The only currently supported backend for vulnerability data is the Google Cloud Container Analysis API. You will need access to it, along with:
- Google Cloud account with billing enabled
- Google Cloud SDK (gcloud)
- Kubernetes 1.9.2+
- GnuPG
Follow the prompts at Google Cloud Console: New Project.
For convenience, save the project ID as an environment variable:

```shell
PROJECT=<project ID assigned to you>
```

Configure gcloud to use the correct project:

```shell
gcloud config set project $PROJECT
```

If you do not know your project ID, you may use:

```shell
gcloud projects list
```

Enable the necessary APIs.

Enable the Container Analysis API:

```shell
gcloud services enable containeranalysis.googleapis.com
```

Enable the Kubernetes API:

```shell
gcloud services enable container.googleapis.com
```

Enable the Container Registry API:

```shell
gcloud services enable containerregistry.googleapis.com
```

Wait for the above APIs to be fully enabled, then ensure vulnerability scanning is enabled.
For more documentation, see Container Analysis Overview.
kritis requires a cluster running Kubernetes v1.9.2 or newer. You may create one named kritis-test by executing:

```shell
gcloud components update
gcloud config set compute/zone us-central1-a
gcloud container clusters create kritis-test --num-nodes=2
```

After creating your cluster, you need to get authentication credentials to interact with the cluster. This command will also configure kubectl for your newly created cluster:

```shell
gcloud container clusters get-credentials kritis-test
```
For more documentation, see Kubernetes Engine: Creating a Cluster.
This creates a service account named kritis-ca-admin:

```shell
gcloud iam service-accounts create kritis-ca-admin \
  --display-name "Kritis Service Account"
```

The account must then be bound to the appropriate roles:

```shell
gcloud projects add-iam-policy-binding $PROJECT \
  --member=serviceAccount:kritis-ca-admin@${PROJECT}.iam.gserviceaccount.com \
  --role=roles/containeranalysis.notes.viewer
gcloud projects add-iam-policy-binding $PROJECT \
  --member=serviceAccount:kritis-ca-admin@${PROJECT}.iam.gserviceaccount.com \
  --role=roles/containeranalysis.notes.editor
gcloud projects add-iam-policy-binding $PROJECT \
  --member=serviceAccount:kritis-ca-admin@${PROJECT}.iam.gserviceaccount.com \
  --role=roles/containeranalysis.occurrences.viewer
gcloud projects add-iam-policy-binding $PROJECT \
  --member=serviceAccount:kritis-ca-admin@${PROJECT}.iam.gserviceaccount.com \
  --role=roles/containeranalysis.occurrences.editor
```

Download the service key from Google Cloud:

```shell
gcloud iam service-accounts keys create gac.json \
  --iam-account kritis-ca-admin@${PROJECT}.iam.gserviceaccount.com
```

Then upload the service key to your Kubernetes cluster:

```shell
kubectl create secret generic gac-ca-admin --from-file=gac.json
```
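The key you just uploaded is the credential the webhook will run with, so it is worth confirming that the account carries exactly the four Container Analysis roles above and nothing broader before the secret goes into the cluster. The following check is an added example, not part of the kritis documentation: it reads the roles bound to the service account (one per line, as the gcloud query in the comment prints them; the `--flatten`/`--filter`/`--format` flags are gcloud's standard policy-listing options) and reports any missing or extra role. The sample role list at the bottom is constructed to show both failure kinds.

```shell
#!/bin/sh
# Added example (not from the kritis docs): verify that kritis-ca-admin holds
# exactly the four Container Analysis roles the install needs.
#
# Live usage (assumes the standard gcloud policy-listing flags):
#   gcloud projects get-iam-policy "$PROJECT" \
#     --flatten="bindings[].members" \
#     --filter="bindings.members:serviceAccount:kritis-ca-admin@${PROJECT}.iam.gserviceaccount.com" \
#     --format="value(bindings.role)" | check_kritis_sa_roles

REQUIRED_ROLES="roles/containeranalysis.notes.viewer
roles/containeranalysis.notes.editor
roles/containeranalysis.occurrences.viewer
roles/containeranalysis.occurrences.editor"

# Reads one role per line on stdin. Prints MISSING:<role> for every required
# role that is not bound and EXTRA:<role> for any binding beyond the four
# (an over-granted key is the usual least-privilege slip here). Exits 0 only
# when the bound set matches the required set exactly.
check_kritis_sa_roles() {
    bound=$(cat)
    rc=0
    for r in $REQUIRED_ROLES; do
        if ! printf '%s\n' "$bound" | grep -qx "$r"; then
            echo "MISSING:$r"
            rc=1
        fi
    done
    for b in $bound; do
        if ! printf '%s\n' "$REQUIRED_ROLES" | grep -qx "$b"; then
            echo "EXTRA:$b"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: what the query would print if the occurrences.editor
# binding had been forgotten and the account had been given roles/owner.
SAMPLE_BINDINGS="roles/containeranalysis.notes.viewer
roles/containeranalysis.notes.editor
roles/containeranalysis.occurrences.viewer
roles/owner"

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_BINDINGS" | check_kritis_sa_roles \
    || echo "kritis-ca-admin bindings need attention before creating the secret"
```

Run it after the four add-iam-policy-binding commands and again whenever the project's IAM policy is changed; a non-zero exit is the signal to fix bindings before (or instead of) rotating the key into the cluster.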
Install helm, and execute the following to create an account for helm in your cluster:

```shell
kubectl create serviceaccount --namespace kube-system tiller
kubectl create clusterrolebinding tiller-cluster-role \
  --clusterrole=cluster-admin \
  --serviceaccount=kube-system:tiller
```

Then deploy helm:

```shell
helm init --wait --service-account tiller
```
Install the resolve-tags kubectl plugin and binary.

On macOS (darwin-amd64):

```shell
curl -LO https://storage.googleapis.com/resolve-tags/latest/resolve-tags-darwin-amd64.tar.gz && \
RESOLVE_TAGS_DIR=$HOME/.kube/plugins/resolve && \
mkdir -p $RESOLVE_TAGS_DIR && tar -C $RESOLVE_TAGS_DIR -xzf resolve-tags-darwin-amd64.tar.gz && \
mv $RESOLVE_TAGS_DIR/resolve-tags-darwin-amd64 $RESOLVE_TAGS_DIR/resolve-tags && \
sudo cp $RESOLVE_TAGS_DIR/resolve-tags /usr/local/bin/
```

On Linux (linux-amd64):

```shell
curl -LO https://storage.googleapis.com/resolve-tags/latest/resolve-tags-linux-amd64.tar.gz && \
RESOLVE_TAGS_DIR=$HOME/.kube/plugins/resolve && \
mkdir -p $RESOLVE_TAGS_DIR && tar -C $RESOLVE_TAGS_DIR -xzf resolve-tags-linux-amd64.tar.gz && \
mv $RESOLVE_TAGS_DIR/resolve-tags-linux-amd64 $RESOLVE_TAGS_DIR/resolve-tags && \
sudo cp $RESOLVE_TAGS_DIR/resolve-tags /usr/local/bin/
```

For more information, please see the resolve-tags documentation.
Install kritis to your cluster:

```shell
helm install https://storage.googleapis.com/kritis-charts/repository/kritis-charts-0.1.0.tgz
```

You may use the --set flag to override the installation defaults:

| Value | Default | Description |
|---|---|---|
| serviceNamespace | default | namespace to install kritis within |
| gacSecret.name | gac-ca-admin | name of the secret created above with container analysis permissions |
The kritis installation will create 3 pods:

- kritis-preinstall creates a CertificateSigningRequest and TLS Secret for the webhook
- kritis-postinstall creates the ValidatingWebhookConfiguration
- kritis-validation-hook-xxx serves the webhook

The deployment status may be viewed using:

```shell
kubectl get pods
```

Sample output:

```
NAME                                      READY     STATUS      RESTARTS   AGE
kritis-postinstall                        0/1       Completed   0          2m
kritis-preinstall                         0/1       Completed   0          2m
kritis-validation-hook-7c84c48f47-lsjpg   1/1       Running     0          2m
```

The installation is complete once:

- kritis-preinstall and kritis-postinstall have status Completed
- kritis-validation-hook-xxx is Running
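Until the hook pod is Running, the ValidatingWebhookConfiguration is in place but nothing answers it, so a deployment script should wait on this condition rather than on helm returning. As an added example (not from the kritis docs), here is the readiness rule above expressed as a shell function over `kubectl get pods` output. The two sample outputs are constructed; the first matches the table shown above, the second is a mid-install state with a failed postinstall job.

```shell
#!/bin/sh
# Added example (not from the kritis docs): decide from `kubectl get pods`
# output whether the installation has reached the state described above.
# Live usage:   kubectl get pods | kritis_install_ready

# Reads `kubectl get pods` output on stdin. Exits 0 only when
# kritis-preinstall and kritis-postinstall are Completed and a
# kritis-validation-hook-* pod is Running with all containers ready;
# otherwise prints each unmet condition and exits 1.
kritis_install_ready() {
    awk '
        function show(v) { return v == "" ? "missing" : v }
        NR == 1 { next }                                 # header line
        $1 == "kritis-preinstall"  { pre  = $3 }
        $1 == "kritis-postinstall" { post = $3 }
        $1 ~ /^kritis-validation-hook-/ { hook = $3; ready = $2 }
        END {
            ok = 1
            if (pre  != "Completed") { print "kritis-preinstall: " show(pre);  ok = 0 }
            if (post != "Completed") { print "kritis-postinstall: " show(post); ok = 0 }
            if (hook != "Running" || ready != "1/1") {
                print "kritis-validation-hook: " show(hook) " " show(ready); ok = 0
            }
            exit (ok ? 0 : 1)
        }'
}

# Constructed sample 1: the completed installation shown above.
SAMPLE_READY='NAME READY STATUS RESTARTS AGE
kritis-postinstall 0/1 Completed 0 2m
kritis-preinstall 0/1 Completed 0 2m
kritis-validation-hook-7c84c48f47-lsjpg 1/1 Running 0 2m'

# Constructed sample 2: postinstall failed, hook still starting.
SAMPLE_PENDING='NAME READY STATUS RESTARTS AGE
kritis-preinstall 0/1 Completed 0 30s
kritis-postinstall 0/1 Error 1 30s
kritis-validation-hook-7c84c48f47-lsjpg 0/1 ContainerCreating 0 30s'

# Stand-alone run over both samples.
printf '%s\n' "$SAMPLE_READY"   | kritis_install_ready && echo "kritis is installed"
printf '%s\n' "$SAMPLE_PENDING" | kritis_install_ready || echo "kritis is not ready yet"
```

In a pipeline, loop on `kubectl get pods | kritis_install_ready` with a sleep and a bounded retry count; when it keeps failing, the printed condition names the pod whose logs to read (see the troubleshooting notes at the end of this page).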
Once installed, follow our tutorial to learn how to test and manage Kritis.
Find the name of your helm release to delete:

```shell
helm ls
```

Example:

```
NAME           REVISION   UPDATED                    STATUS     CHART          NAMESPACE
loopy-numbat   1          Fri Jul 27 14:25:44 2018   DEPLOYED   kritis-0.1.0   default
```

Then delete the release by name:

```shell
helm delete <name>
```

The name in this case is loopy-numbat.

This command will also kick off the kritis-predelete pod, which deletes the CertificateSigningRequest, TLS Secret, and Webhooks created during installation. You may view the status using:

```shell
kubectl get pods kritis-predelete
```

And the logs using:

```shell
kubectl logs kritis-predelete
```

Most resources created by kritis will be deleted from your cluster once this Pod has reached Completed status.

To delete the remaining resources, run:

```shell
kubectl delete pods,serviceaccount,clusterrolebinding \
  --selector kritis.grafeas.io/install \
  --namespace <your namespace>
```

If you did not specifically select a namespace during installation, the default value is default.

NOTE: This will not delete the container analysis secret created above.
If you're unable to install or delete kritis, looking at logs for the following pods could provide more information:

- kritis-validation-hook-xxx
- kritis-preinstall (during installation)
- kritis-postinstall (during installation)
- kritis-predelete (during deletion)

You can view their status using:

```shell
kubectl get pods
```

If you're unable to delete kritis via helm delete <DEPLOYMENT NAME>, you can manually delete all kritis resources with the following commands:

```shell
kubectl delete all,validatingwebhookconfiguration,serviceaccount,secret,csr,crd \
  --selector kritis.grafeas.io/install \
  --namespace <your namespace>
```

You should then be able to delete the helm deployment with:

```shell
helm delete [deployment name] --no-hooks
```