MightyPrefix/portauthority

Vulnerability scanning using Clair for Docker images in registries or running in Kubernetes

Introduction

Port Authority is an API service that delivers component-based vulnerability assessments for Docker images at build time and in run-time environments. Port Authority also provides developers with additional customizable offerings to assist with the automated audit and governance of their containers.

The Port Authority API can scan public or private individual images as well as entire private Docker registries such as Docker Hub, Google Container Registry or Artifactory. Port Authority integrates with Kubernetes to continuously discover running containers and inventory the deployed images for scanning.

In the backend, Port Authority uses the open source static analysis tool Clair by CoreOS to scan images and identify vulnerabilities. For enforcement, Port Authority provides a webhook that, when called by a Kubernetes admission controller, allows or denies deployments based on customizable policies.

Getting Started

Setup and Start Minikube

  1. Install Minikube

  2. Start Minikube:

    minikube start

NOTE: Supported Kubernetes versions (1.6.x - 1.9.x). Supported Clair versions v2.x.x.

Build and Deploy to Minikube

  1. Use Minikube Docker:

    eval $(minikube docker-env)

  2. Get all Glide dependencies:

    make deps

  3. Build & deploy:

    make deploy-minikube

Optional Configuration

Different configuration adjustments can be made to the Port Authority deployment here: minikube/portauthority/portauthority/config.yml

✅ Add Docker Credentials used by the K8s Crawler scan feature

### Environment variables defined below are mapped to credentials used by the Kubernetes Crawler API (/v1/crawler/k8s)
### A 'Scan: true' flag will invoke their usage
k8scrawlcredentials:
  # Use "" for basic auth on registries that do not require a username and password
  - url: "docker.io" #basic auth is empty UN and PW
    username: "DOCKER_USER"
    password: "DOCKER_PASS"
  - url: "gcr.io" #basic auth is empty UN and PW
    username: "GCR_USER"
    password: "GCR_PASS"
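The mapping the comment above describes (the username and password fields name environment variables, and "" on both means anonymous basic auth) written out as an added Go example. This is not Port Authority's own code: the entry type, the `ResolveCredentials` and `BasicAuthHeader` functions, and the sample entries are assumptions standing in for the parsed config.yml. The one check worth copying is that a variable named in the config but absent from the environment fails at startup instead of silently crawling with an empty password.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"os"
)

// CrawlCredential mirrors one entry of the k8scrawlcredentials list (hypothetical type).
// Username and Password hold the NAMES of environment variables, not the secrets.
type CrawlCredential struct {
	URL      string
	Username string
	Password string
}

// Credential is the resolved secret for one registry host.
type Credential struct {
	Username  string
	Password  string
	Anonymous bool // true when the config used "" for both fields
}

// ResolveCredentials turns env-var names into values via lookup (os.LookupEnv in
// production). A variable named in the config but missing from the environment is
// an error: failing at startup is safer than crawling with a silently empty password.
func ResolveCredentials(entries []CrawlCredential, lookup func(string) (string, bool)) (map[string]Credential, error) {
	out := make(map[string]Credential, len(entries))
	for _, e := range entries {
		if e.URL == "" {
			return nil, fmt.Errorf("k8scrawlcredentials entry with empty url")
		}
		// "" for both fields: basic auth with empty username and password.
		if e.Username == "" && e.Password == "" {
			out[e.URL] = Credential{Anonymous: true}
			continue
		}
		if (e.Username == "") != (e.Password == "") {
			return nil, fmt.Errorf("registry %q: username and password must both be set or both be \"\"", e.URL)
		}
		user, ok := lookup(e.Username)
		if !ok {
			return nil, fmt.Errorf("registry %q: environment variable %s is not set", e.URL, e.Username)
		}
		pass, ok := lookup(e.Password)
		if !ok {
			return nil, fmt.Errorf("registry %q: environment variable %s is not set", e.URL, e.Password)
		}
		out[e.URL] = Credential{Username: user, Password: pass}
	}
	return out, nil
}

// BasicAuthHeader builds the Authorization header value for a registry request.
// An anonymous entry yields "Basic " + base64(":"), i.e. empty user and password.
func BasicAuthHeader(c Credential) string {
	return "Basic " + base64.StdEncoding.EncodeToString([]byte(c.Username+":"+c.Password))
}

func main() {
	// Constructed entries standing in for the two YAML entries above.
	entries := []CrawlCredential{
		{URL: "docker.io", Username: "DOCKER_USER", Password: "DOCKER_PASS"},
		{URL: "gcr.io", Username: "", Password: ""},
	}
	creds, err := ResolveCredentials(entries, os.LookupEnv)
	if err != nil {
		fmt.Println("config error:", err)
		os.Exit(1)
	}
	for host, c := range creds {
		fmt.Printf("%s anonymous=%v\n", host, c.Anonymous)
	}
}
```

Injecting the lookup function keeps the resolver testable without touching the real environment; in the service itself `os.LookupEnv` is passed in, as `main` does.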

✅ Enable the Kubernetes Admission Controller and change webhooks default behavior

# Setting imagewebhookdefaultblock to true will set the imagewebhooks endpoint default behavior to block any images with policy violations.
# If it is set to false, a user can enable the behavior by setting the portauthority-webhook deployment annotation to true
imagewebhookdefaultblock: false
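The two behaviours of `imagewebhookdefaultblock` (block every violating deployment, or block only deployments that opt in through the annotation) as an added Go example of an admission webhook backend. This is not Port Authority's own webhook: the annotation key `portauthority-webhook`, the `Scanner` stand-in for the Clair-backed scan, the trimmed AdmissionReview types and the sample review are all assumptions. The AdmissionReview fields used (`request.uid`, `request.object`, `response.allowed`, `response.status.message`) are the standard Kubernetes ones; only the subset this decision needs is modelled.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"strings"
)

// Hypothetical annotation key; Port Authority's real key is in its API docs.
const blockAnnotation = "portauthority-webhook"

// Only the AdmissionReview fields this decision needs; the Kubernetes schema is larger.
type AdmissionReview struct {
	Request  *AdmissionRequest  `json:"request,omitempty"`
	Response *AdmissionResponse `json:"response,omitempty"`
}

type Container struct {
	Image string `json:"image"`
}

type AdmissionRequest struct {
	UID    string `json:"uid"`
	Object struct {
		Metadata struct {
			Annotations map[string]string `json:"annotations"`
		} `json:"metadata"`
		Spec struct {
			Template struct {
				Spec struct {
					Containers []Container `json:"containers"`
				} `json:"spec"`
			} `json:"template"`
		} `json:"spec"`
	} `json:"object"`
}

type Status struct {
	Message string `json:"message"`
}

type AdmissionResponse struct {
	UID     string  `json:"uid"`
	Allowed bool    `json:"allowed"`
	Status  *Status `json:"status,omitempty"`
}

// Scanner stands in for the Clair-backed scan: policy violations for one image.
type Scanner func(image string) []string

// Webhook carries the imagewebhookdefaultblock setting and the scanner it consults.
type Webhook struct {
	DefaultBlock bool
	Scan         Scanner
}

// BlockEnabled is the config rule: DefaultBlock=true blocks every violating
// deployment; DefaultBlock=false blocks only deployments annotated with "true".
func (wh Webhook) BlockEnabled(annotations map[string]string) bool {
	return wh.DefaultBlock || strings.EqualFold(annotations[blockAnnotation], "true")
}

// Review scans every container image in the deployment and decides admission.
func (wh Webhook) Review(ar AdmissionReview) AdmissionResponse {
	if ar.Request == nil {
		// Fail closed: a review without a request cannot be evaluated.
		return AdmissionResponse{Allowed: false, Status: &Status{"missing request"}}
	}
	resp := AdmissionResponse{UID: ar.Request.UID, Allowed: true}
	var findings []string
	for _, c := range ar.Request.Object.Spec.Template.Spec.Containers {
		for _, v := range wh.Scan(c.Image) {
			findings = append(findings, c.Image+": "+v)
		}
	}
	// Violations are always recorded; they only deny admission when blocking is enabled.
	if len(findings) > 0 && wh.BlockEnabled(ar.Request.Object.Metadata.Annotations) {
		resp.Allowed = false
		resp.Status = &Status{strings.Join(findings, "; ")}
	}
	return resp
}

// ServeHTTP makes Webhook usable as the admission controller's HTTP backend.
func (wh Webhook) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	var ar AdmissionReview
	if err := json.NewDecoder(r.Body).Decode(&ar); err != nil {
		http.Error(w, "malformed AdmissionReview: "+err.Error(), http.StatusBadRequest)
		return
	}
	resp := wh.Review(ar)
	w.Header().Set("Content-Type", "application/json")
	_ = json.NewEncoder(w).Encode(AdmissionReview{Response: &resp})
}

// Constructed AdmissionReview: a Deployment with two containers and the opt-in annotation.
const sampleReview = `{"apiVersion":"admission.k8s.io/v1beta1","kind":"AdmissionReview",
"request":{"uid":"abc-123","object":{"metadata":{"annotations":{"portauthority-webhook":"true"}},
"spec":{"template":{"spec":{"containers":[{"image":"example.com/app:1.0"},{"image":"example.com/sidecar:2.0"}]}}}}}}`

// demoScanner is a constructed stand-in that flags one of the two images.
func demoScanner(image string) []string {
	if strings.HasSuffix(image, "app:1.0") {
		return []string{"high severity vulnerability (constructed finding)"}
	}
	return nil
}

func main() {
	var ar AdmissionReview
	if err := json.Unmarshal([]byte(sampleReview), &ar); err != nil {
		panic(err)
	}
	for _, def := range []bool{false, true} {
		resp := Webhook{DefaultBlock: def, Scan: demoScanner}.Review(ar)
		out, _ := json.Marshal(resp)
		fmt.Printf("imagewebhookdefaultblock=%v -> %s\n", def, out)
	}
}
```

With the default at `false` the same violating deployment is admitted once its annotation is removed, which is the audit-only mode the comment describes; with the default at `true` the annotation no longer matters. A review with no request is denied rather than admitted, so a malformed call from the API server cannot become an accidental allow.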

Docs

Port Authority is an API service. See our complete API Documentation for further configuration, usage, Postman collections and more.

Contributing

We always welcome new PRs! See Contributing for further instructions.

Bugs and Feature Requests

Found something that doesn't seem right or have a feature request? Please open a new issue.

Copyright and License

©2018 Target Brands, Inc.
