Scanning pods for vulnerabilities

    • Watches containers associated with pods on all or specified namespaces

    • Queries the container registry where the containers came from for vulnerability information, provided an image’s registry is running image scanning (such as Quay.io or a registry with Clair scanning)

    • Exposes vulnerabilities via the object in the Kubernetes API

    Using the instructions here, the CSO is installed in the openshift-operators namespace, so it is available to all namespaces on your OKD cluster.

    You can start the Container Security Operator from the OKD web console by selecting and installing that Operator from the Operator Hub, as described here.

    Prerequisites

    • Have administrator privileges to the OKD cluster

    Procedure

    1. Navigate to OperatorsOperatorHub and select Security.

    3. Check the settings. All namespaces and automatic approval strategy are selected, by default.

    4. Select Install. The Container Security Operator appears after a few moments on the Installed Operators screen.

    5. Optional: You can add custom certificates to the CSO. In this example, create a certificate named in the current directory. Then run the following command to add the cert to the CSO:

    6. If you added a custom certificate, restart the Operator pod for the new certs to take effect.

    7. You can do one of two things at this point to follow up on any detected vulnerabilities:

      • Select the link to the vulnerability. You are taken to the container registry that the container came from, where you can see information about the vulnerability. The following figure shows an example of detected vulnerabilities from a Quay.io registry:

      • Select the namespaces link to go to the ImageManifestVuln screen, where you can see the name of the selected image and all namespaces where that image is running. The following figure indicates that a particular vulnerable image is running in the quay-enterprise namespace:

    At this point, you know what images are vulnerable, what you need to do to fix those vulnerabilities, and every namespace that the image was run in. So you can:

    • Alert anyone running the image that they need to correct the vulnerability

    • Stop the images from running by deleting the deployment or other object that started the pod that the image is in

    Note that if you do delete the pod, it may take several minutes for the vulnerability to reset on the dashboard.

    Querying image vulnerabilities from the CLI

    Using the command, you can display information about vulnerabilities detected by the Container Security Operator.

    Prerequisites

    • Be running the Container Security Operator on your OKD instance

    Procedure

    • To display details for a particular vulnerability, provide the vulnerability name and its namespace to the oc describe command. This example shows an active container whose image includes an RPM package with a vulnerability: