Automate Kubernetes Image Vulnerability Scanning

30 minutes
  • 3 Learning Objectives

About this Hands-on Lab

Container image vulnerabilities can be a major attack vector for your Kubernetes infrastructure. In this lab, you will implement automated image scanning to ensure that severely vulnerable images do not run in your cluster.

Learning Objectives

Successfully complete this lab by achieving the following learning objectives:

Configure the Admission Controller

You will find a skeleton admission control configuration at /etc/kubernetes/admission-control/admission-control.conf. Configure the admission controller by adding the necessary configuration to this file.

When configuring the admission controller:

  • The kubeconfig is located at /etc/kubernetes/admission-control/imagepolicy_backend.kubeconfig.
  • Configure the admission controller to deny workload creation by default, even if the backend webhook cannot be reached.
Edit the Admission Controller’s kubeconfig to Point to the Backend Webhook

Modify the admission controller’s kubeconfig to point to the backend service.

The kubeconfig is located at /etc/kubernetes/admission-control/imagepolicy_backend.kubeconfig.

The backend service can be reached at acg.trivy.k8s.webhook:8090/scan.

Certificates are already set up in the kubeconfig, and the API server is already set up to be able to locate these certificate files.

Enable Any Necessary Admission Control Plugins

Configure the API server to enable any necessary admission control plugins.

Once this is done, the API server should be using the backend webhook to scan images and deny workloads that have major vulnerabilities.

You can find Pod manifest files in /home/cloud_user you can use to test your setup. The Pod defined in good-pod.yml should succeed, while the Pod in bad-pod.yml should fail to be created due to image vulnerabilities.

Additional Resources

Your company, SecuriCorp, is using Kubernetes to run some applications, but lately there have been some security concerns. A recent security audit revealed that container images are being deployed to the cluster containing old software versions with many vulnerabilities.

Your team has agreed that a good solution would be to use an admission controller to automatically scan images and deny the creation of workloads with vulnerable images. A webhook backend image scanner has already been installed on the control plane node. Configure the admission controller to use it.

What are Hands-on Labs

Hands-on Labs are real environments created by industry experts to help you learn. These environments help you gain knowledge and experience, practice without compromising your system, test without risk, destroy without fear, and let you learn from your mistakes. Hands-on Labs: practice your skills before delivering in the real world.

Sign In
Welcome Back!

Psst…this one if you’ve been moved to ACG!

Get Started
Who’s going to be learning?