Aye
Aye is an open source tool for scanning images on Kubernetes cluster. It uses Anchore CLI behind the scenes to get information about all images that are currently on the cluster. It also provides Prometheus metrics for each image, so teams are aware of different levels of vulnerabilities found inside them.
Installation
Official docker image: docker pull joyodev/aye
Configuring Aye
There are seven environment variables that can be configured.
export ANCHORE_CLI_URL=http://myanchore.server.com:8228/v1
export ANCHORE_CLI_USER=admin
export ANCHORE_CLI_PASS=foobar
Anchore URL defaults to http://localhost:8228/v1/
if you do not specify it. User and password have to be exported/set explicitly.
Besides these three, you can also set values for application port, logging level, service delay in milliseconds and detailed metrics.
export SERVER_PORT=8080
export LOGGING_LEVEL_ROOT=INFO
export SERVICE_DELAY_IN_MILLISECONDS=300000
export ENABLE_DETAILED_METRICS=true
Enabling detailed metrics will result in Aye exposing all vulnerabilities in the image in a form ofPackage: package_name URL: vulnerability_url
to Prometheus. For SERVICE_DELAY_IN_MILLISECONDS
default value is 5 minutes (300 000 milliseconds) - time between loops.
How Aye works
In each iteration of the loop Aye gets all unique images that are present on the cluster (goes over all containers inside all pods) and sends them to the Anchore Engine. It checks status and evaluation status for every image and exposes certain metrics the Prometheus.
If scanning fails for some reason, Aye will wait for 15 minutes before trying to send that image to Anchore again.
Metrics of images that are no longer present are deleted automatically by Aye. This is done by comparing the list of images from the current loop iteration to the previous one.
Examples
Number of vulnerabilities for each severity found in the image (aye_image_severity_vulnerabilities
):
Detailed vulnerabilities metric for image (aye_image_vulnerability_details
):
- List of all metrics
aye_added_images_total
(total number of total images added by Aye)aye_failed_images_total
(total number of images that didn't pass analysis)aye_failed_analysis_total
(total number of unsuccessful analysis)aye_image_severity_vulnerabilities
(number of vulnerabilities for each severity in the image)aye_image_vulnerability_details
(details for all vulnerabilities in the image) - optional, enabled by settingENABLE_DETAILED_METRICS
totrue
.
Prometheus metrics are exposed at /actuator/prometheus
.
Contact
Please email us via JoyoDev