MCPcopy Index your code
hub / github.com/banzaicloud/anchore-image-validator

github.com/banzaicloud/anchore-image-validator @0.5.6

Chat with this repo
repository ↗ · DeepWiki ↗ · release 0.5.6 ↗ · + Follow
47 symbols 129 edges 14 files 28 documented · 60% updated 3y ago0.5.6 · 2022-03-01★ 441 open issues

Browse by type

Functions 31 Types & classes 16
What it actually does AI analysis from the code graph — generated when you open this
loading…
README

Go Report Card license Docker Automated build

Anchore Image Validator

Anchore Image Validator lets you automatically detect or block security issues just before a Kubernetes pod starts.

This repository contains an admission webhook server that can be configured as a ValidatingWebhook in a k8s cluster. Kubernetes will send requests to the admission server when a Pod creation is initiated. The server checks the image defined in the pod specification using the configured Anchore-engine API. If the result indicates that the image does not comply with the defined policy, k8s will reject the Pod creation request.

  • If an image is not valid, the release can be added to a whitelist resource (CRD) to bypass the blocking.
  • The results of image checks are stored as an audit resource (CRD) in a sructured format.

Installing

Helm install

Install from banzaicloud-stable repository

Add repository

$ helm repo add banzaicloud-stable https://kubernetes-charts.banzaicloud.com/
$ helm repo update

Install chart

$ helm install --set externalAnchore.anchoreHost=<my.anchore.host>  --set externalAnchore.anchoreUser=<username> --set externalAnchore.anchorePass=<password> banzaicloud-stable/anchore-policy-validator

Manual install

For manual install you need to define the following environment variables

ENV Descripton
ANCHORE_ENGINE_USERNAME Anchore-engine username
ANCHORE_ENGINE_PASSWORD Anchore-engine password
ANCHORE_ENGINE_URL Anchore-engine URL

Accessing banzaicloud security features via Kubernetes api:

$ curl http://<k8s apiserver>/apis/security.banzaicloud.com/v1alpha1
{
  "kind": "APIResourceList",
  "apiVersion": "v1",
  "groupVersion": "security.banzaicloud.com/v1alpha1",
  "resources": [
    {
      "name": "whitelistitems",
      "singularName": "whitelistitem",
      "namespaced": false,
      "kind": "WhiteListItem",
      "verbs": [ ... ],
      "shortNames": [
        "wl"
      ]
    },
    {
      "name": "audits",
      "singularName": "audit",
      "namespaced": false,
      "kind": "Audit",
      "verbs": [ ... ]
    }
  ]
}

Resources accessible via kubectl command:

$ kubectl get whitelist
$ kubectl get audit

Example whitelist:

apiVersion: security.banzaicloud.com/v1alpha1
kind:  WhiteListItem
metadata:
  name: <name of helm release>
spec:
  reason: <whitelisting reason>
  creator: <creator>
  [regexp:] <optional>

Example audit:

apiVersion: security.banzaicloud.com/v1alpha1
kind:  Audit
metadata:
  name: <name of audit (generated from Pod OwnerReference)>
  ownerReferences:
  - <scanned Pod OwnerReference>
spec:
  releaseName: <helm release name>
  resource: pod
  image:
    - imageName": "docker.io/image-name1",
      imageTag": "latest",
      imageDigest": "sha256:abcd1",
      lastUpdated": "2018-11-11T14:35:38Z"
    - imageName": "docker.io/image-name2",
      imageTag": "latest",
      imageDigest": "sha256:abcd2",
      lastUpdated": "2018-11-11T14:35:38Z"
  result:
    - <docker.io/image-name1 scan result>
    - <docker.io/image-name1 scan result>
  action: <allow or reject>
status:
  [state:] <optional>

Core symbols most depended-on inside this repo

Shape

Function 24
Struct 16
Method 7

Languages

Go100%

Modules by API surface

pkg/apis/security/v1alpha1/types.go8 symbols
pkg/anchore/client.go7 symbols
pkg/apis/security/v1alpha1/deepcopy.go6 symbols
internal/app/handler.go6 symbols
internal/app/app.go5 symbols
pkg/anchore/types.go3 symbols
cmd/main.go3 symbols
internal/log/logger.go2 symbols
internal/app/validate.go2 symbols
cmd/config.go2 symbols
pkg/apis/security/v1alpha1/register.go1 symbols
internal/log/config.go1 symbols

For agents

$ claude mcp add anchore-image-validator \
  -- python -m otcore.mcp_server <graph>

⬇ download graph artifact

Ask about this repo answers extend the page