diff --git a/README.md b/README.md
index 97d36180..6c280ae5 100644
--- a/README.md
+++ b/README.md
@@ -2,30 +2,38 @@
[![CodeQL](https://github.com/vmware-tanzu/cloud-native-security-inspector/actions/workflows/codeql.yml/badge.svg)](https://github.com/vmware-tanzu/cloud-native-security-inspector/actions/workflows/codeql.yml)
-Cloud Native Security Inspector is an open source cloud native runtime security tool that works with Harbor. It allows end users to assess the security posture of Kubernetes clusters at runtime. This project will add dynamic scanning giving Security Auditors greater awareness and control of running workloads.
+Cloud Native Security Inspector is an open source cloud native runtime security tool. It allows end users to assess
+the security posture of Kubernetes clusters at runtime. This project will add dynamic scanning giving Security Auditors
+greater awareness and control of running workloads.
## Features
- View overall security posture of applications in runtime
-- Create policies and bug scanning jobs
+- Policy-based scanning management
- Revise baseline policies as needed and prevent redeploying workloads sourced from vulnerable images
-- Set up a policy to quarantine non-secure workloads
-- Review, filter, and remove policy reports
-- Generate assessment reports with every scan
-- View notifications about flagged pods
-
+- Quarantine non-secure workloads
+- Review and filter the assessment reports
+- Send the historical assessment reports to [OpenSearch](https://opensearch.org/) or [ElasticSearch](https://www.elastic.co/elasticsearch/)
## Architecture
**Cloud Native Security Inspector** consists of the following 3 components:
-1. Controller Manager
-2. Inspector
-3. Portal
+1. The Controller Manager
+2. The Portal
+3. Scanners
+
+In regard to scanners, currently we support 3 different kinds of scanners:
+### [Image vulnerability scanner](https://goharbor.io/docs/main/administration/vulnerability-scanning/)
+Harbor provides static analysis of vulnerabilities in images through the open source projects [Trivy](https://github.com/aquasecurity/trivy).
+In CNSI, this capability is used to perform [dynamic security application testing](https://www.gartner.com/en/information-technology/glossary/dynamic-application-security-testing-dast) (DAST).
+
+### [Kubebench scanner](https://github.com/aquasecurity/kube-bench)
+Kubebench scanner mainly cares about the underlying Kubernetes cluster.
+It checks whether Kubernetes is deployed securely by running the checks documented in the [CIS Kubernetes Benchmark](https://www.cisecurity.org/benchmark/kubernetes/).
-In regard to inspector, currently we support 3 different kinds of inspectors:
-1. [Harbor vulnerability scanner](https://goharbor.io/docs/main/administration/vulnerability-scanning/).
-2. An inspector based on [Kube-bench](https://github.com/aquasecurity/kube-bench).
-3. Risk inspector contributed by [Arksec](https://arksec.cn/).
+### [Risk Scanner (contributed by Arksec Beijing Ltd)](https://arksec.cn/)
+The Risk scanner fetches the [CVSS vectors](https://qualysguard.qg2.apps.qualys.com/qwebhelp/fo_portal/setup/cvss_vector_strings.htm)
+from the image vulnerability report, then reports scored-risks it observed in the vector.
## Demo
[Video Demo](https://youtu.be/IMxU0UWo-DU) - Demo for Cloud Native Security Inspector features
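Review bot: the new "Image vulnerability scanner" paragraph mislabels the technique: it first calls Harbor/Trivy scanning "static analysis" and then says CNSI uses it to perform DAST, and the link text reads "dynamic security application testing" (the Gartner term is dynamic application security testing). Re-checking the images of running workloads against Harbor's vulnerability reports is still static image scanning applied at runtime, so say that rather than DAST. The first paragraph also drops "works with Harbor" while docs/USER-GUIDE.md in this same PR states that Harbor is mandatory for the image scanner and risk scanner in release 0.2.0; keep that dependency visible in the README. Minor: "open source projects [Trivy]" names a single project, "In regard to scanners" reads better as "Regarding scanners", and the CVSS vector link points at a Qualys help page where the FIRST specification (already linked from USER-GUIDE.md) is the authoritative reference.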
@@ -69,7 +77,6 @@ $ cd cloud-native-security-inspector
$ ./deploy.sh install --build-source
```
-
### Verifying the deployment
After the installation is completed either via Option 1 or Option 2, use the following command to see if all the components have been started successfully in Kubernetes.
@@ -98,9 +105,6 @@ NAME TYPE CLUSTER-IP EXTER
cloud-native-security-inspector-portal-service NodePort 10.98.232.35 3800:32541/TCP 44h
```
-If you are using KIND to deploy Kubernetes, in order to visit the portal successfully, please make sure the NodePort (by default: 30150) of the portal has been exposed to the host machine correctly.
-For more details please refer to [KIND documentation](https://kind.sigs.k8s.io/docs/user/quick-start/#mapping-ports-to-the-host-machine).
-
### Run
- Refer to the [Tutorial](docs/TUTORIAL.md) for a quick guidance.
- Refer to the [User Guide](docs/USER-GUIDE.md) for more details on how to use Cloud Native Security Inspector.
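Review bot: deleting the KIND note removes the only guidance on how to reach the portal NodePort from the host. If the port is simply no longer fixed at 30150, the fix is to update the number (the `kubectl get svc` output just above shows the portal on 32541) or to say "the NodePort shown by `kubectl get svc`", not to drop the port-mapping instructions.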
@@ -111,6 +115,7 @@ To uninstall Cloud Native Security Inspector, use the following command:
$ ./deploy.sh uninstall
```
For more details, please refer to the [User Guide](docs/USER-GUIDE.md).
+
## Contact us
Email: narrows@vmware.com
diff --git a/docs/TUTORIAL.md b/docs/TUTORIAL.md
index 21eb72d2..d68d6725 100644
--- a/docs/TUTORIAL.md
+++ b/docs/TUTORIAL.md
@@ -254,8 +254,8 @@ assessment-report-20221203-0633-01 97s
### Check the assessment reports
We can check the assessment reports generated by the 3 scanners/
-#### Image scanning reports (powered by Harbor vulnerability scanner)
-We can check the time series trend of the vulnerabilities discovered by Harbor vulnerability scanner.
+#### Image scanning reports
+We can check the time series trend of the vulnerabilities discovered by the Image vulnerability scanner.
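Review bot: the context line "We can check the assessment reports generated by the 3 scanners/" has a stray trailing slash where a colon belongs; worth fixing while this section is being edited.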
@@ -272,6 +272,10 @@ Click a certain report under the "Name" column to check the details of a certain
+The report is categorized into several different kinds, you can click one of them to check the further details:
+
+
+
#### Risk scanning reports
We can check the Risk reports:
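Review bot: the added sentence is a comma splice ("several different kinds, you can click one of them"); suggest "The report is grouped into several categories; click one to see its details." The three added lines after it are empty, so if a screenshot was meant to follow the sentence the image reference is missing.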
@@ -286,7 +290,7 @@ For the detailed explanation of the reports, please check [User Guide](USER-GUID
### Check the insights
-We support inspecting the insights from 3 different perspectives.
+We support inspecting the insights from 3 different perspectives, in release 0.2 the insight functionality only covers the image scanner.
#### cluster perspective
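Review bot: the release number here ("in release 0.2") disagrees with docs/USER-GUIDE.md in this PR, whose Insight section says "In release 2.0"; pick one. The added sentence is also a comma splice; make the release caveat its own sentence, e.g. "In release 0.2 the insight functionality only covers the image scanner."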
@@ -302,6 +306,6 @@ We support inspecting the insights from 3 different perspectives.
#### workload perspective
-
+
For the detailed explanation of the insights, please check [User Guide](USER-GUIDE.md).
diff --git a/docs/USER-GUIDE.md b/docs/USER-GUIDE.md
index be16b655..131764c6 100644
--- a/docs/USER-GUIDE.md
+++ b/docs/USER-GUIDE.md
@@ -35,10 +35,14 @@
### 1.1 With portal (recommended)
#### 1.1.1 Configurations
-Currently, we need one Secret, one setting and one Policy to be configured. Then CNSI can work properly.
+Currently, we need one Secret, one setting and one Policy to be configured, then CNSI can work properly.
###### Secret
Create a secret for Harbor so that Cloud-Native-Security-Inspector can talk to Harbor with the credentials.
+
+For release 0.2.0, Harbor is mandatory for the image scanner and risk scanner, CNSI depends on the vulnerability report
+of the images.
+
The secret you created will be referred by the setting. If you have already had the K8s secret, you can skip creating one and move forward to next step.
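Review bot: the change from "...to be configured. Then CNSI can work properly." to "...to be configured, then CNSI can work properly." turns a correct sentence into a comma splice; keep the period. The added note has the same problem; suggest "For release 0.2.0, Harbor is mandatory for the image scanner and the risk scanner, because CNSI depends on Harbor's vulnerability report for the images."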
@@ -51,7 +55,7 @@ The secret you created will be referred by the setting. If you have already had
##### Setting
Click on "Credential Name" and choose the secret you've created in the previous step.
-You also need to specify the endpoint of Harbor and the scan interval.
+You also need to specify the endpoint of Harbor and schedule for Harbor for updating the CVE reports.
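Review bot: "schedule for Harbor for updating the CVE reports" is awkward; suggest "the cron schedule on which Harbor refreshes the CVE reports", which matches the wording of the Schedule row in the table below.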
@@ -68,151 +72,208 @@ You also need to specify the endpoint of Harbor and the scan interval.
| Schedule | string | The cron expression to be configured in Harbor to specify the CVE update interval |
| skipTLSVerify | boolean | Whether need to skip the TLS verify |
-
-###### KnownRegistry
+###### Known Registry
This field is optional. If it is configured, replicate rules are set up in Harbor and images from
the known registries can be automatically replicated to Harbor.
-Currently, Harbor support 11 different image registries across the globe.
+Currently, Harbor support 11 different image registries.
Navigate to this [page](https://goharbor.io/docs/2.5.0/administration/configuring-replication/create-replication-endpoints/) to check the details.
-| Field Name | Field Type | Description |
-|----------------------|-------------|------------------------------------------------------------------------------|
-| provider | string | The provider of the registry, currently supports the adapter lists in Harbor |
-| name | string | The name of the registry |
-| endpoint | URL(string) | The endpoint of the registry |
-| Credential Name | string | The name of the credential of KnownRegistry |
-| Credential Namespace | string | The namespace of the credential of KnownRegistry |
-| skipTLSVerify | boolean | Whether need to skip the TLS verify |
+
-
+| Field Name | Field Type | Description |
+|----------------------|-------------|--------------------------------------------------|
+| provider | string | The provider of the registry |
+| name | string | The name of the registry |
+| endpoint | URL(string) | The endpoint of the registry |
+| Credential Name | string | The name of the credential of KnownRegistry |
+| Credential Namespace | string | The namespace of the credential of KnownRegistry |
+| skipTLSVerify | boolean | Whether need to skip the TLS verify |
###### Cache
This filed is optional. If it is configured. Cloud-Native-Security-Inspector can use the external Redis you specified here to cache the security data from Harbor.
+
+
| Field Name | Field Type | Description |
|---------------|-------------|----------------------------------------------------------------------------------------------------------|
| address | URL(string) | The URL of the redis address |
| livingTime | int64 | LivingTime (seconds) specifies the living time of the cache data |
| skipTLSVerify | boolean | SkipTLSVerify indicates whether skip the TLS verification. Only active when 'redis' scheme is configured |
-
+#### Policy
Once the Setting is done, you can create an inspection policy according to your security requirements.
-By defining the inspection policy, users can specify their security expectations including scan interval, security baseline,
-and the workloads or namespaces that should be scanned.
+
+By defining the inspection policy, users can:
+1. Define the schedule for scanning.
+2. Choose which scanners are included.
+3. Define the baseline of the image scanner, which means that CVE above which baseline should be reported in image scanning reports.
+4. Choose the namespace or the workloads to be scanned by the label selector.
+5. Define where to export the reports, currently support OpenSearch and ElasticSearch.
+
+In Release 0.2 the obsolete data in OpenSearch or ElasticSearch need to be purged manually,
+in the next release we will consider to add a way to purge the data automatically.
-#### Policy
-###### Inspection Settings
-| Field Name | Field Type | Description |
-|-----------------|-------------------|--------------------------------------------------------------------------------------|
-| Policy Name | string | Users can customize the name of this policy |
-| Worknamespace | *string | WorkNamespace specify the namespace for creating the underlying inspection resources |
-| Schedule | string | Configure Inspection scan cycle |
-| HistoryLimit | *int32 | HistoryLimit limits the max number of the completed inspections |
-| Suspend | *bool | If true, suspend the subsequent inspections temporarily |
-| ConcurrencyRule | string | ConcurrencyRule indicates how to handle the overlapped inspector processes |
-| Scan Inspector | string | The inspector which will be used by this policy |
-| ImagePullPolicy | corev1.PullPolicy | Image pull policy. Choose from Always, IfNotPresent and Never |
-| Settings Name | string | Select the existing setting's name |
-| OpenSearch | multiple configs | Enable this to leverage OpenSearch to store the time-series assessment reports |
-| ElasticSearch | multiple configs | Enable this to leverage ElasticSearch to store the time-series assessment reports |
+###### Inspection Setting
+| Field Name | Field Type | Description |
+|-----------------|-------------------|-----------------------------------------------------------------------------------|
+| Policy Name | string | The name of this policy |
+| Work Namespace | string | The namespace for the scanners |
+| Schedule | string | Configure Inspection schedule |
+| Scanners | multiple configs | The scanners to be included in the policy |
+| ImagePullPolicy | corev1.PullPolicy | Image pull policy. Choose from Always, IfNotPresent and Never |
+| Settings Name | string | Select the existing setting's name |
+| OpenSearch | multiple configs | Enable this to leverage OpenSearch to store the time-series assessment reports |
+| ElasticSearch | multiple configs | Enable this to leverage ElasticSearch to store the time-series assessment reports |
-
-###### Baselines
-| Field Name | Field Type | Description |
-|------------|------------|------------------------------------------|
-| Baseline | string | Baseline for the compliance of this kind |
-###### Namespace Labels Selectors
-NamespaceSelector is to specify which namespaces should be scanned
+###### Inspection standard setting
+
+| Field Name | Field Type | Description |
+|-------------------|------------|--------------------------------------------------------------------------------------|
+| Baseline | string | The CVE issues above which baseline should be included in the image scanning reports |
+| NamespaceSelector | map | The label of the to-be-scanned namespaces |
+| NamespaceSelector | map | The label of the to-be-scanned workloads |
-###### Workload Labels Selectors
-NamespaceSelector is to specify which workloads should be scanned
+###### Inspection result setting
-###### Assessment Settings
-
-You can choose whether the assessment reports are generated in the K8s cluster as CRD after each scanning.
+You can choose whether the image scanner reports are generated in the K8s cluster as CRD after each scanning.
In additional to that, you can config the format and live time of the reports.
+These configs are for image scanning report only, and is for 0.2 release. In the next release this part of data
+will also be sent to opensearch or elasticsearch, just like what we have done for the Kube-bench scanning reports and
+the risk scanning reports.
+
| Field Name | Field Type | Description |
|-----------------|------------|-----------------------------------------------------------------------------------|
| Generate report | bool | Generate indicates whether generate the assessment report or not, default is true |
| LiveTime | int64 | Live time of the generated report, the unit is second |
+| Kind | string | Kind of action. Now the only choice is quarantine_vulnerable_workload |
+After the inspection policy created, scanners will start to work.
-###### Actions
-If violations are found by the scanning, you can choose if quarantine the workloads that have the vulnerabilities.
-
-| Field Name | Field Type | Description |
-|------------|------------|-----------------------------------------------------------------------|
-| Kind | string | Kind of action. Now the only choice is quarantine_vulnerable_workload |
+You can navigate to `Assessments` to check the security posture and risk trends of the cluster.
-
-After the inspection policy created, inspection scanning will be triggered according to your configuration. You can navigate to assessments menu to see the security posture and risk trends of the cluster.
#### 1.1.2 Assessments
-We can view the reports of the scanner we chose.
+We can view the reports of the scanners.
##### Image scanning reports
-A line chart will be generated based on the latest n assessment reports, such as:
+A time-series chart will be generated for the image scanning reports, such as:
-If there are vulnerabilities be found, the chart would be like:
-
-
-
-By clicking the button in action column of each report, you can view the details of the report.
+By clicking the name of each report, you can view the details of the report.
+If there is no CVE items whose severity is higher than the baseline you configured, then
+the report will show the number of vulnerable containers is zero. But you can still review
+all the CVE items equal or below the baseline in the `Details` section of the report.
+
##### Kubebench scanning reports
+Besides the image scanner scanning the image of the running workloads, the Kubebench scanner
+scans the configurations of the underlying K8s cluster.
+
+
+The checks lie in 5 different categories:
+1. Worknode security config
+2. Kubernetes policies
+3. Control plane security config
+4. Control plane config
+5. Etcd node config
+
+Each category also contains several sub-categories, example:
+Each sub-category contains the actual security check items:
+
+
+The checks are based on the [CIS Kubernetes Benchmark support](https://www.cisecurity.org/benchmark/kubernetes)
+
+The Kubebench scanner is based on this [opensource implementation](https://github.com/aquasecurity/kube-bench),
+we integrate this scanner into Cloud-Native-Security-Inspector. The config files are mounted from
+the host to the Kubebench scanner's cronjob pod, then those configuration files are analyzed.
+
+The Kubebench scanner can detect the K8s verison and choose the corresponding baseline file.
+Check all the supported baseline files [here](https://github.com/vmware-tanzu/cloud-native-security-inspector/tree/main/src/cmd/kubebench/cfg)
+
##### Risk scanning reports
This report lists all the pods along with pod name, namespace under which it is running,
-as well as the number of vulnerabilities contained.
+as well as the number of vulnerabilities contained in the pod.
-
+
-All the details will be displayed by clicking the ID, including basic pod infomration
-and the list of vulnerabilities ETC.
+In release 0.2 the risk scanner will report 3 kinds of risks:
+###### serious vulnerabilities
+The report includes the vulnerabilities at least with medium severity. Risk scanner will give
+a 3-scaled score for the risks. With Medium as 1, High as 2 and Critical as 3.
-
+The risk scanner will decode the CVE vector of each serious vulnerabilities and find below
+2 kinds of further risks.
+
+###### network exposure risks
+When the vulnerability's [CVSS v3.1 vector](https://www.first.org/cvss/specification-document) indicates that
+this vulnerability could bring more risks when the workload is exposed to the network,
+the risk scanner will add a new vulnerability item indicates that.
+Example:
+```
+resource Pod:mariadb-6df76645bf-hvdbj:kube-fate:bade5b13-1538-43e8-8649-7a27e385d74f is
+exposed to network while it has vulneratbility CVE-2016-20013(severity: 2) with network exposure
+```
+The score scale of this kind of risk is 5. With None as 0, Low as 2, Medium as 3, High as 4 and Critical as 5.
+
+The scale for this kind of issue is larger than the `serious vulnerabilities` because the risks become higher
+after network exposure.
+
+###### privilege risks
+When the vulnerability's CVSS v3.1 vector indicates that this vulnerability could bring more risks
+when the workload has a lower required privilege to be accessed. Then the risk scanner will add a
+new vulnerability item to report this potential risk.
+
+The score scale for this kind of risk is the same with the `network exposure risks`.
+
+
+We can also check the time-series trend of the vulnerabilities in the container.
#### 1.1.3 Insight
-In the insight menu, the security information is clustered by different perspectives to help the
-security auditor know the security posture clearly.
+In release 2.0, insight is all about the image scanning results, Kubebench scanning results and
+risk scanning results are not included in the Insight section.
+
+The security administrator can examine the CVE issues in 3 perspectives:
+
+* Cluster
+* Namespace
+* Workload
+
##### Cluster
-If you have configured a lot of workloads, the cluster insight could be like:
-
-
+You can check the total number of workloads that passed or violates the baseline within the cluster CNSI was installed.
+
+You can check the distribution of the vulnerable workloads across the namespaces within the cluster in this perspective.
+
##### Namespace
-If you have configured a lot of workloads, the namespace insight could be like:
-
-
+You can check the total number of workloads that passed or violates the baseline within a certain namespace.
+
+You can check the distribution of the vulnerable workloads across different types of workload within the namespace.
+
##### Workload
-If you have configured a lot of workloads, the workload insight could be like:
- Click the workload's name to view the details.
-
+You can also directly check all the workloads scanned by image scanner, and check their results:
+
### 1.2 With CLI
#### 1.2.1 Settings
Firstly you need to create the settings of Cloud Native Security Inspector.
-```shell
-$ cd src/config/samples
-$ vim goharbor_v1alpha1_setting.yaml
-```
+Create yaml files such as below examples.
```yaml
apiVersion: v1
data:
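Review bot: the new "Inspection standard setting" table lists `NamespaceSelector` twice; the second row describes workloads and should be the workload selector (the removed "Workload Labels Selectors" heading named it). Likewise the `Kind ... quarantine_vulnerable_workload` row has been moved into the "Inspection result setting" table, directly under a sentence saying those settings apply to the image scanning report only, and the "Actions" subsection that explained quarantine was deleted; quarantine is an action, not a report setting, so keep a short Actions subsection (or at least a separate table) for it. Other items in this hunk: "In release 2.0, insight is all about..." should read release 0.2 like the rest of the PR and is a run-on; the network exposure scale "None as 0, Low as 2, Medium as 3, High as 4 and Critical as 5" skips the value 1, so confirm that is intended; the example line contains "vulneratbility", and if that is pasted from scanner output the typo lives in the scanner's message string; and "passed or violates", "verison" and "Worknode" should be "passed or violated", "version" and "Worker node".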
@@ -259,49 +320,12 @@ in the data source harbor, otherwise, you need to configure your private
registries here used for harbor replication. You can update the yaml file like below to
define a Harbor as the data source:
-
- Example Setting
-
-```yaml
-apiVersion: v1
-data:
- accessKey: YWRtaW4=
- accessSecret: SGFyYm9yMTIzNDU=
-kind: Secret
-metadata:
- name: harbor
- namespace: default
-type: Opaque
-
----
-apiVersion: goharbor.goharbor.io/v1alpha1
-kind: Setting
-metadata:
- name: sample-setting
-spec:
- dataSource:
- credentialRef:
- name: harbor
- namespace: default
- provider: Harbor
- name: source-harbor
- endpoint: https://10.78.177.224
- scanSchedule: "0 0 0 * * *"
- skipTLSVerify: true
-```
-
-
-
-Then apply this yaml file using kubectl.
-
-```shell
-$ kubectl apply -f goharbor_v1alpha1_setting.yaml
-```
+Then apply the yaml file using kubectl.
-Using this command to check the status of the setting, ensure the "STATUS" is "Healthy"
+Using below command to check the status of the setting, make sure the "STATUS" is "Healthy"
```shell
-$ kubectl get settings.goharbor.goharbor.io -A
+$ kubectl get settings -A
NAME ENDPOINT STATUS AGE
sample-setting https://10.78.177.224 Healthy 97s
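Review bot: removing the sample Setting YAML and the `kubectl apply -f goharbor_v1alpha1_setting.yaml` block leaves the preceding context "You can update the yaml file like below to define a Harbor as the data source:" pointing at nothing, and "Then apply the yaml file using kubectl." no longer names a file; either keep one example manifest here or reword the lead-in. Also prefer the fully qualified `kubectl get settings.goharbor.goharbor.io -A` that was removed: the bare `settings` short form only resolves when no other installed CRD claims that plural, and the full name is what a user needs when it does not.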
@@ -309,7 +333,7 @@ sample-setting https://10.78.177.224 Healthy 97s
#### 1.2.2 Policy
-Then users need to create inspection policies to define their security requirements.
+Then users need to create inspection policies to define their security requirements, example yaml:
```yaml
apiVersion: goharbor.goharbor.io/v1alpha1
@@ -346,7 +370,7 @@ spec:
actions:
- kind: quarantine_vulnerable_workload
schedule: '*/3 * * * *'
- settingsName: demo-setting
+ settingsName: sample-setting
strategy:
concurrencyRule: Forbid
historyLimit: 5
@@ -354,21 +378,20 @@ spec:
workNamespace: cronjobs
```
-```shell
-$ kubectl create ns cronjobs
-$ kubectl label ns workload goharbor.io/watch="true"
-$ kubectl apply -f goharbor_v1alpha1_inspectionpolicy.yaml
-```
+After the policy is created, cronjobs will be created automatically to scan the workloads, based
+on the given label selector defined in the policy.
+
##### 1.2.2.1 Actions
-If the `actions` field is not specified, no action will be performed on violation workloads. The following actions are supported by policies.
+If the `actions` field is not specified, no action will be performed on violation workloads.
+The following actions are supported by policies.
###### quarantine_vulnerable_workload
-For now, Cloud-Native-Security-Inspector supports only `quarantine_vulnerable_workload` type action.
+For now, Cloud-Native-Security-Inspector only supports `quarantine_vulnerable_workload` type action.
When violation is detected on workloads, Cloud-Native-Security-Inspector will create a network
policy with "deny-all" rules for the namespace if not exist. The violation pods will be
-labeled `goharbor.io/controller: "TSI"` and `goharbor.io/inspection: "risk'` to match
+labeled `goharbor.io/controller: "CNSI"` and `goharbor.io/inspection: "risk'` to match
the pod selector on network policy and the pods will be quarantined.
When the violation pods turns good, the labels will be removed from the pods. And the
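Review bot: deleting `kubectl create ns cronjobs`, `kubectl label ns workload goharbor.io/watch="true"` and the apply command loses the steps that make the sample policy work: the manifest above sets `workNamespace: cronjobs`, and the new sentence says scanning is "based on the given label selector defined in the policy", so the `goharbor.io/watch` label is presumably what that selector keys on. A reader following only this page now has neither the namespace nor a labelled target; keep those commands, or state explicitly that the controller creates the namespace if it does. Also the label value in `goharbor.io/inspection: "risk'` mixes a double and a single quote; it should be `"risk"`.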
@@ -382,7 +405,7 @@ After the InspectionPolicy has been applied, you can find a cronjob will be gene
```
$ kubectl get cronjob -A
NAMESPACE NAME SCHEDULE SUSPEND ACTIVE LAST SCHEDULE AGE
-cronjobs inspectionpolicy-samplekbnpq */1 * * * * False 0 36s 77s
+cronjobs inspectionpolicy-samplekbnpq */3 * * * * False 0 36s 77s
```
The value of "LAST SCHEDULE" represents if the job has been triggered.
diff --git a/docs/pictures/initial-ui.png b/docs/pictures/initial-ui.png
index 365e4dd5..2a19fdee 100644
Binary files a/docs/pictures/initial-ui.png and b/docs/pictures/initial-ui.png differ
diff --git a/docs/pictures/insight-cluster-summary-more.png b/docs/pictures/insight-cluster-summary-more.png
deleted file mode 100644
index 8c3c2431..00000000
Binary files a/docs/pictures/insight-cluster-summary-more.png and /dev/null differ
diff --git a/docs/pictures/insight-cluster-summary.png b/docs/pictures/insight-cluster-summary.png
index 94db1bb9..83db8185 100644
Binary files a/docs/pictures/insight-cluster-summary.png and b/docs/pictures/insight-cluster-summary.png differ
diff --git a/docs/pictures/insight-cluster-violations-more.png b/docs/pictures/insight-cluster-violations-more.png
deleted file mode 100644
index f4c82cd7..00000000
Binary files a/docs/pictures/insight-cluster-violations-more.png and /dev/null differ
diff --git a/docs/pictures/insight-cluster-violations.png b/docs/pictures/insight-cluster-violations.png
index 293c9346..56270f54 100644
Binary files a/docs/pictures/insight-cluster-violations.png and b/docs/pictures/insight-cluster-violations.png differ
diff --git a/docs/pictures/insight-namespace-summary.png b/docs/pictures/insight-namespace-summary.png
index f4e103b0..6d9d737f 100644
Binary files a/docs/pictures/insight-namespace-summary.png and b/docs/pictures/insight-namespace-summary.png differ
diff --git a/docs/pictures/insight-namespace-summry-more.png b/docs/pictures/insight-namespace-summry-more.png
deleted file mode 100644
index 2205b73d..00000000
Binary files a/docs/pictures/insight-namespace-summry-more.png and /dev/null differ
diff --git a/docs/pictures/insight-namespace-violations-more.png b/docs/pictures/insight-namespace-violations-more.png
deleted file mode 100644
index 4769fc76..00000000
Binary files a/docs/pictures/insight-namespace-violations-more.png and /dev/null differ
diff --git a/docs/pictures/insight-namespace-violations.png b/docs/pictures/insight-namespace-violations.png
index bffe0a53..8a4baa77 100644
Binary files a/docs/pictures/insight-namespace-violations.png and b/docs/pictures/insight-namespace-violations.png differ
diff --git a/docs/pictures/insight-workload-list-more.png b/docs/pictures/insight-workload-list-more.png
deleted file mode 100644
index 0d7f40b4..00000000
Binary files a/docs/pictures/insight-workload-list-more.png and /dev/null differ
diff --git a/docs/pictures/insight-workload-list.png b/docs/pictures/insight-workload-list.png
deleted file mode 100644
index eb576301..00000000
Binary files a/docs/pictures/insight-workload-list.png and /dev/null differ
diff --git a/docs/pictures/insight-workloads.png b/docs/pictures/insight-workloads.png
new file mode 100644
index 00000000..733912e6
Binary files /dev/null and b/docs/pictures/insight-workloads.png differ
diff --git a/docs/pictures/report-harbor-detail.png b/docs/pictures/report-harbor-detail.png
index c4bba0d9..c80a8994 100644
Binary files a/docs/pictures/report-harbor-detail.png and b/docs/pictures/report-harbor-detail.png differ
diff --git a/docs/pictures/report-harbor-scanner-more.png b/docs/pictures/report-harbor-scanner-more.png
deleted file mode 100644
index 0d14b206..00000000
Binary files a/docs/pictures/report-harbor-scanner-more.png and /dev/null differ
diff --git a/docs/pictures/report-harbor-scanner.png b/docs/pictures/report-harbor-scanner.png
index 20be27e1..f2ed09e0 100644
Binary files a/docs/pictures/report-harbor-scanner.png and b/docs/pictures/report-harbor-scanner.png differ
diff --git a/docs/pictures/report-kubebench-detail-more.png b/docs/pictures/report-kubebench-detail-more.png
new file mode 100644
index 00000000..3f1579f4
Binary files /dev/null and b/docs/pictures/report-kubebench-detail-more.png differ
diff --git a/docs/pictures/report-kubebench-detail.png b/docs/pictures/report-kubebench-detail.png
index a30a8d0f..39406b26 100644
Binary files a/docs/pictures/report-kubebench-detail.png and b/docs/pictures/report-kubebench-detail.png differ
diff --git a/docs/pictures/report-kubebench-scanner.png b/docs/pictures/report-kubebench-scanner.png
index d5dc9d84..c5628cdf 100644
Binary files a/docs/pictures/report-kubebench-scanner.png and b/docs/pictures/report-kubebench-scanner.png differ
diff --git a/docs/pictures/report-risk-detail.png b/docs/pictures/report-risk-detail.png
index 908d17f8..ee15c472 100644
Binary files a/docs/pictures/report-risk-detail.png and b/docs/pictures/report-risk-detail.png differ
diff --git a/docs/pictures/report-risk-scanner.png b/docs/pictures/report-risk-scanner.png
index 75b5ff3c..ca7c69ed 100644
Binary files a/docs/pictures/report-risk-scanner.png and b/docs/pictures/report-risk-scanner.png differ
diff --git a/src/controllers/setting_controller.go b/src/controllers/setting_controller.go
index a646b248..7ad17355 100644
--- a/src/controllers/setting_controller.go
+++ b/src/controllers/setting_controller.go
@@ -141,6 +141,10 @@ func (r *SettingReconciler) ensureKnownRegistries(ctx context.Context, p provide
defer set.Status.SetCondition(cond)
// register known registries, create or update
+ if set.Spec.KnownRegistries == nil || len(set.Spec.KnownRegistries) == 0 {
+ log.Info("there is no configuration about known registries in the setting")
+ return nil
+ }
err := p.RegisterKnownRegistries(ctx, set.Spec.KnownRegistries)
if err != nil {
if !cond.IsFalse() {
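Review bot: the nil check in `set.Spec.KnownRegistries == nil || len(set.Spec.KnownRegistries) == 0` is redundant, since `len` of a nil slice is 0 (staticcheck reports this as S1009); `len(set.Spec.KnownRegistries) == 0` alone is enough. More importantly, the early `return nil` runs after `defer set.Status.SetCondition(cond)` but before anything updates `cond`, so the deferred call records whatever state `cond` held when it was initialised above this hunk; if that is Unknown or False, a Setting with no known registries will carry a misleading condition. Set `cond` to its success or not-applicable value before returning. The `log.Info` will also fire on every reconcile for every Setting without known registries; a debug level (`log.V(1).Info`) would be less noisy.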