
OpenShift image versions, configuring an image registry in OpenShift

Date: 2023-05-06 06:42:55 Views: 154926 Author: 2885

"OpenShift 4.x HOL Tutorial Collection"

Note: this article has been verified in an OpenShift 4.9 environment.

Contents
What is Clair?
Installing the Clair environment on OpenShift
Installing the Clair client
Scanning container images with Clair

What is Clair?

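Clair was originally a container image vulnerability scanner developed by CoreOS. CoreOS was later acquired by Red Hat, and Clair became the Red Hat-led open-source software for scanning container images for security vulnerabilities.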

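As open-source software, Clair can run on its own or be integrated with other software. Quay, Red Hat's image registry product, has Clair built in as its image repository scanner.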

Installing the Clair environment on OpenShift

Create the project.

    $ oc new-project quay-enterprise

Create the clairv4-postgres.yaml file with the following content:

    ---
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: clairv4-postgres
      namespace: quay-enterprise
      labels:
        quay-component: clairv4-postgres
    spec:
      selector:
        matchLabels:
          quay-component: clairv4-postgres
      template:
        metadata:
          labels:
            quay-component: clairv4-postgres
        spec:
          volumes:
            - name: postgres-data
              persistentVolumeClaim:
                claimName: clairv4-postgres
          containers:
            - name: postgres
              image: postgres:11.5
              imagePullPolicy: "IfNotPresent"
              resources:
                limits:
                  cpu: '2'
                  memory: 6Gi
                requests:
                  memory: 4Gi
              ports:
                - containerPort: 5432
              env:
                - name: POSTGRES_USER
                  value: "postgres"
                - name: POSTGRES_DB
                  value: "clair"
                - name: POSTGRES_PASSWORD
                  value: "postgres"
                - name: PGDATA
                  value: "/etc/postgres/data"
              volumeMounts:
                - name: postgres-data
                  mountPath: "/etc/postgres"
    ---
    apiVersion: v1
    kind: PersistentVolumeClaim
    metadata:
      name: clairv4-postgres
      labels:
        quay-component: clairv4-postgres
    spec:
      accessModes:
        - "ReadWriteOnce"
      resources:
        requests:
          storage: "10Gi"
      volumeName: "clairv4-postgres"

Run the command to create the objects from clairv4-postgres.yaml.

    $ oc create -f clairv4-postgres.yaml

The connection strings in config.yaml below use the host name clairv4-postgres, so a Service with that name on port 5432 has to exist in the project; it is listed in the oc get all output further down.

Create the config.yaml file with the following content:

    introspection_addr: :8089
    http_listen_addr: :8080
    log_level: debug
    indexer:
      connstring: host=clairv4-postgres port=5432 dbname=clair user=postgres password=postgres sslmode=disable
      scanlock_retry: 10
      layer_scan_concurrency: 5
      migrations: true
    matcher:
      connstring: host=clairv4-postgres port=5432 dbname…
      … ""
      migrations: true
      indexer_addr: clair-indexer
    notifier:
      connstring: host=clairv4-postgres port=5432 dbname=clair user=postgres password=postgres sslmode=disable
      delivery: 1m
      poll_interval: 5m
      migrations: true

These connection strings embed the PostgreSQL password and set sslmode=disable, so the traffic between Clair and the database is unencrypted; this is lab-grade configuration.

Run the command to create a secret from the config.yaml file.

    $ oc create secret generic clairv4-config-secret --from-file=./config.yaml

Create the clair-combo.yaml file with the following content:

    ---
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      labels:
        quay-component: clair-combo
      name: clair-combo
    spec:
      replicas: 1
      selector:
        matchLabels:
          quay-component: clair-combo
      template:
        metadata:
          labels:
            quay-component: clair-combo
        spec:
          containers:
            - image: quay.io/projectquay/clair:4.1.0
              imagePullPolicy: IfNotPresent
              name: clair-combo
              env:
                - name: CLAIR_CONF
                  value: /clair/config.yaml
                - name: CLAIR_MODE
                  value: combo
              ports:
                - containerPort: 8080
                  name: clair-http
                  protocol: TCP
                - containerPort: 8089
                  name: clair-intro
                  protocol: TCP
              volumeMounts:
                - mountPath: /clair/
                  name: config
          imagePullSecrets:
            - name: redhat-pull-secret
          restartPolicy: Always
          volumes:
            - name: config
              secret:
                secretName: clairv4-config-secret
    ---
    apiVersion: v1
    kind: Service
    metadata:
      name: clairv4
      labels:
        quay-component: clair-combo
    spec:
      ports:
        - name: clair-http
          port: 80
          protocol: TCP
          targetPort: 8080
        - name: clair-introspection
          port: 8089
          protocol: TCP
          targetPort: 8089
      selector:
        quay-component: clair-combo
      type: ClusterIP

Run the commands to create the objects from clair-combo.yaml and expose the service.

    $ oc apply -f clair-combo.yaml
    $ oc expose svc/clairv4

Check the deployed resources.

    $ oc get all
    NAME                                   READY   STATUS    RESTARTS   AGE
    pod/clair-combo-6754dcfd75-wwbt9       1/1     Running   0          34s
    pod/clairv4-postgres-b9f679dc6-fhmcs   1/1     Running   0          2m51s

    NAME                       TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)           AGE
    service/clairv4            ClusterIP   10.217.4.159   <none>        80/TCP,8089/TCP   34s
    service/clairv4-postgres   ClusterIP   10.217.5.64    <none>        5432/TCP          119s

    NAME                               READY   UP-TO-DATE   AVAILABLE   AGE
    deployment.apps/clair-combo        1/1     1            1           34s
    deployment.apps/clairv4-postgres   1/1     1            1           2m51s

    NAME                                         DESIRED   CURRENT   READY   AGE
    replicaset.apps/clair-combo-6754dcfd75       1         1         1       34s
    replicaset.apps/clairv4-postgres-b9f679dc6   1         1         1       2m51s

    NAME                               HOST/PORT                                                                 PATH   SERVICES   PORT         TERMINATION   WILDCARD
    route.route.openshift.io/clairv4   clairv4-quay-enterprise.crc-dzk9v-master-0.crc.fa7bdknrdb3y.instruqt.io          clairv4    clair-http                 None

Installing the Clair client

Download the Clair client from https://github.com/quay/clair/releases.

    $ curl -L https://github.com/quay/clair/releases/download/v4.3.5/clairctl-linux-amd64 -o ~/clairctl
    $ chmod +x ~/clairctl
    $ PATH=$PATH:~/

Scanning container images with Clair

    $ CLAIR_HOST=http://$(oc get route clairv4 -o jsonpath='{.spec.host}')
    $ clairctl report -host ${CLAIR_HOST} redhat/ubi8
    $ clairctl report -host ${CLAIR_HOST} redhat/ubi8:8.4-206

References

https://quay.github.io/clair/whatis.html
https://github.com/rhthsa/openshift-demo/blob/main/clair4-on-ocp.md
