Published December 5, 2018 | Version v1
Report Open

Scanning Containers for Vulnerabilities on Kubernetes Clusters

  • 1. CERN openlab summer student

Description

For this project, we chose to work with Clair, a tool developed by CoreOS that uses static analysis to find vulnerabilities in container images. To use Clair, we built a Python client, called ClairScanner, that communicates with the Clair v1 API. We also built a tool called KubeScanner, which runs on Kubernetes clusters and uses ClairScanner to analyse the containers running in Kubernetes pods. After receiving the analysis results from ClairScanner, KubeScanner communicates with the Kubernetes API to report them back to the cluster owner by labeling the analysed pods with the findings. After deploying this solution on the CERN cloud, the project also aimed to push it upstream to the OpenStack Magnum project, the OpenStack component responsible for creating clusters for OpenStack clouds.

Files

Report_Roberto_Soares.pdf (625.4 kB, md5:b049455d6f6da7bb9d9c2131751c4b34)