Anchore + Kubernetes
By integrating Anchore and Kubernetes you can ensure that only trusted and secure images are deployed and run in your Kubernetes environment.
Anchore provides the ability to inspect, query, and apply policies to the container images in your private container registry prior to deployment, ensuring that only images that meet your organization’s policies are deployed in your Kubernetes environment.
Anchore can be integrated with Kubernetes using admission controllers to ensure that images are validated before being launched. This means that images that fall out of compliance, for example because newly discovered security vulnerabilities affect them, can be blocked from running within your environment. Anchore can be deployed standalone or as a service running within your Kubernetes environment.
1. Install Anchore with Helm
We have recently packaged the Anchore Engine as a Helm Chart to simplify deployment on Kubernetes. Now Anchore can be installed in a highly scalable environment with a single command.
Within 3 minutes you can have an Anchore Engine installed and running in your Kubernetes environment. The following guide requires:
- A running Kubernetes Cluster
- kubectl configured to access your Kubernetes cluster
- Helm binary installed and available in your path
Tiller, the server-side component of Helm, must be installed in your Kubernetes cluster. To install Tiller, run the following command:
$ helm init
$HELM_HOME has been configured at /home/username/.helm
Tiller (the Helm server-side component) has been installed into your Kubernetes Cluster.
⎈ Happy Helming! ⎈
If Tiller has already been installed you will receive a warning message that can safely be ignored.
Next we need to ensure that we have an up-to-date list of Helm Charts.
$ helm repo update
Hang tight while we grab the latest from your chart repositories...
...Skip local chart repository
...Successfully got an update from the "stable" chart repository
Update Complete. ⎈ Happy Helming!⎈
By default, the Anchore Engine chart deploys an Anchore Engine container along with a PostgreSQL database container; this behavior can be overridden if you have an existing PostgreSQL service available.
In addition to the database, the chart creates two deployments:
- Core Services: The core services deployment includes the external API, notification service, Kubernetes webhook, catalog and queuing service.
- Worker: The worker service runs the image analysis and can be scaled up to handle concurrent evaluation of images.
In this example we will deploy the database, core services and a single worker. Please refer to the documentation for more sophisticated deployments including scaling worker nodes.
The installation can be completed with a single command:
$ helm install --name anchore-demo stable/anchore-engine
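As an added example (not part of the original post or the Anchore project), the script below wraps the three steps above and then polls until every deployment created for the release reports an available replica, so a CI job knows when Anchore Engine is ready to receive images. It assumes the chart prefixes its deployment names with the release name; the deployment names used in the test data are constructed.

```shell
#!/bin/sh
# Added example, not from the original post or the Anchore project: install the
# stable/anchore-engine chart and wait until every deployment created for the
# release (core services, worker, bundled PostgreSQL) has an available replica.
# Assumption: the chart prefixes its deployment names with the release name.
set -eu

# Reads "kubectl get deployments -o custom-columns=NAME:...,AVAILABLE:..." on
# stdin. Succeeds only if at least one deployment belongs to the release and all
# of them show AVAILABLE >= 1 ("<none>" means the status field is not set yet).
release_deployments_available() {
  release="$1"; found=0
  while read -r name avail _rest; do
    case "$name" in
      NAME|'') continue ;;          # header or blank line
      "$release"-*) ;;              # belongs to this release
      *) continue ;;                # unrelated deployment
    esac
    found=1
    case "$avail" in
      ''|'<none>'|0) return 1 ;;    # no available replica yet
    esac
  done
  [ "$found" -eq 1 ]
}

install_and_wait() {
  release="$1"; timeout="${2:-300}"; elapsed=0
  helm init                         # only warns if Tiller is already installed
  helm repo update
  helm install --name "$release" stable/anchore-engine
  while ! kubectl get deployments \
      -o custom-columns=NAME:.metadata.name,AVAILABLE:.status.availableReplicas \
      | release_deployments_available "$release"; do
    if [ "$elapsed" -ge "$timeout" ]; then
      echo "timed out after ${timeout}s waiting for release $release" >&2
      return 1
    fi
    sleep 10; elapsed=$((elapsed + 10))
  done
  echo "release $release: all deployments available"
}

# Touches the cluster only when invoked explicitly: sh install.sh --run [release]
if [ "${1:-}" = "--run" ]; then
  install_and_wait "${2:-anchore-demo}"
fi
```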