
Day 28 - Secure Your Kubernetes Deployments: A Beginner's Guide to Anchore


Hey there, container security is super important, especially when you're deploying your apps in Kubernetes. Anchore is a cool tool that helps you scan your container images before you launch them, making sure they're safe and sound.

But here's the deal: The official Anchore Helm chart is a bit outdated. So, we'll walk through setting up Anchore for image scanning, but we'll also talk about some awesome alternatives like Anchore Enterprise and Aqua Security.

What You Need:

Step 1: Let's Install Anchore in Kubernetes

  1. Update your Helm repos:
   helm repo add anchore https://charts.anchore.io
   helm repo update
  2. Install Anchore (even though the chart is outdated):
   helm install my-anchore anchore/anchore-engine --namespace security-tools --create-namespace

You might see a warning about the chart being deprecated. It's okay for now!

Step 2: CI/CD Integration with Anchore

Now, let's automate image scanning in your CI/CD pipeline. Here's a simple example written in GitLab CI syntax (the same three stages translate directly to a Jenkins pipeline):

stages:
  - build
  - scan
  - deploy

image: docker:latest

build:
  stage: build
  script:
    # Use your full registry path (e.g. registry.example.com/my-app) so the push has somewhere to go.
    - docker build -t my-app:latest .
    - docker push my-app:latest

scan:
  stage: scan
  # anchore-cli talks to the Anchore Engine API over HTTP, so it needs the API URL
  # and credentials rather than the Docker socket. 8228 is the engine's default API port;
  # replace the host placeholder with your engine's service address.
  variables:
    ANCHORE_CLI_URL: http://<ANCHORE_API_HOST>:8228/v1
    ANCHORE_CLI_USER: admin
    ANCHORE_CLI_PASS: $ANCHORE_PASSWORD   # store the password as a masked CI variable
  script:
    # Queue the image for analysis, then block until analysis finishes.
    - docker run --rm -e ANCHORE_CLI_URL -e ANCHORE_CLI_USER -e ANCHORE_CLI_PASS anchore/engine-cli:latest anchore-cli image add my-app:latest
    - docker run --rm -e ANCHORE_CLI_URL -e ANCHORE_CLI_USER -e ANCHORE_CLI_PASS anchore/engine-cli:latest anchore-cli image wait my-app:latest
    # List all vulnerabilities found, for the job log.
    - docker run --rm -e ANCHORE_CLI_URL -e ANCHORE_CLI_USER -e ANCHORE_CLI_PASS anchore/engine-cli:latest anchore-cli image vuln my-app:latest all
    # Policy evaluation exits non-zero on FAIL, which fails this job and stops the deploy stage.
    - docker run --rm -e ANCHORE_CLI_URL -e ANCHORE_CLI_USER -e ANCHORE_CLI_PASS anchore/engine-cli:latest anchore-cli evaluate check my-app:latest

deploy:
  stage: deploy
  script:
    - kubectl apply -f deployment.yaml

Step 3: Setting Up Admission Controllers in Kubernetes

Admission controllers are like bouncers for your Kubernetes cluster. They make sure only safe images get in! Here's the ValidatingWebhookConfiguration that registers a basic admission webhook to block Pods whose images don't pass Anchore's security checks (the webhook service itself, the Anchore admission controller, is deployed separately):

apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: anchore-validating-webhook
webhooks:
  - name: validate.anchore.io
    clientConfig:
      service:
        # Service fronting the Anchore admission controller, which answers
        # AdmissionReview requests (the engine API on its own does not).
        name: anchore-engine
        namespace: security-tools
      # Base64-encoded CA certificate that signed the webhook's serving certificate.
      caBundle: <YOUR_CA_BUNDLE>
    rules:
      - operations: ["CREATE", "UPDATE"]
        apiGroups: [""]
        apiVersions: ["v1"]
        resources: ["pods"]
    # Fail closed: if the webhook is unreachable, the Pod is rejected.
    failurePolicy: Fail
    # Required in the v1 API; this webhook only reads the request.
    sideEffects: None
    admissionReviewVersions: ["v1"]
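To show what the service behind that webhook actually decides, here is the core of an AdmissionReview validator as an added example (not code from the original post or from Anchore). It assumes a constructed dict standing in for Anchore's per-image policy verdicts, and it additionally rejects images that are not pinned to a digest, since a scan result can only be tied to a specific digest.

```python
"""Decision logic behind the Step 3 webhook: validate a Pod's images.

Added example, not code from the original post or from Anchore. The Anchore
lookup is simulated with a constructed dict keyed by digest-pinned image
reference; a real controller would query Anchore's policy evaluation API.
"""
import json

# Constructed stand-in for Anchore policy evaluations (image -> verdict).
ANCHORE_EVALUATIONS = {
    "registry.example.com/my-app@sha256:" + "a" * 64: "pass",
    "registry.example.com/legacy@sha256:" + "b" * 64: "fail",
}


def pod_images(pod):
    """Every image the Pod would run, init containers included."""
    spec = pod.get("spec", {})
    return [c["image"] for c in spec.get("containers", []) + spec.get("initContainers", [])]


def evaluate_image(image):
    """Return (allowed, reason) for one image reference."""
    if "@sha256:" not in image:
        return False, f"{image}: not pinned to a digest, so no scan result can be tied to it"
    verdict = ANCHORE_EVALUATIONS.get(image)
    if verdict is None:
        return False, f"{image}: no Anchore analysis available"
    if verdict != "pass":
        return False, f"{image}: failed Anchore policy evaluation"
    return True, ""


def review(admission_review):
    """Build the AdmissionReview response the API server expects."""
    request = admission_review["request"]
    reasons = [r for ok, r in map(evaluate_image, pod_images(request["object"])) if not ok]
    response = {"uid": request["uid"], "allowed": not reasons}
    if reasons:
        # kubectl shows this message to the user when the Pod is rejected.
        response["status"] = {"code": 403, "message": "; ".join(reasons)}
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview", "response": response}


# Constructed AdmissionReview request, shaped like what the API server sends.
SAMPLE_REQUEST = {
    "apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
    "request": {"uid": "1234", "object": {"spec": {
        "initContainers": [{"image": "registry.example.com/legacy@sha256:" + "b" * 64}],
        "containers": [{"image": "my-app:latest"}],
    }}},
}

if __name__ == "__main__":
    print(json.dumps(review(SAMPLE_REQUEST), indent=2))
```

The sample request is rejected twice over: the init container failed its Anchore evaluation and the main container is referenced by a mutable tag instead of a digest.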


Step 4: Time to Talk About Alternatives

Since the Anchore Helm chart is outdated, you might want to look at some other options:

Step 5: Troubleshooting


Wrapping Up

Container security is super important, and Anchore can help you automate it. Even though the open-source Helm chart is a bit old, you can still use it for now. But for bigger projects, think about Anchore Enterprise or Aqua Security. And remember, admission controllers in Kubernetes add an extra layer of protection, making sure only safe images run in your cluster.
