Use the Security scan integrated service to automatically check the images used in your pods before they are deployed. That way you can prevent deploying pods that contain known security vulnerabilities, based on the Common Vulnerabilities and Exposures (CVE) database. Read a more detailed overview.

Limitations 🔗︎

  • By default, the security scan integrated service uses a public installation of the Anchore engine, and updates its CVE database every 4 hours. If you want to have more frequent database updates, you have to use your own local or external Anchore installation.
  • Pods that are already running when the Security scan integrated service is activated are not scanned. You can manually start a scan for a specific image, but there is no automatic notification of its result. If you want to receive notifications, you have to use your own Anchore installation. Contact us for details.
  • To scan private image registries, you have to use your own Anchore installation. Contact us for details.
  • To avoid halting the cluster in case of a problem, the kubesystem and pipeline-system namespaces are not scanned.
  • The Anchore engine (or the Ingress that terminates incoming connections for the Anchore engine) must have a valid TLS certificate, otherwise the image scans will fail.

Activate the Security scan integrated service 🔗︎

Open a shell and run the following command:

% banzai cluster service securityscan activate

Complete the interactive wizard, or specify the options in a file or on standard input:

% banzai cluster service securityscan activate <<EOF
{
  "policy": {
    "policyId": "97b33e2c-3b57-4a3f-a12b-a8c0daa472a0"
  }
}
EOF

You can use a full JSON specification for more options like a custom registry or the anchore-image-validator parameters:

% banzai cluster service securityscan activate <<EOF
{
    "policy": {
        "policyId": "allow_all_and_warn"
    },
    "webhookConfig": {
        "enabled": true,
        "selector": "include",
        "namespaces": [
            "*"
        ]
    },
    "registry": {
        "registry": "docker.pkg.github.com",
        "secretId": "7a819d477093fa918d5e160d889745e5b00a381497f689d8183be75f53c4f76c",
        "insecure": false
    }
}
EOF

The "secretId" attribute has to reference a password type Secret already registered for the organization which holds the username and password for the given registry.

Deactivate the Security scan integrated service 🔗︎

Open a shell and run the following command:

% banzai cluster service securityscan deactivate

Whitelist images 🔗︎

If you want to use a strict policy, and whitelist selected images (for example, use the BlockRoot policy, but permit the admission of an image even though it uses root privileges), you must create a custom resource and submit it to Kubernetes. For details, see Whitelist images.