This repo aim to enrich the functionality of starboard.
Starboard integrates security tools into the Kubernetes environment, so that users can find and view the risks that relate to different resources in a Kubernetes-native way.
The starboard will watch a certain namespace for workload(basically the pod), if pod created or changed it will do scan(vulnerability scan by Trivy and config audit by Polaris) on it.
The problem is the scan report display, see the picture upper, two way to check the report;
- With CLI command
starboard get reportto generatehtmlfile. - Install software
LENSorOctantoutside the cluster then connect to the cluster to get a panoramic view of whole cluster
The former is not possible in a cluster which from cloud provider.
And the latter is not follow the insight of devsecops.
From the perspective of devsecops, we believe a application should be self-governing, means after update/installed(by gitops maybe), there should be a specific report for the application avaiabled for administrator, just for the application.
So, the repo will be part of application's artifact, act as a security/compliance reporter after every upgrade.
The quick start steps are being enhanced to more convenient.
-
Deploy the starbort report
kubectl create -f ./release.yamlAnd then check if it works:
# kubectl -n starboard-report-system get pod NAME READY STATUS RESTARTS AGE controller-manager-585bd5b76d-mpzzv 2/2 Running 0 13m starboard-operator-7f756cf4c5-nl8qp 1/1 Running 0 13m -
Expose the service
-
For OpenShift cluster, you can use
Routeto expose the service:kubectl apply -f config/route/route.yaml -
For Kubenertes cluster, you can forward the port to access the nginx(will craete
ingresslater)kubectl -n starboard-report-system port-forward service/report 8888:80 --address 0.0.0.0
-
Create a sample in the namespace:
starboard-report-systemkubectl create deployment nginx1 --image nginx:1.16 -n starboard-report-system -
Check the report with the above port:
For now, the application will watch resource in namespace: starboard-report-system, if you want to change it, please update the configuration in config.