Chapter 7. Clair security scanning
Clair is a set of microservices that can be used with Red Hat Quay to perform vulnerability scanning of container images associated with a set of Linux operating systems. The microservice design of Clair makes it suitable for running in highly scalable configurations, where components can be scaled independently as the enterprise environment requires.
Clair uses the following vulnerability databases to scan images for issues:
- alpine SecDB database
- AWS UpdateInfo
- Debian Oval database
- Oracle Oval database
- RHEL Oval database
- SUSE Oval database
- Ubuntu Oval database
- Pyup.io (python) database
For information on how Clair uses the different databases for security mapping, see ClairCore Severity Mapping.
With the Red Hat Quay 3.4 release, the new Clair V4 (image registry.redhat.io/quay/clair-rhel8) fully replaces the earlier Clair V2 (image quay.io/redhat/clair-jwt). For information on running V2 in read-only mode while updating to V4.
7.1. Setting up Clair on a Red Hat Quay OpenShift deployment
7.1.1. Deploying via the Quay Operator
To set up Clair V4 on a new Red Hat Quay deployment on OpenShift, it is highly recommended to use the Quay Operator. By default, the Quay Operator installs or upgrades a Clair deployment along with your Red Hat Quay deployment and configures Clair security scanning automatically.
7.1.2. Deploying Clair manually
To configure Clair V4 on an existing Red Hat Quay OpenShift deployment running Clair V2, first ensure that Red Hat Quay has been upgraded to version 3.4.0. Then use the following steps to set up Clair V4 manually alongside Clair V2.
Set your current project to the name of the project in which Red Hat Quay is running. For example:
$ oc project quay-enterprise
Create a Postgres deployment file for Clair v4 (for example, clairv4-postgres.yaml) as shown below.
clairv4-postgres.yaml
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: clairv4-postgres
  namespace: quay-enterprise
  labels:
    quay-component: clairv4-postgres
spec:
  replicas: 1
  selector:
    matchLabels:
      quay-component: clairv4-postgres
  template:
    metadata:
      labels:
        quay-component: clairv4-postgres
    spec:
      volumes:
        - name: postgres-data
          persistentVolumeClaim:
            claimName: clairv4-postgres
      containers:
        - name: postgres
          image: postgres:11.5
          imagePullPolicy: "IfNotPresent"
          ports:
            - containerPort: 5432
          env:
            - name: POSTGRES_USER
              value: "postgres"
            - name: POSTGRES_DB
              value: "clair"
            - name: POSTGRES_PASSWORD
              value: "postgres"
            - name: PGDATA
              value: "/etc/postgres/data"
          volumeMounts:
            - name: postgres-data
              mountPath: "/etc/postgres"
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: clairv4-postgres
  labels:
    quay-component: clairv4-postgres
spec:
  accessModes:
    - "ReadWriteOnce"
  resources:
    requests:
      storage: "5Gi"
  volumeName: "clairv4-postgres"
---
apiVersion: v1
kind: Service
metadata:
  name: clairv4-postgres
  labels:
    quay-component: clairv4-postgres
spec:
  type: ClusterIP
  ports:
    - port: 5432
      protocol: TCP
      name: postgres
      targetPort: 5432
  selector:
    quay-component: clairv4-postgres
Deploy the postgres database as follows:
$ oc create -f ./clairv4-postgres.yaml
Create a Clair config.yaml file to use for Clair v4. For example:
config.yaml
introspection_addr: :8089
http_listen_addr: :8080
log_level: debug
indexer:
  connstring: host=clairv4-postgres port=5432 dbname=clair user=postgres password=postgres sslmode=disable
  scanlock_retry: 10
  layer_scan_concurrency: 5
  migrations: true
matcher:
  connstring: host=clairv4-postgres port=5432 dbname=clair user=postgres password=postgres sslmode=disable
  max_conn_pool: 100
  run: ""
  migrations: true
  indexer_addr: clair-indexer
notifier:
  connstring: host=clairv4-postgres port=5432 dbname=clair user=postgres password=postgres sslmode=disable
  delivery: 1m
  poll_interval: 5m
  migrations: true
auth:
  psk:
    key: MTU5YzA4Y2ZkNzJoMQ== # 1
    iss: ["quay"]
# tracing and metrics
trace:
  name: "jaeger"
  probability: 1
  jaeger:
    agent_endpoint: "localhost:6831"
    service_name: "clair"
metrics:
  name: "prometheus"
1 - To generate a Clair pre-shared key (PSK), enable scanning in the Security Scanner section of the user interface and click Generate PSK.
For more information about the Clair configuration format, see the upstream Clair documentation.
Create a secret from the Clair config.yaml:
$ oc create secret generic clairv4-config-secret --from-file=./config.yaml
Create a Clair v4 deployment file (for example, clair-combo.yaml) and modify it as needed:
clair-combo.yaml
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  labels:
    quay-component: clair-combo
  name: clair-combo
spec:
  replicas: 1
  selector:
    matchLabels:
      quay-component: clair-combo
  template:
    metadata:
      labels:
        quay-component: clair-combo
    spec:
      containers:
        - image: registry.redhat.io/quay/clair-rhel8:v3.7.13 # 1
          imagePullPolicy: IfNotPresent
          name: clair-combo
          env:
            - name: CLAIR_CONF
              value: /clair/config.yaml
            - name: CLAIR_MODE
              value: combo
          ports:
            - containerPort: 8080
              name: clair-http
              protocol: TCP
            - containerPort: 8089
              name: clair-intro
              protocol: TCP
          volumeMounts:
            - mountPath: /clair/
              name: config
      imagePullSecrets:
        - name: redhat-pull-secret
      restartPolicy: Always
      volumes:
        - name: config
          secret:
            secretName: clairv4-config-secret
---
apiVersion: v1
kind: Service
metadata:
  name: clairv4 # 2
  labels:
    quay-component: clair-combo
spec:
  ports:
    - name: clair-http
      port: 80
      protocol: TCP
      targetPort: 8080
    - name: clair-introspection
      port: 8089
      protocol: TCP
      targetPort: 8089
  selector:
    quay-component: clair-combo
  type: ClusterIP
Create the Clair v4 deployment as follows:
$ oc create -f ./clair-combo.yaml
Modify the config.yaml file of your Red Hat Quay deployment to add the following entries at the end:
FEATURE_SECURITY_NOTIFICATIONS: true
FEATURE_SECURITY_SCANNER: true
SECURITY_SCANNER_V4_ENDPOINT: http://clairv4 # 1
1 - Identifies the Clair v4 service endpoint.
Redeploy the modified config.yaml to the secret that contains that file (for example, quay-enterprise-config-secret):
$ oc delete secret quay-enterprise-config-secret
$ oc create secret generic quay-enterprise-config-secret --from-file=./config.yaml
For the new config.yaml to take effect, you need to restart the Red Hat Quay pods. Simply deleting the quay-app pods causes pods with the updated configuration to be deployed.
At this point, images in any organization identified in the namespace whitelist will be scanned by Clair v4.
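Before creating the secrets, it is worth auditing the two config.yaml fragments above for the settings a reviewer would question: the Clair connstrings use the default postgres password and sslmode=disable, the PSK must be valid base64 with "quay" as the issuer, and the Quay endpoint must name the clairv4 Service. This is an added example, not part of the Red Hat Quay documentation or the Clair project; the sample configs are constructed copies of this chapter's fragments (the PSK is the chapter's placeholder, not a real key), and the check names are this example's own.

```python
import base64
import re

# Constructed sample mirroring the Clair config.yaml fragment above.
CLAIR_CONFIG = """\
indexer:
  connstring: host=clairv4-postgres port=5432 dbname=clair user=postgres password=postgres sslmode=disable
matcher:
  connstring: host=clairv4-postgres port=5432 dbname=clair user=postgres password=postgres sslmode=disable
auth:
  psk:
    key: MTU5YzA4Y2ZkNzJoMQ==
    iss: ["quay"]
"""

# Constructed sample mirroring the entries appended to the Quay config.yaml.
QUAY_CONFIG = """\
FEATURE_SECURITY_SCANNER: true
SECURITY_SCANNER_V4_ENDPOINT: http://clairv4
"""


def audit_clair_config(text):
    """Return sorted, de-duplicated findings for the Clair config text."""
    findings = set()
    # Each section (indexer, matcher, notifier) carries its own connstring.
    for line in re.findall(r"^\s*connstring:\s*(.+)$", text, re.M):
        params = dict(p.split("=", 1) for p in line.split() if "=" in p)
        if params.get("sslmode") == "disable":
            findings.add("connstring: sslmode=disable sends DB traffic in clear")
        if params.get("password") == "postgres":
            findings.add("connstring: default 'postgres' password in use")
    # Quay signs its requests with the PSK; Clair checks the issuer claim.
    key = re.search(r"^\s*key:\s*(\S+)\s*$", text, re.M)
    if key is None:
        findings.add("auth.psk.key: missing, Quay cannot authenticate to Clair")
    else:
        try:
            base64.b64decode(key.group(1), validate=True)
        except ValueError:
            findings.add("auth.psk.key: not valid base64")
    if not re.search(r'^\s*iss:\s*\[.*"quay".*\]', text, re.M):
        findings.add('auth.psk.iss: does not list "quay", the issuer Quay uses')
    return sorted(findings)


def audit_quay_config(text, clair_service="clairv4"):
    """Check that Quay points at the Clair v4 Service created above."""
    kv = dict(re.findall(r"^(\w+):\s*(.+)$", text, re.M))
    findings = []
    if kv.get("FEATURE_SECURITY_SCANNER") != "true":
        findings.append("FEATURE_SECURITY_SCANNER is not enabled")
    if kv.get("SECURITY_SCANNER_V4_ENDPOINT") != f"http://{clair_service}":
        findings.append(f"SECURITY_SCANNER_V4_ENDPOINT is not http://{clair_service}")
    return findings
```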