Notes from trying out Starboard Operator.
Starboard comes in two forms, a CLI and an Operator; this memo covers the Operator.
Installation
The operator can be installed from raw manifests, with Helm, or through Operator Lifecycle Manager. Here it is installed with Helm. `--set=targetNamespaces=""` makes the operator watch every namespace rather than only `default`.

```sh
helm repo add aqua https://aquasecurity.github.io/helm-charts/
helm repo update
helm upgrade --install starboard-operator aqua/starboard-operator \
  -n starboard-operator --create-namespace \
  --set=targetNamespaces="" \
  --version 0.5.3
```
Give the operator read access to ECR, so that the Trivy scan jobs it launches can pull private images. On EKS this is done with IRSA via eksctl, attaching the managed read-only policy to the service account the Helm chart already created.

```sh
eksctl create iamserviceaccount \
  --name starboard-operator \
  --namespace starboard-operator \
  --cluster staging \
  --attach-policy-arn arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly \
  --approve \
  --override-existing-serviceaccounts
```
Trivy downloads its vulnerability database from GitHub, and anonymous downloads hit the API rate limit quickly. To avoid that, create a personal access token and store it in the `starboard` secret under `trivy.githubToken`. The token needs no scopes at all.

```sh
GITHUB_TOKEN=<your token>
kubectl patch secret starboard -n starboard-operator \
  --type merge \
  -p "$(cat <<EOF
{
  "data": {
    "trivy.githubToken": "$(echo -n "$GITHUB_TOKEN" | base64)"
  }
}
EOF
)"
```
Delete the operator Pod once so it is recreated. The IRSA credentials are injected when a Pod is admitted, so a Pod that was already running before the service account was annotated will not pick them up.

```sh
kubectl delete pod -n starboard-operator --all
```

Confirm the Pod comes back up.

```
$ kubectl get pod -n starboard-operator
NAME                                 READY   STATUS    RESTARTS   AGE
starboard-operator-7fff5747c4-zwp59   1/1     Running   0          55s
```
Scanning
Check the vulnerability scan results. One `VulnerabilityReport` is created per container of each workload. Note that every ReplicaSet still present in the cluster gets a report, including superseded revisions (for example argocd v1.8.2 alongside v2.0.1), so the worst counts below are not necessarily on running Pods.

```
$ kubectl get vulnerabilityreports -o wide -A
```

| NAMESPACE | NAME | REPOSITORY | TAG | SCANNER | AGE | CRITICAL | HIGH | MEDIUM | LOW | UNKNOWN |
|---|---|---|---|---|---|---|---|---|---|---|
| argocd | replicaset-argocd-dex-server-5dd657bd9-dex | dexidp/dex | v2.27.0 | Trivy | 80s | 0 | 9 | 8 | 3 | 0 |
| argocd | replicaset-argocd-dex-server-66ff89cb7b-dex | dexidp/dex | v2.27.0 | Trivy | 111s | 0 | 9 | 8 | 3 | 0 |
| argocd | replicaset-argocd-dex-server-fd74c7c8c-dex | dexidp/dex | v2.27.0 | Trivy | 110s | 0 | 9 | 8 | 3 | 0 |
| argocd | replicaset-argocd-redis-66b48966cb-redis | library/redis | 5.0.10-alpine | Trivy | 56s | 0 | 5 | 2 | 0 | 0 |
| argocd | replicaset-argocd-redis-759b6bc7f4-redis | library/redis | 6.2.1-alpine | Trivy | 112s | 0 | 0 | 0 | 0 | 0 |
| argocd | replicaset-argocd-repo-server-6c495f858f-argocd-repo-server | argoproj/argocd | v2.0.0 | Trivy | 28s | 0 | 6 | 43 | 110 | 0 |
| argocd | replicaset-argocd-repo-server-79d884f4f6-argocd-repo-server | argoproj/argocd | v1.8.2 | Trivy | 40s | 4 | 138 | 95 | 471 | 5 |
| argocd | replicaset-argocd-repo-server-84d58ff546-argocd-repo-server | argoproj/argocd | v2.0.1 | Trivy | 81s | 0 | 3 | 38 | 108 | 0 |
| argocd | replicaset-argocd-server-6dccb89f65-argocd-server | argoproj/argocd | v1.8.2 | Trivy | 35s | 4 | 138 | 95 | 471 | 5 |
| argocd | replicaset-argocd-server-7fd556c67c-argocd-server | argoproj/argocd | v2.0.1 | Trivy | 2m51s | 0 | 3 | 38 | 108 | 0 |
| argocd | replicaset-argocd-server-859b4b5578-argocd-server | argoproj/argocd | v2.0.0 | Trivy | 2m29s | 0 | 6 | 43 | 110 | 0 |
| argocd | statefulset-argocd-application-controller-argocd-application-controller | argoproj/argocd | v2.0.1 | Trivy | 2m53s | 0 | 3 | 38 | 108 | 0 |
| backend | replicaset-backend-678944684b-backend | backend | 75994d8 | Trivy | 75s | 2 | 22 | 11 | 74 | 0 |
| backend | replicaset-backend-7945cd669c-backend | backend | c65764f | Trivy | 3m23s | 2 | 22 | 11 | 74 | 0 |
| backend | replicaset-backend-7d8b8f99cc-backend | backend | 9ac248f | Trivy | 80s | 2 | 22 | 11 | 74 | 0 |
| backend | replicaset-backend-b68bc665c-backend | backend | 3d5f54d | Trivy | 2m28s | 0 | 7 | 4 | 2 | 0 |
| calico-system | daemonset-calico-node-calico-node | calico/node | v3.17.1 | Trivy | 3m23s | 0 | 0 | 0 | 0 | 0 |
| calico-system | replicaset-calico-kube-controllers-5d786d9bbc-calico-kube-controllers | calico/kube-controllers | v3.17.1 | Trivy | 110s | 0 | 0 | 0 | 0 | 0 |
| calico-system | replicaset-calico-typha-74fdb8b6f-calico-typha | calico/typha | v3.17.1 | Trivy | 3m22s | 0 | 0 | 0 | 0 | 0 |
| cert-manager | replicaset-cert-manager-649c5f88bc-cert-manager | jetstack/cert-manager-controller | v1.0.2 | Trivy | 2m26s | 0 | 0 | 0 | 0 | 0 |
| cert-manager | replicaset-cert-manager-68ff46b886-cert-manager | jetstack/cert-manager-controller | v1.1.1 | Trivy | 82s | 0 | 0 | 0 | 0 | 0 |
| cert-manager | replicaset-cert-manager-cainjector-7cdbb9c945-cert-manager | jetstack/cert-manager-cainjector | v1.1.1 | Trivy | 2m26s | 0 | 0 | 0 | 0 | 0 |
| cert-manager | replicaset-cert-manager-cainjector-9747d56-cert-manager | jetstack/cert-manager-cainjector | v1.0.2 | Trivy | 2m51s | 0 | 0 | 0 | 0 | 0 |
| cert-manager | replicaset-cert-manager-webhook-67584ff488-cert-manager | jetstack/cert-manager-webhook | v1.1.1 | Trivy | 3m22s | 0 | 0 | 0 | 0 | 0 |
| cert-manager | replicaset-cert-manager-webhook-849c7b574f-cert-manager | jetstack/cert-manager-webhook | v1.0.2 | Trivy | 82s | 0 | 0 | 0 | 0 | 0 |
| default | replicaset-nginx-6d4cf56db6-nginx | library/nginx | 1.16 | Trivy | 2m48s | 13 | 45 | 29 | 92 | 0 |
| default | replicaset-nginx-db749865c-nginx | library/nginx | 1.17 | Trivy | 2m52s | 13 | 43 | 27 | 92 | 0 |
| external-secrets | replicaset-external-secrets-56fbfc9687-kubernetes-external-secrets | external-secrets/kubernetes-external-secrets | 7.2.1 | Trivy | 2m47s | 0 | 0 | 0 | 0 | 0 |
| external-secrets | replicaset-external-secrets-658cc9b744-kubernetes-external-secrets | godaddy/kubernetes-external-secrets | 6.0.0 | Trivy | 3m18s | 0 | 12 | 9 | 2 | 0 |
| external-secrets | replicaset-external-secrets-69444c8577-kubernetes-external-secrets | external-secrets/kubernetes-external-secrets | 6.1.0 | Trivy | 2m47s | 0 | 10 | 9 | 2 | 0 |
| external-secrets | replicaset-external-secrets-7cfc59f6d7-kubernetes-external-secrets | external-secrets/kubernetes-external-secrets | 7.2.1 | Trivy | 2m51s | 0 | 0 | 0 | 0 | 0 |
| frontend | replicaset-frontend-57b979f9bb-frontend | frontend | bc03a29 | Trivy | 2m26s | 2 | 22 | 11 | 74 | 0 |
| frontend | replicaset-frontend-66bc7f9b57-frontend | frontend | 0845ad7 | Trivy | 110s | 0 | 7 | 4 | 2 | 0 |
| frontend | replicaset-frontend-66d48f89df-frontend | frontend | 9f0263c | Trivy | 3m21s | 2 | 22 | 11 | 74 | 0 |
| frontend | replicaset-frontend-675b6f8bfb-frontend | frontend | a12db35 | Trivy | 2m27s | 2 | 22 | 11 | 74 | 0 |
| frontend | replicaset-frontend-7cc57c4fb4-frontend | frontend | 48aa94e | Trivy | 76s | 2 | 22 | 11 | 74 | 0 |
| frontend | replicaset-frontend-844fb64db4-frontend | frontend | aa38612 | Trivy | 55s | 2 | 22 | 11 | 74 | 0 |
| frontend | replicaset-frontend-dc89db794-frontend | frontend | 0845ad7 | Trivy | 112s | 0 | 7 | 4 | 2 | 0 |
| frontend | replicaset-frontend-f487b9f88-frontend | frontend | 8b40ef7 | Trivy | 78s | 2 | 22 | 11 | 74 | 0 |
| gatekeeper-system | replicaset-gatekeeper-audit-54b5f86d57-manager | openpolicyagent/gatekeeper | v3.3.0 | Trivy | 110s | 0 | 0 | 0 | 0 | 0 |
| gatekeeper-system | replicaset-gatekeeper-controller-manager-5b96bd668-manager | openpolicyagent/gatekeeper | v3.3.0 | Trivy | 55s | 0 | 0 | 0 | 0 | 0 |
| kube-system | daemonset-aws-node-aws-node | amazon-k8s-cni | v1.7.10-eksbuild.1 | Trivy | 3m20s | 0 | 0 | 0 | 0 | 0 |
| kube-system | daemonset-kube-proxy-kube-proxy | eks/kube-proxy | v1.19.6-eksbuild.2 | Trivy | 3m20s | 2 | 22 | 12 | 75 | 0 |
| kube-system | replicaset-aws-load-balancer-controller-85ff4bfbc7-controller | amazon/aws-alb-ingress-controller | v2.1.0 | Trivy | 52s | 0 | 0 | 0 | 0 | 0 |
| kube-system | replicaset-aws-load-balancer-controller-dd979d56b-controller | amazon/aws-alb-ingress-controller | v2.1.3 | Trivy | 2m44s | 0 | 0 | 0 | 0 | 0 |
| kube-system | replicaset-coredns-59847d77c8-coredns | eks/coredns | v1.8.0-eksbuild.1 | Trivy | 2m30s | 0 | 0 | 0 | 0 | 0 |
| kube-system | replicaset-coredns-86f7d88d77-coredns | eks/coredns | v1.7.0-eksbuild.1 | Trivy | 111s | 0 | 0 | 0 | 0 | 0 |
| starboard-operator | replicaset-starboard-operator-7fff5747c4-starboard-operator | aquasec/starboard-operator | 0.10.3 | Trivy | 110s | 0 | 0 | 0 | 0 | 0 |
| tigera-operator | replicaset-tigera-operator-657cc89589-tigera-operator | tigera/operator | v1.13.2 | Trivy | 83s | 0 | 0 | 0 | 0 | 0 |
Check the configuration audit results. These come from Polaris, one `ConfigAuditReport` per workload; DANGER and WARNING are the Polaris severities of the checks that failed, PASS the number that succeeded.

```
$ kubectl get configauditreports -o wide -A
```

| NAMESPACE | NAME | SCANNER | AGE | DANGER | WARNING | PASS |
|---|---|---|---|---|---|---|
| argocd | replicaset-argocd-dex-server-5dd657bd9 | Polaris | 25m | 2 | 12 | 11 |
| argocd | replicaset-argocd-dex-server-66ff89cb7b | Polaris | 25m | 2 | 12 | 11 |
| argocd | replicaset-argocd-dex-server-fd74c7c8c | Polaris | 25m | 2 | 12 | 11 |
| argocd | replicaset-argocd-redis-66b48966cb | Polaris | 25m | 1 | 8 | 8 |
| argocd | replicaset-argocd-redis-759b6bc7f4 | Polaris | 25m | 1 | 8 | 8 |
| argocd | replicaset-argocd-repo-server-6c495f858f | Polaris | 25m | 0 | 7 | 10 |
| argocd | replicaset-argocd-repo-server-79d884f4f6 | Polaris | 25m | 1 | 7 | 9 |
| argocd | replicaset-argocd-repo-server-84d58ff546 | Polaris | 25m | 0 | 7 | 10 |
| argocd | replicaset-argocd-server-6dccb89f65 | Polaris | 22m | 1 | 7 | 9 |
| argocd | replicaset-argocd-server-7fd556c67c | Polaris | 25m | 0 | 7 | 10 |
| argocd | replicaset-argocd-server-859b4b5578 | Polaris | 23m | 0 | 7 | 10 |
| argocd | statefulset-argocd-application-controller | Polaris | 25m | 0 | 7 | 10 |
| backend | replicaset-backend-678944684b | Polaris | 24m | 1 | 9 | 7 |
| backend | replicaset-backend-7945cd669c | Polaris | 23m | 1 | 9 | 7 |
| backend | replicaset-backend-7d8b8f99cc | Polaris | 24m | 1 | 9 | 7 |
| backend | replicaset-backend-b68bc665c | Polaris | 22m | 1 | 9 | 7 |
| calico-system | daemonset-calico-node | Polaris | 25m | 4 | 11 | 10 |
| calico-system | replicaset-calico-kube-controllers-5d786d9bbc | Polaris | 23m | 1 | 8 | 8 |
| calico-system | replicaset-calico-typha-74fdb8b6f | Polaris | 24m | 1 | 9 | 7 |
| cert-manager | replicaset-cert-manager-649c5f88bc | Polaris | 23m | 1 | 1 | 7 |
| cert-manager | replicaset-cert-manager-68ff46b886 | Polaris | 22m | 1 | 1 | 7 |
| cert-manager | replicaset-cert-manager-cainjector-7cdbb9c945 | Polaris | 24m | 1 | 1 | 7 |
| cert-manager | replicaset-cert-manager-cainjector-9747d56 | Polaris | 24m | 1 | 1 | 7 |
| cert-manager | replicaset-cert-manager-webhook-67584ff488 | Polaris | 23m | 1 | 1 | 7 |
| cert-manager | replicaset-cert-manager-webhook-849c7b574f | Polaris | 22m | 1 | 1 | 7 |
| default | replicaset-nginx-6d4cf56db6 | Polaris | 23m | 1 | 9 | 7 |
| default | replicaset-nginx-db749865c | Polaris | 22m | 1 | 9 | 7 |
| external-secrets | replicaset-external-secrets-56fbfc9687 | Polaris | 25m | 1 | 8 | 8 |
| external-secrets | replicaset-external-secrets-658cc9b744 | Polaris | 22m | 1 | 8 | 8 |
| external-secrets | replicaset-external-secrets-69444c8577 | Polaris | 23m | 1 | 8 | 8 |
| external-secrets | replicaset-external-secrets-7cfc59f6d7 | Polaris | 24m | 1 | 8 | 8 |
| frontend | replicaset-frontend-57b979f9bb | Polaris | 22m | 1 | 9 | 7 |
| frontend | replicaset-frontend-66bc7f9b57 | Polaris | 24m | 1 | 9 | 7 |
| frontend | replicaset-frontend-66d48f89df | Polaris | 24m | 1 | 9 | 7 |
| frontend | replicaset-frontend-675b6f8bfb | Polaris | 24m | 1 | 9 | 7 |
| frontend | replicaset-frontend-7cc57c4fb4 | Polaris | 23m | 1 | 9 | 7 |
| frontend | replicaset-frontend-844fb64db4 | Polaris | 23m | 1 | 9 | 7 |
| frontend | replicaset-frontend-dc89db794 | Polaris | 22m | 1 | 9 | 7 |
| frontend | replicaset-frontend-f487b9f88 | Polaris | 24m | 1 | 9 | 7 |
| gatekeeper-system | replicaset-gatekeeper-audit-54b5f86d57 | Polaris | 25m | 0 | 1 | 16 |
| gatekeeper-system | replicaset-gatekeeper-controller-manager-5b96bd668 | Polaris | 23m | 0 | 1 | 16 |
| kube-system | daemonset-aws-node | Polaris | 25m | 4 | 11 | 10 |
| kube-system | daemonset-kube-proxy | Polaris | 24m | 1 | 1 | 3 |
| kube-system | replicaset-aws-load-balancer-controller-85ff4bfbc7 | Polaris | 23m | 0 | 2 | 15 |
| kube-system | replicaset-aws-load-balancer-controller-dd979d56b | Polaris | 23m | 0 | 2 | 15 |
| kube-system | replicaset-coredns-59847d77c8 | Polaris | 23m | 0 | 3 | 14 |
| kube-system | replicaset-coredns-86f7d88d77 | Polaris | 24m | 0 | 3 | 14 |
| starboard-operator | replicaset-starboard-operator-7fff5747c4 | Polaris | 20m | 0 | 5 | 12 |
| tigera-operator | replicaset-tigera-operator-657cc89589 | Polaris | 23m | 1 | 10 | 6 |
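The two listings above are only useful if something acts on them. Below is an added example, not Starboard's own code and not from the original memo, that turns the vulnerability and config audit reports into a per-workload pass/fail gate: a workload fails on any CRITICAL finding, on more HIGH findings than a budget, or on any failed Polaris check of severity `danger`, and a workload that has one kind of report but not the other is reported as unscanned rather than passed. It is written in Python rather than as a kubectl/jq one-liner so it can run on a saved JSON dump. Field names (`starboard.resource.*` labels, `report.summary`, `report.artifact`, `report.podChecks`, `report.containerChecks`) follow the `aquasecurity.github.io/v1alpha1` CRDs as this example's author recalls them; the `HIGH_BUDGET` knob and the `_vuln`/`_audit` helpers are the example's own. The sample items are constructed: the severity counts are copied from the tables on this page, but which Polaris check produced each `danger` is not shown on the page and is made up for the sample.

```python
"""Gate workloads on Starboard reports (added example, not Starboard's own code).

Reads `kubectl get vulnerabilityreports,configauditreports -A -o json` on stdin, or the
constructed sample below when stdin is a terminal. Field names follow the v1alpha1 CRDs as
this example's author recalls them; confirm with `kubectl explain vulnerabilityreports.report`.
"""
import json
import sys
from collections import defaultdict

HIGH_BUDGET = 20  # policy knob chosen for this example: HIGH findings tolerated per image
REQUIRED_KINDS = ("VulnerabilityReport", "ConfigAuditReport")


def owner_key(item):
    """Workload a report belongs to: (namespace, kind, name) from Starboard's labels."""
    labels = item["metadata"]["labels"]
    return (labels["starboard.resource.namespace"], labels["starboard.resource.kind"],
            labels["starboard.resource.name"])


def failed_checks(report, severity):
    """Yield (scope, checkID) for Polaris checks of `severity` that did not pass."""
    for c in report.get("podChecks", []):
        if c["severity"] == severity and not c["success"]:
            yield "pod", c["checkID"]
    for container, checks in report.get("containerChecks", {}).items():
        for c in checks:
            if c["severity"] == severity and not c["success"]:
                yield container, c["checkID"]


def evaluate(items, high_budget=HIGH_BUDGET):
    """Map each workload to its reasons for failing; an empty list means it passes."""
    reasons, seen = defaultdict(list), defaultdict(set)
    for item in items:
        key, kind, report = owner_key(item), item["kind"], item["report"]
        seen[key].add(kind)
        if kind == "VulnerabilityReport":
            s, a = report["summary"], report["artifact"]
            image = f"{a['repository']}:{a['tag']}"
            if s["criticalCount"] > 0:
                reasons[key].append(f"{image}: {s['criticalCount']} CRITICAL")
            if s["highCount"] > high_budget:
                reasons[key].append(f"{image}: {s['highCount']} HIGH > budget {high_budget}")
        elif kind == "ConfigAuditReport":
            for scope, check_id in failed_checks(report, "danger"):
                reasons[key].append(f"{scope}: {check_id} (danger)")
    # No report of a kind means not scanned yet; "no findings" must not pass for "no report".
    for key, kinds in seen.items():
        reasons[key] += [f"no {k} yet (unscanned is not clean)" for k in REQUIRED_KINDS if k not in kinds]
    return {key: reasons[key] for key in seen}


def passing(items):
    return sorted(k for k, why in evaluate(items).items() if not why)


# --- constructed sample: counts copied from the tables on this page ---------------
def _vuln(ns, owner, container, repo, tag, crit, high, med, low):
    return {"kind": "VulnerabilityReport",
            "metadata": {"namespace": ns, "name": f"replicaset-{owner}-{container}",
                         "labels": {"starboard.resource.kind": "ReplicaSet",
                                    "starboard.resource.name": owner,
                                    "starboard.resource.namespace": ns,
                                    "starboard.container.name": container}},
            "report": {"artifact": {"repository": repo, "tag": tag},
                       "summary": {"criticalCount": crit, "highCount": high,
                                   "mediumCount": med, "lowCount": low, "unknownCount": 0}}}


def _audit(ns, owner, container, failed_danger):
    """Danger counts match the page; which Polaris check failed is made up for the sample."""
    pod = [{"checkID": "hostNetworkSet", "severity": "danger", "success": True}]
    cont = [{"checkID": c, "severity": "danger", "success": False} for c in failed_danger]
    return {"kind": "ConfigAuditReport",
            "metadata": {"namespace": ns, "name": f"replicaset-{owner}",
                         "labels": {"starboard.resource.kind": "ReplicaSet",
                                    "starboard.resource.name": owner,
                                    "starboard.resource.namespace": ns}},
            "report": {"podChecks": pod, "containerChecks": {container: cont}}}


ITEMS = [
    _vuln("default", "nginx-6d4cf56db6", "nginx", "library/nginx", "1.16", 13, 45, 29, 92),
    _vuln("argocd", "argocd-redis-759b6bc7f4", "redis", "library/redis", "6.2.1-alpine", 0, 0, 0, 0),
    _vuln("backend", "backend-b68bc665c", "backend", "backend", "3d5f54d", 0, 7, 4, 2),
    _vuln("gatekeeper-system", "gatekeeper-audit-54b5f86d57", "manager",
          "openpolicyagent/gatekeeper", "v3.3.0", 0, 0, 0, 0),
    _vuln("argocd", "argocd-dex-server-5dd657bd9", "dex", "dexidp/dex", "v2.27.0", 0, 9, 8, 3),
    _audit("default", "nginx-6d4cf56db6", "nginx", ["runAsRootAllowed"]),
    _audit("argocd", "argocd-redis-759b6bc7f4", "redis", ["privilegeEscalationAllowed"]),
    _audit("backend", "backend-b68bc665c", "backend", ["runAsRootAllowed"]),
    _audit("gatekeeper-system", "gatekeeper-audit-54b5f86d57", "manager", []),
]   # dex-server deliberately has no ConfigAuditReport, to exercise the "unscanned" branch

if __name__ == "__main__":
    data = ITEMS if sys.stdin.isatty() else json.load(sys.stdin)["items"]
    verdicts = evaluate(data)
    for key, why in sorted(verdicts.items()):
        print("FAIL" if why else "PASS", "/".join(key), "; ".join(why))
    sys.exit(1 if any(verdicts.values()) else 0)
```

Run it against the live cluster with `kubectl get vulnerabilityreports,configauditreports -A -o json | python3 gate.py`; the exit status is non-zero when any workload fails, which is what a CI step or a periodic job wants. Reports are keyed by the owning ReplicaSet, so superseded revisions that still exist in the cluster are judged separately from the live one, exactly as they appear in the tables above.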
Check the kube-bench results. These are cluster-scoped, one `CISKubeBenchReport` per node, so no `-A` is needed.

```
$ kubectl get ciskubebenchreports -o wide
```

| NAME | SCANNER | AGE | FAIL | WARN | INFO | PASS |
|---|---|---|---|---|---|---|
| ip-10-1-108-42.ap-northeast-1.compute.internal | kube-bench | 28m | 0 | 38 | 0 | 14 |
| ip-10-1-71-185.ap-northeast-1.compute.internal | kube-bench | 28m | 0 | 38 | 0 | 14 |
kube-hunter is not yet supported by the Operator, so no `KubeHunterReport` is produced.

```
$ kubectl get kubehunterreports -o wide
No resources found
```