Vulnerability Scanning for Images and Running Containers on Red Hat OpenShift with Vulnerability Advisor

Chen Nan Li
IBM Cloud
Feb 6, 2020

Co-author: Yuji Watanabe

Overview

IBM Cloud Pak for Multicloud Management enables multiple security services in your hybrid cloud environments. One of the most important services is Vulnerability Advisor (VA), which scans running containers for vulnerabilities and integrates with several kinds of image registries to scan the images stored in them.

IBM Cloud Pak for Multicloud Management Vulnerability Advisor Architecture

Diagram of the IBM Cloud Pak for Multicloud Management Vulnerability Advisor architecture.

The Vulnerability Advisor architecture is composed of the following components:

  • Live-scan crawler: Performs vulnerability scans for each container running in the cluster.
  • Registry crawler: Performs vulnerability scans for images in private or external registries.
  • Identity management: Provides identity services for API access.
  • Policy services: Provide the policy mechanism for vulnerability scanning.
  • API and backend processing services: Provide the API service, and process and store the data collected by the crawlers.

Container vulnerability scan on OpenShift

After you install the IBM Cloud Pak for Multicloud Management with VA on OpenShift, log in to your IBM Cloud Pak for Multicloud Management console. From the navigation menu, click Administer > Add-on Vulnerability advisor.

Screenshot to navigate to the VA in the IBM Cloud Pak for Multicloud Management console.

The VA user interface appears with the namespaces of the OpenShift cluster. Your VA user interface might resemble the following image:

Image of the VA user interface.

You can view the containers in a specific namespace. For example, when you select the default namespace the following container might appear:

Vulnerability scan details for the default namespace in the VA console.

To view details of the vulnerability scan, click the link of the container name. The following details might appear:

Details of a vulnerability scan.

Image registry integration

Vulnerability Advisor supports scanning images in the following types of registries: IBM Cloud Private, Docker Hub, Artifactory, and OpenShift. As an administrative user on OpenShift 4.x, you can configure VA to scan images in your OpenShift internal registry. Complete the following steps to configure VA:

  • From the VA user interface page, click kube-system namespace > Registries tab. The Registries page appears.

Screenshot of the Registries page.

  • Add the OpenShift registry by selecting the Add New Registry button.
  • Configure your OpenShift registry by completing the following steps:
  1. Enter the image registry service address in the Registry field. The registry used in this example is image-registry.openshift-image-registry.svc:5000
  2. Open the drop-down menu for the Type field and select your registry type. For this example, select openshift
  3. Enter the name of a Kubernetes secret in the kube-system namespace that has permission to pull images from the OpenShift registry.
  4. Enter the scan scope as a regular expression; for example, .* means scan all images in the registry.
  5. Enable the scan for your registry by selecting True, and click Save.

Your Registry Configuration window might resemble the following image:

Image of the Registry Configuration window.

Then Vulnerability Advisor will start to scan images in the OpenShift registry.
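Step 3 above asks for a kube-system secret that can pull from the internal registry but does not show how to create one. The following script is an added example, not from the article or from IBM's product code: it creates a dedicated service account in kube-system, grants it the built-in system:image-puller role only in the namespaces whose images VA should scan, and stores the service-account token in a docker-registry secret. The service-account name (va-image-puller), the secret name (va-openshift-registry) and the namespace list are assumptions; the registry address is the one the article uses; that VA accepts a docker-registry type secret for this field is also an assumption. Set DRY_RUN=1 to print the oc commands instead of running them.

```shell
#!/bin/sh
# Added example (not part of the article): provision a least-privilege pull
# secret in kube-system for Vulnerability Advisor's OpenShift registry scan.
set -eu

# Registry service address from the article.
REGISTRY="image-registry.openshift-image-registry.svc:5000"
# Assumed names; override via the environment if needed.
SA_NAME="${SA_NAME:-va-image-puller}"
SECRET_NAME="${SECRET_NAME:-va-openshift-registry}"
# DRY_RUN=1 prints each oc command instead of executing it.
DRY_RUN="${DRY_RUN:-0}"

# Run a command, or echo it when DRY_RUN=1.
run() {
  if [ "$DRY_RUN" = 1 ]; then
    echo "$*"
  else
    "$@"
  fi
}

# Grant the service account pull rights (system:image-puller) only in the
# listed namespaces, rather than cluster-wide.
grant_pull_roles() {
  for ns in "$@"; do
    run oc policy add-role-to-user system:image-puller \
      "system:serviceaccount:kube-system:${SA_NAME}" -n "$ns"
  done
}

# Create the service account, scope its permissions, and wrap its token in a
# docker-registry secret that the VA registry configuration can reference.
# Usage: create_pull_secret <namespace> [<namespace> ...]
create_pull_secret() {
  run oc create serviceaccount "$SA_NAME" -n kube-system
  grant_pull_roles "$@"
  if [ "$DRY_RUN" = 1 ]; then
    token="<token>"   # never echo a real token in dry-run output
  else
    token=$(oc serviceaccounts get-token "$SA_NAME" -n kube-system)
  fi
  # Any username works with the internal registry when a token is supplied.
  run oc create secret docker-registry "$SECRET_NAME" \
    --docker-server="$REGISTRY" \
    --docker-username=unused \
    --docker-password="$token" \
    -n kube-system
}

# Check that the service account can read image layers in a namespace
# (the permission system:image-puller grants) before pointing VA at it.
verify_pull_access() {
  run oc auth can-i get imagestreams/layers -n "$1" \
    --as="system:serviceaccount:kube-system:${SA_NAME}"
}
```

Run it as `. ./va-pull-secret.sh && create_pull_secret default myproject && verify_pull_access myproject`, then enter va-openshift-registry in step 3. Granting system:image-puller per namespace keeps the scanner's credential from reading images in namespaces you did not intend to scan, and the scan-scope regex in step 4 only narrows what VA looks at, not what the secret can access.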

  • You can view the vulnerability scan result for each image by selecting the registry name from the Registries page. Then, click the link of the image name to view more details of the vulnerability scan report. Your report might resemble the following content:

Screenshot of the vulnerability scan report.

For more details, refer to IBM Cloud Pak for Multicloud Management Vulnerability Advisor.
