12. Trivy Image Scanning
Note: For this question, following the Trivy official-site example provided during the exam works better than the methods I updated below; when I followed the methods written below during the exam, there was no output. Later in the exam I worked it out myself from the official-site example.
Question:
[candidate@cli] $ kubectl config use-context KSSCE0401
:::info
You may open one additional browser tab to access the Trivy documentation.
:::
Task
Use the Trivy open-source container scanner to detect images with severe vulnerabilities used by Pods in the namespace kamino.
Find the images with High or Critical severity vulnerabilities, and delete the Pods that use those images.
Trivy is pre-installed only on the cluster's master node; it is not available on the base system or on the worker nodes. You must connect to the cluster's master node to use Trivy.
Correct answer:
Note: this question is very time-consuming; keep an eye on the remaining time during the exam. If little time remains, leave this question for last.
**Changed on December 12**
Remark: there may be 5 pods, of which 3 must be deleted: kubectl delete pods <pod-name> --force --grace-period=0
# First scan; the image name comes last. Scan the images listed above one by one.
candidate@hk8s-master01:~$ trivy image -s "HIGH,CRITICAL" alpine:3.14
# For later scans add --skip-db-update so the Trivy database is not downloaded again; this saves time.
# Updates are slow on the domestic (China) network; during the exam they are fast.
# The scan output is long; pipe it through grep Total to filter it and look only at the totals.
ssh master01
root@hk8s-master01:~# kubectl get pods -n kamino
NAME READY STATUS RESTARTS AGE
alpine 0/1 CrashLoopBackOff 243 (5m11s ago) 411d
nginx 1/1 Running 5 (7d6h ago) 411d
node 0/1 Error 0 411d
## Note: be sure to check how many pod replicas there are here
root@hk8s-master01:~# kubectl get pods -n kamino -o yaml | grep image
## Or use this command: kubectl describe pod -n kamino | grep -iE '^Name:|Image:'
- image: alpine:3.14
imagePullPolicy: IfNotPresent
image: docker.io/library/alpine:3.14
imageID: docker.io/library/alpine@sha256:560e7a4fa5c891d1830f5591c80b8e472fa6cd386b7254cdf65ccc3249292a34
- image: nginx
imagePullPolicy: Always
image: docker.io/library/nginx:latest
imageID: docker.io/library/nginx@sha256:6db391d1c0cfb30588ba0bf72ea999404f2764febf0f1f196acd5867ac7efa7e
- image: registry.cn-beijing.aliyuncs.com/dotbalo/node:v3.18.1
imagePullPolicy: IfNotPresent
image: registry.cn-beijing.aliyuncs.com/dotbalo/node:v3.18.1
imageID: registry.cn-beijing.aliyuncs.com/dotbalo/node@sha256:0a02d75339eaca89fcca3a8f39b69afba2cff13964c6d3a6a470e508ab4b43e4
**3 Check whether the images have High and Critical vulnerabilities**
Because this vulnerability scan has to reach a website abroad, the scan sometimes fails due to network problems; in the practice environment you can retry several times, or try again at night when the network is better.
This will not happen during the exam, because the exam servers are themselves located abroad.
trivy image -s HIGH,CRITICAL nginx:1.19   # severities HIGH,CRITICAL; replace nginx:1.19 with the image name you found in the previous step
Or you can use this command instead: trivy image nginx:1.19 | grep -iE 'High|Critical'
**Note: if a pod has two images, or a container has two pod replicas, for example:** the 2 pods tri222 and tri333 each have 2 images; all of them must be scanned. This exercise has only one image.
trivy image -s HIGH,CRITICAL amazonlinux:1
trivy image -s HIGH,CRITICAL amazonlinux:2
trivy image -s HIGH,CRITICAL nginx:1.19
trivy image -s HIGH,CRITICAL vicuu/nginx:host
There is also a simpler method: write a for loop. During the exam you can leave it running in this terminal, open another terminal, and continue with the following questions.
for i in {amazonlinux:1,amazonlinux:2,nginx:1.19,vicuu/nginx:host}; do trivy image -s "HIGH,CRITICAL" "$i" >> 10.txt; done
or
for i in $(kubectl describe po -n kamino | grep Image: | awk '{print $2}'); do trivy image -s HIGH,CRITICAL "$i" >> 10-2.txt; done
**4 Delete the problematic pods
(Note! If deletion is very slow during the exam, add the --force parameter to force the deletion.)**
kubectl -n kamino delete pod XXXX
**5 Exit master01 and return to candidate@node01**
exit
Please note: during the exam there are 5 pods, and each pod has several images; all of them must be scanned. If an image is found to have vulnerabilities, delete the pod that uses that image.
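The following script is an added example and is not from the original note or from the exam; it ties the steps above together (list the images per pod, scan each image once with Trivy, report which pods use an image with HIGH or CRITICAL findings). It assumes kubectl and trivy are on PATH on the master node; the report directory, the scan argument and the helper names are my own choices. It deletes nothing itself: the kubectl delete from step 4 is still run by hand on the pods it reports, after checking the report files.

```bash
#!/bin/bash
# Added example (not from the original note): enumerate every image used by the
# pods of a namespace, scan each image once with Trivy, and report the pods
# whose image has HIGH or CRITICAL findings. Assumes kubectl and trivy on PATH.

NAMESPACE="${NAMESPACE:-kamino}"
REPORT_DIR="${REPORT_DIR:-$HOME/trivy-reports}"

# Print "pod image" pairs for one kubectl custom-columns line. Multi-container
# pods list their images comma-separated in the IMAGE column, so split them.
pod_image_pairs() {
  pod=$1; images=$2
  for img in $(printf '%s' "$images" | tr ',' ' '); do
    printf '%s %s\n' "$pod" "$img"
  done
}

# List every (pod, image) pair in the namespace.
list_pod_images() {
  kubectl get pods -n "$NAMESPACE" --no-headers \
    -o custom-columns='NAME:.metadata.name,IMAGE:.spec.containers[*].image' |
  while read -r pod images; do pod_image_pairs "$pod" "$images"; done
}

# Sum the HIGH and CRITICAL counts from every "Total:" line of a Trivy table
# report, e.g. "Total: 42 (HIGH: 38, CRITICAL: 4)". Prints 0 for a clean image.
count_high_critical() {
  awk '/^Total:/ {
         for (i = 1; i <= NF; i++)
           if ($i ~ /(HIGH|CRITICAL):$/) { n = $(i + 1); gsub(/[^0-9]/, "", n); sum += n }
       }
       END { print sum + 0 }' "$1"
}

# Turn an image reference into a file name for its report.
report_path() {
  printf '%s/%s.txt' "$REPORT_DIR" "$(printf '%s' "$1" | tr '/:@' '___')"
}

# Scan an image once (an existing non-empty report is reused, so the same
# image in two pods is not rescanned). A failed scan leaves no report behind,
# so an empty file is never mistaken for a clean image.
scan_image() {
  out=$(report_path "$1")
  if [ ! -s "$out" ]; then
    if ! trivy image --skip-db-update -s HIGH,CRITICAL "$1" > "$out" 2>/dev/null; then
      rm -f "$out"; echo "scan failed: $1" >&2; return 1
    fi
  fi
  printf '%s' "$out"
}

main() {
  mkdir -p "$REPORT_DIR"
  # Download the vulnerability DB once; every scan below uses --skip-db-update.
  trivy image --download-db-only >/dev/null 2>&1
  list_pod_images | while read -r pod img; do
    report=$(scan_image "$img") || { echo "ERROR   pod=$pod image=$img (scan failed, rerun)"; continue; }
    n=$(count_high_critical "$report")
    if [ "$n" -gt 0 ]; then
      echo "DELETE  pod=$pod image=$img high+critical=$n  report=$report"
    else
      echo "keep    pod=$pod image=$img"
    fi
  done
}

# Run the scan only when invoked as "./scan.sh scan"; the helper functions can
# be sourced and exercised on saved reports without a cluster.
if [ "${1:-}" = "scan" ]; then main; fi
```

Run it on the master node as `./scan.sh scan`, then delete only the pods on the DELETE lines with the command from step 4. A pod with several containers appears once per image, so one DELETE line for it is enough; an ERROR line means Trivy could not scan that image (usually the network problem mentioned above) and that image has to be rescanned rather than treated as clean.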
root@hk8s-master01:/home/candidate/KSSH00301# kubectl get pods -n kamino -oyaml | grep image
- image: alpine:3.14
imagePullPolicy: IfNotPresent
image: docker.io/library/alpine:3.14
imageID: docker.io/library/alpine@sha256:560e7a4fa5c891d1830f5591c80b8e472fa6cd386b7254cdf65ccc3249292a34
- image: nginx
imagePullPolicy: Always
image: docker.io/library/nginx:latest
imageID: docker.io/library/nginx@sha256:0463a96ac74b84a8a1b27f3d1f4ae5d1a70ea823219394e131f5bf3536674419
- image: registry.cn-beijing.aliyuncs.com/dotbalo/node:v3.18.1
imagePullPolicy: IfNotPresent
image: registry.cn-beijing.aliyuncs.com/dotbalo/node:v3.18.1
imageID: registry.cn-beijing.aliyuncs.com/dotbalo/node@sha256:0a02d75339eaca89fcca3a8f39b69afba2cff13964c6d3a6a470e508ab4b43e4
root@hk8s-master01:/home/candidate/KSSC00301# trivy image alpine:3.14 | grep -EI "High|Critical"
2024-04-23T10:39:01.234+0800 INFO Need to update DB
2024-04-23T10:39:01.234+0800 INFO DB Repository: ghcr.io/aquasecurity/trivy-db
2024-04-23T10:39:01.234+0800 INFO Downloading DB...
152.75 KiB / 45.31 MiB [>_________________________________] 0.33% 5.38 KiB
root@hk8s-master01:~# vim 12.sh
#!/bin/bash
# Scan each image found in the previous step; use the full image reference from
# the pod spec (e.g. registry.cn-beijing.aliyuncs.com/dotbalo/node:v3.18.1), not
# just the short name, or Trivy will pull the wrong image.
for image in "alpine:3.14" "nginx:latest" "node:v3.18.1"
do
# append (>>), otherwise each iteration overwrites the previous image's result
trivy image "$image" >> ~/12.txt
done
root@hk8s-master01:~# vim 12.sh
root@hk8s-master01:~# chmod +x 12.sh
root@hk8s-master01:~# ./12.sh
kubectl get pods --namespace kamino --output=custom-columns="NAME:.metadata.name,IMAGE:.spec.containers[*].image"
root@hk8s-master01:~# vim 12.sh
#!/bin/bash
for i in "alpine:3.14" "nginx:latest" "node:v3.18.1"
do
# append (>>) so the results of all images end up in the file
trivy image "$i" >> ~/12.txt
done
root@hk8s-master01:~# chmod +x 12.sh
root@hk8s-master01:~# ./12.sh