How to integrate Kubernetes with Anchore Engine

By integrating Anchore and Kubernetes you can ensure that only trusted and secure images are deployed and run in your Kubernetes environment.

Overview

Anchore provides the ability to inspect, query, and apply policies to container images prior to deployment in your private container registry, ensuring that only images that meet your organization’s policies are deployed in your Kubernetes environment.

Anchore can be integrated with Kubernetes using admission controllers to ensure that images are validated before being launched. This ensures that images that fall out of compliance, for example because newly discovered security vulnerabilities affect them, can be blocked from running within your environment. Anchore can be deployed standalone or as a service running within your Kubernetes environment.

Getting Started with Integration

How to Integrate Anchore and Kubernetes

We have recently packaged the Anchore Engine as a Helm Chart to simplify deployment on Kubernetes. Now Anchore can be installed in a highly scalable environment with a single command.

Within 3 minutes you can have an Anchore Engine installed and running in your Kubernetes environment. The following guide requires:

  • A running Kubernetes Cluster
  • kubectl configured to access your Kubernetes cluster
  • Helm binary installed and available in your path

Tiller, the server-side component of Helm, should be installed in your Kubernetes cluster. To install Tiller, run the following command:

$ helm init
$HELM_HOME has been configured at /home/username/.helm
Tiller (the Helm server-side component) has been installed into your Kubernetes Cluster.
⎈ Happy Helming! ⎈

If Tiller has already been installed you will receive a warning message that can safely be ignored.

Next we need to ensure that we have an up-to-date list of Helm Charts.

$ helm repo update
Hang tight while we grab the latest from your chart repositories...
...Skip local chart repository
...Successfully got an update from the "stable" chart repository
Update Complete. ⎈ Happy Helming!⎈

By default, the Anchore Engine chart will deploy an Anchore Engine container along with a PostgreSQL database container; however, this behavior can be overridden if you have an existing PostgreSQL service available.

In addition to the database, the chart creates two deployments:

  • Core Services: The core services deployment includes the external API, notification service, Kubernetes webhook, catalog and queuing service.
  • Worker: The worker service runs the image analysis and can be scaled up to handle concurrent evaluation of images.

In this example we will deploy the database, core services and a single worker. Please refer to the documentation for more sophisticated deployments including scaling worker nodes.

The installation can be completed with a single command:

$ helm install --name anchore-demo stable/anchore-engine
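The steps above, wrapped as an added example script (not from the original post or the Anchore project) with the checks a practitioner would want: prerequisites present, a tolerated Tiller-already-installed warning, an optional values file for overrides such as an external PostgreSQL, and a wait for both deployments to roll out. The label selector release=<name> and the 300s timeout are assumptions, not taken from the chart documentation.

```shell
#!/bin/sh
# Added example: drives the documented Helm install with sanity checks.
# Assumptions: the chart labels its deployments with release=<release name>.
set -u

# Fail early if the three prerequisites listed above are not met.
check_prereqs() {
  for tool in kubectl helm; do
    command -v "$tool" >/dev/null 2>&1 || { echo "missing: $tool" >&2; return 1; }
  done
  kubectl cluster-info >/dev/null 2>&1 \
    || { echo "kubectl cannot reach a cluster" >&2; return 1; }
}

# helm init warns when Tiller already exists; report a non-zero exit but go on.
init_tiller() {
  helm init || echo "helm init returned non-zero; Tiller was probably already installed" >&2
  return 0
}

# Install the chart, optionally with a values file (-f) to override defaults
# such as the bundled PostgreSQL or the worker count (keys: see chart docs).
install_chart() {
  chart_release=$1; values_file=${2:-}
  if [ -n "$values_file" ]; then
    helm install --name "$chart_release" -f "$values_file" stable/anchore-engine
  else
    helm install --name "$chart_release" stable/anchore-engine
  fi
}

# Wait until every deployment of the release (core services + worker) is rolled out.
wait_for_release() {
  wait_release=$1
  for dep in $(kubectl get deployments -l "release=$wait_release" -o name); do
    kubectl rollout status "$dep" --timeout=300s || return 1
  done
}

# Run the whole sequence: prereqs, Tiller, repo update, install, rollout wait.
install_anchore() {
  anchore_release=${1:-anchore-demo}
  check_prereqs && init_tiller && helm repo update \
    && install_chart "$anchore_release" "${2:-}" && wait_for_release "$anchore_release"
}

# Usage: . ./anchore-helm.sh && install_anchore anchore-demo [values.yaml]
```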

Read the Documentation

Read the documentation on Anchore integration with Jenkins and get started with the integration.

Jenkins + Anchore

Anchore has been designed to plug seamlessly into your container-based CI/CD pipeline to add analytics, compliance and governance to your workflow.

Overview

Using Anchore’s freely available and open source Jenkins plugin you can secure your Jenkins CI/CD pipeline in less than 30 minutes.

By adding image scanning with Anchore, not just CVE-based security scans but policy-based scans that can include checks around security, compliance and operational best practices, you can ensure that only trusted, vetted container images make it into production.

Getting Started with the Integration

How to integrate Anchore and Jenkins

Anchore has published a plugin for Jenkins which, along with Anchore’s open source engine or Enterprise offering, allows container analysis and governance to be added quickly into the CI/CD process.

The following guide will allow you to add image scanning and analysis into your CI/CD process in less time than it has already taken to read this blog post!

Requirements

This guide presumes the following prerequisites have been met:

– Jenkins 2.x running on a virtual machine or physical server
– Each Jenkins node should have Docker 1.10 or higher installed.
– Anchore’s Jenkins plugin can work with single node installations or installations with multiple worker nodes.

Notes

– Docker should be configured to allow the Jenkins user to run Docker commands either directly or through the use of sudo.
– For most platforms you can simply add the Jenkins user to the docker group in /etc/group.
– For Red Hat based systems using Red Hat’s Docker distribution rather than Docker Inc.’s, the use of sudo is typically required.
– To use sudo, ensure that the Jenkins user is part of the wheel group in /etc/group and that requiretty is not set in /etc/sudoers.
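An added example (not from the original post) that checks a Jenkins node against the notes above: it reports whether the Jenkins user reaches Docker via the docker group, via sudo through the wheel group, or not at all, and flags a sudo setup where requiretty would break non-interactive build steps. The user name jenkins and the paths /etc/sudoers and /etc/group are the conventional defaults and are assumed here.

```shell
#!/bin/sh
# Added example: verify the Docker access notes for the Jenkins user.
# Assumptions: user "jenkins", sudoers at /etc/sudoers, groups via id -nG.

# Classify Docker access from constructed inputs so it can be tested offline:
#   $1 = space-separated group list (as printed by `id -nG <user>`)
#   $2 = path to a sudoers file to inspect
# Prints one of: group, sudo, sudo-requiretty, none. Exit 0 only when usable.
classify_docker_access() {
  groups_list=$1; sudoers_file=$2
  case " $groups_list " in
    *" docker "*) echo group; return 0 ;;
  esac
  case " $groups_list " in
    *" wheel "*)
      # Conservative check: a Defaults line enabling requiretty (not !requiretty)
      # means sudo docker will fail from a Jenkins build step with no TTY.
      if grep -Eq '^[[:space:]]*Defaults([[:space:]]|:)[^#]*[^!]requiretty' "$sudoers_file" 2>/dev/null; then
        echo sudo-requiretty; return 1
      fi
      echo sudo; return 0 ;;
  esac
  echo none; return 1
}

# Live check against this node: resolve the user's real groups and system sudoers.
check_jenkins_docker_access() {
  jenkins_user=${1:-jenkins}
  user_groups=$(id -nG "$jenkins_user" 2>/dev/null) \
    || { echo "no such user: $jenkins_user" >&2; return 1; }
  classify_docker_access "$user_groups" /etc/sudoers
}

# Usage: . ./check-jenkins-docker.sh && check_jenkins_docker_access jenkins
```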

Read the Documentation

Read the documentation on Anchore integration with Jenkins and get started with the integration.