[KF 1.0 Compliance] Vulnerability Scanning #3857
Comments
@jbottum Do you have any ideas about this?
kubeflow/kubeflow#3907 is tracking how we publish a list of vulnerabilities in our images. A related issue is minimizing vulnerabilities, e.g. by using distroless images. Note the use of distroless images is recommended, not a requirement. kubeflow/kubeflow#4590 is a related issue about promoting the use of distroless in Kubeflow to minimize vulnerabilities. To satisfy the vulnerability scanning requirement I think you just need to turn on vulnerability scanning in whatever GCR registry you are hosting your images in. You might want to repurpose this issue or file a new one for reducing vulnerabilities if relevant.
@jlewi As reported in kubeflow/kubeflow#3907, if we enable gcr vulnerability scanning, the results are not visible to external viewers.
Thanks for the relevant link to reducing vulnerabilities. I'll create a separate issue about it.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
/lifecycle frozen
An example of fixing some vulnerability issues: #4531. Some related readings:
My takeaways:
Going forward, we should:
AIs:
Requests to reduce vulnerabilities come more often than before, so I'm taking some time to continue this.
Formalize a vulnerability management process

I think the process should come with two parts:
I'll focus on 2. in this issue.
Research of tools suitable for this need:
Using them combined seems to meet our basic needs.
There seem to be similar open source tools like https://github.com/arminc/clair-scanner, but it requires running your own vulnerability server. It's more convenient to use GCP container analysis service directly.
A bit more research led me to https://github.com/aquasecurity/trivy. It seems to be the leading open source option.
For reference, vulnerability vector description:
An experimental feature of trivy is to use a user-defined Open Policy Agent policy as a checker for the vulnerabilities.
So it can reduce the amount of vulnerabilities we need to check based on our specific environment requirements. References:
EDIT: what's described below doesn't work well, because Open Policy Agent is in fact a generic tool: inputs: "JSON" and "Policy". So we could just use it with gcr vulnerability scanning to get the best of both: flexibility and using a GCP managed service. Or alternatively we can just write a script to check the vulnerability JSON as our own policy.
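One way to implement the "script as our own policy" idea above, as an added example that is not from this thread or any Kubeflow component: a small gate that reads a scanner's JSON report and fails on findings that exceed a severity threshold, have a fix available and are not on a reviewed allowlist. The report shape (Results/Vulnerabilities keys) is modelled on Trivy's JSON output and is an assumption here; the sample report, CVE ids and package names are constructed placeholders.

```python
import json
from dataclasses import dataclass

# Constructed sample report in the shape of Trivy's JSON output (Results -> Vulnerabilities).
# The schema is an assumption; the CVE ids and packages are placeholders, not real findings.
SAMPLE_REPORT = json.dumps({
    "Results": [{
        "Target": "example/placeholder-image:tag (debian 10)",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libfoo",
             "InstalledVersion": "1.0-1", "FixedVersion": "1.0-2", "Severity": "CRITICAL"},
            {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libbar",
             "InstalledVersion": "2.3", "FixedVersion": "", "Severity": "HIGH"},
            {"VulnerabilityID": "CVE-0000-0003", "PkgName": "libbaz",
             "InstalledVersion": "0.9", "FixedVersion": "1.0", "Severity": "HIGH"},
            {"VulnerabilityID": "CVE-0000-0004", "PkgName": "libqux",
             "InstalledVersion": "4.1", "FixedVersion": "4.2", "Severity": "LOW"},
        ],
    }]
})

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

@dataclass(frozen=True)
class Policy:
    min_severity: str = "HIGH"          # block on this severity and above
    require_fix: bool = True            # ignore findings with no fixed version available yet
    allowlist: frozenset = frozenset()  # CVE ids reviewed and accepted for this image

def violations(report_json: str, policy: Policy) -> list:
    """Return (cve, package, severity) tuples that violate the policy."""
    report = json.loads(report_json)
    threshold = SEVERITY_RANK[policy.min_severity]
    out = []
    for result in report.get("Results", []):
        for v in result.get("Vulnerabilities") or []:  # tolerate a null/missing list
            if SEVERITY_RANK.get(v.get("Severity", "UNKNOWN"), 0) < threshold:
                continue
            if policy.require_fix and not v.get("FixedVersion"):
                continue
            if v["VulnerabilityID"] in policy.allowlist:
                continue
            out.append((v["VulnerabilityID"], v["PkgName"], v["Severity"]))
    return out

def passes(report_json: str, policy: Policy) -> bool:
    """CI gate: True when no finding violates the policy."""
    return not violations(report_json, policy)
```

With the default policy the sample report fails on the two fixable HIGH-or-above findings; the unfixed HIGH finding is reported only when `require_fix=False`, which is the knob to revisit once a fix ships.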
Analysis of Options

Trivy
Kritis
Other options look obviously worse than the two, so I'm leaving them out. Note that OPA looks like it has some learning curve because there's a new language to learn, so I'd prefer we stay away from it initially. Therefore, if not using OPA, Trivy's major advantage does not apply to us. I think we can start with Kritis; if it proves to work as it is, we can delay further customization until we really need it.
I'm interested in this issue. Speaking of Trivy, it supports filtering vulnerabilities by a number of options besides OPA:
The lack of activity of Kritis might be a problem, but I'm willing to give it a try since I haven't used it before.
@shawnzhu You are right. I didn't make it clear that my major preference for Kritis is that it uses GCP container scanning as its data source (in fact, it directly reads GCP container scanning results, so you cannot use it outside GCP).
Some notes after experimenting with Kritis:
I built a KFP pipeline that runs Kritis: #5066. P1 The next steps would be maintaining a long-running KFP test cluster and running that pipeline as one of the post-submit tests.
@Bobgy I think this is a better link: https://github.com/quay/clair. Clair is what Amazon ECR uses: https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-scanning.html.
Security WG created a vulnerability scan for all Kubeflow images, including pipelines. This issue is not needed anymore. /close
@rimolive: Closing this issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
Part of #2884
@jlewi Do you know how other images share vulnerability issues?
I did a quick investigation, gcr.io provides vulnerability scanning, but the result is not visible to external visitors even if the image is public.
We can export the generated yaml report with commands like
Documented in https://cloud.google.com/container-registry/docs/get-image-vulnerabilities
Do you think that's good enough?