装或升级 Clair 部署以及 Red Hat Quay 部署,并自动配置 Clair 安全扫描。
7.1.2. 手动部署 Clair
要在运行 Clair V2 的现有 Red Hat Quay OpenShift 部署中配置 Clair V4,首先确保 Red Hat Quay 已升级到至少 3.4.0 版本。然后,使用以下步骤手动设置 Clair V4 和 Clair V2。
将当前项目设置为运行 Red Hat Quay 的项目的名称。例如:
$ oc project quay-enterprise为 Clair v4 创建 Postgres 部署文件(例如,cl
airv4-postgres.yaml),如下所示:clairv4-postgres.yaml
--- apiVersion: apps/v1 kind: Deployment metadata: name: clairv4-postgres namespace: quay-enterprise labels: quay-component: clairv4-postgres spec: replicas: 1 selector: matchLabels: quay-component: clairv4-postgres template: metadata: labels: quay-component: clairv4-postgres spec: volumes: - name: postgres-data persistentVolumeClaim: claimName: clairv4-postgres containers: - name: postgres image: postgres:11.5 imagePullPolicy: "IfNotPresent" ports: - containerPort: 5432 env: - name: POSTGRES_USER value: "postgres" - name: POSTGRES_DB value: "clair" - name: POSTGRES_PASSWORD value: "postgres" - name: PGDATA value: "/etc/postgres/data" volumeMounts: - name: postgres-data mountPath: "/etc/postgres" --- apiVersion: v1 kind: PersistentVolumeClaim metadata: name: clairv4-postgres labels: quay-component: clairv4-postgres spec: accessModes: - "ReadWriteOnce" resources: requests: storage: "5Gi" volumeName: "clairv4-postgres" --- apiVersion: v1 kind: Service metadata: name: clairv4-postgres labels: quay-component: clairv4-postgres spec: type: ClusterIP ports: - port: 5432 protocol: TCP name: postgres targetPort: 5432 selector: quay-component: clairv4-postgres部署 postgres 数据库,如下所示:
$ oc create -f ./clairv4-postgres.yaml创建 Clair
config.yaml文件,用于 Clair v4。例如:config.yaml
introspection_addr: :8089 http_listen_addr: :8080 log_level: debug indexer: connstring: host=clairv4-postgres port=5432 dbname=clair user=postgres password=postgres sslmode=disable scanlock_retry: 10 layer_scan_concurrency: 5 migrations: true matcher: connstring: host=clairv4-postgres port=5432 dbname=clair user=postgres password=postgres sslmode=disable max_conn_pool: 100 run: "" migrations: true indexer_addr: clair-indexer notifier: connstring: host=clairv4-postgres port=5432 dbname=clair user=postgres password=postgres sslmode=disable delivery: 1m poll_interval: 5m migrations: true auth: psk: key: MTU5YzA4Y2ZkNzJoMQ==1 iss: ["quay"] # tracing and metrics trace: name: "jaeger" probability: 1 jaeger: agent_endpoint: "localhost:6831" service_name: "clair" metrics: name: "prometheus"- 1
- 要生成 Clair 预共享密钥(PSK),请在用户界面的安全扫描器部分中启用
扫描,然后点Generate PSK。
有关 Clair 配置格式的更多信息,请参阅上游 Clair 文档。
从 Clair
config.yaml创建 secret:$ oc create secret generic clairv4-config-secret --from-file=./config.yaml创建 Clair v4 部署文件(例如,
clair-combo.yaml),并根据需要进行修改:clair-combo.yaml
--- apiVersion: extensions/v1beta1 kind: Deployment metadata: labels: quay-component: clair-combo name: clair-combo spec: replicas: 1 selector: matchLabels: quay-component: clair-combo template: metadata: labels: quay-component: clair-combo spec: containers: - image: registry.redhat.io/quay/clair-rhel8:v3.5.71 imagePullPolicy: IfNotPresent name: clair-combo env: - name: CLAIR_CONF value: /clair/config.yaml - name: CLAIR_MODE value: combo ports: - containerPort: 8080 name: clair-http protocol: TCP - containerPort: 8089 name: clair-intro protocol: TCP volumeMounts: - mountPath: /clair/ name: config imagePullSecrets: - name: redhat-pull-secret restartPolicy: Always volumes: - name: config secret: secretName: clairv4-config-secret --- apiVersion: v1 kind: Service metadata: name: clairv42 labels: quay-component: clair-combo spec: ports: - name: clair-http port: 80 protocol: TCP targetPort: 8080 - name: clair-introspection port: 8089 protocol: TCP targetPort: 8089 selector: quay-component: clair-combo type: ClusterIP- 1
- 将镜像更改为最新的 clair 镜像名称和版本。
- 2
- 将 Service 设置为 clairv4 时,Clair v4 的扫描程序端点稍后会在
SECURITY_SCANNER_SCANNER_V4_ENDPOINT中的 Red Hat Quay config.yaml 中输入为http://clairv4。
创建 Clair v4 部署,如下所示:
$ oc create -f ./clair-combo.yaml修改 Red Hat Quay 部署的
config.yaml文件,以在末尾添加以下条目:FEATURE_SECURITY_SCANNER: true SECURITY_SCANNER_V4_ENDPOINT: http://clairv41 - 1
- 识别 Clair v4 服务端点
将修改后的
config.yaml重新部署到包含该文件的 secret (如quay-enterprise-config-secret:$ oc delete secret quay-enterprise-config-secret $ oc create secret generic quay-enterprise-config-secret --from-file=./config.yaml-
要使新的
config.yaml生效,您需要重启 Red Hat Quay pod。只需删除quay-apppod 会导致部署具有更新的配置的 pod。
此时,在命名空间白名单中标识的任何机构中的镜像将被 Clair v4 扫描。
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}