Quay / Clair with OPA in Kubernetes


Aaron Tracy

Jul 29, 2020, 5:57:29 PM7/29/20
to quay-sig
Hey There, I've been trying to figure out if I can integrate the security scanning that happens with Quay into an OPA policy to disallow vulnerable images from running inside my Kubernetes environment. Is this functionality that currently exists?

Thanks for your help!

-AT

Walid A. Shaari

Jul 29, 2020, 10:44:47 PM7/29/20
to Aaron Tracy, quay-sig
I did not try it yet; however, in theory it should be doable, if there is a workflow that could add a label to the image to indicate its vulnerability status and an admission control to check for that label.


Alec Merdler

Jul 29, 2020, 11:14:08 PM7/29/20
to quay-sig
Hi! Thanks for your interest in Quay and its security scanner service, Clair.

I'm not entirely familiar with OPA, but from your description, something similar was demo'd during the last (virtual) Red Hat Summit [1]. As far as expansion of the integration between Quay (the source of container images/artifacts) and Kubernetes (the runtime platform), our team has extensive plans there, including increasing the capabilities of the Container Security Operator [2]. I think our team would be really interested in knowing your specific use cases and how you consume Clair vulnerability data today.

[1] https://www.redhat.com/en/summit (apologies for no direct link + login requirement)

Daniel Messer

Jul 30, 2020, 8:11:25 AM7/30/20
to trac...@apps.disney.com, quay-sig, Alec Merdler
Question for you, Aaron:

This topic comes up from time to time. One interesting aspect is what could be done to override a policy that initially prohibited release/deployment of a vulnerable image onto the cluster. E.g. a deployment gets updated with a new image to fix some known vulnerability in the base image. That, however, in turn caused a regression that led the service to malfunction or even enter an outage. Trying to go back to the older image would be stopped by something like OPA checking the vulnerability policy. What would you be expecting to be able to do to remedy this?
--
Daniel Messer

Product Manager Operator Framework & Quay

Red Hat OpenShift

Ahmed Bessifi

Dec 8, 2020, 7:49:01 AM12/8/20
to quay-sig
Hi all,

> if there is a workflow that could add a label to the image to indicate its vulnerability status

It would be better if Clair had the capability to add a label to the image after it has been scanned.

> and admission control to check for that label

Based on that label, OPA (the admission controller) decides whether to deny pod scheduling or not.

Does the Container Security Operator support this feature (allow/deny pod scheduling based on the image vulnerability level) and/or can it be integrated in such a workflow?

Cheers,
Ahmed
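The workflow sketched in the two posts above (a scan result attached to each image, and an admission controller that checks it before a pod is scheduled), written out as an added OPA/Rego example. This is not code from the thread, from Quay, Clair or the Container Security Operator; it assumes that a separate workflow queries Clair and pushes a `data.vulnerability_status` document into OPA keyed by digest-pinned image reference, and that a reviewed exception is recorded with the (hypothetical) `example.com/vulnerability-override` pod annotation, which is one way to handle the rollback case Daniel raises. Tags are mutable, so the policy also refuses any image that is not referenced by digest, since a tag cannot be tied to a scan result.

```rego
package kubernetes.admission

import future.keywords.in

# Severities that block scheduling (assumed policy choice, tune per environment).
blocked_severities := {"Critical", "High"}

# Annotation that records an explicit, reviewed exception, e.g. for rolling
# back to a known-vulnerable image during an outage (assumed key name).
override_annotation := "example.com/vulnerability-override"

# data.vulnerability_status is assumed to be pushed into OPA by a workflow that
# asks Clair for the worst severity found in each image digest, for example:
#   {"quay.io/example/app@sha256:<digest>": {"max_severity": "Critical"}}

# Containers of the Pod under review (constructed AdmissionReview input shape).
pod_containers[c] {
    input.request.kind.kind == "Pod"
    some c in input.request.object.spec.containers
}

# A tag-only reference cannot be matched to a scan result, so require a digest.
deny[msg] {
    some c in pod_containers
    not contains(c.image, "@sha256:")
    msg := sprintf("container %q: image %q must be pinned by digest", [c.name, c.image])
}

# An image the scanner has never reported on is treated as unknown, not as safe.
deny[msg] {
    some c in pod_containers
    contains(c.image, "@sha256:")
    not data.vulnerability_status[c.image]
    msg := sprintf("container %q: no Clair scan result for %q", [c.name, c.image])
}

# Block images whose worst finding is at or above the threshold, unless the
# pod carries the reviewed override annotation.
deny[msg] {
    some c in pod_containers
    status := data.vulnerability_status[c.image]
    status.max_severity in blocked_severities
    not override_approved
    msg := sprintf("container %q: image %q has %s severity findings", [c.name, c.image, status.max_severity])
}

# The override is deliberately a pod annotation rather than a policy change,
# so every exception is visible in the object that was admitted.
override_approved {
    input.request.object.metadata.annotations[override_annotation] == "approved"
}
```

To try it offline, put the policy in `policy.rego`, a constructed `{"vulnerability_status": {...}}` document in `data.json`, an AdmissionReview JSON in `input.json`, and run `opa eval -d policy.rego -d data.json -i input.json "data.kubernetes.admission.deny"`; an empty set means the pod is admitted, and each message in the set is one reason for denial. The missing-scan-result rule matters as much as the severity rule: a registry that has not yet scanned an image should fail closed rather than be waved through.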