Scanning Pods with Anchore, Jenkins, Minikube, Windows
Shifting Security Left by scanning your container images
It’s been quite some time since I wrote a how-to article. A lot has changed since then with me personally but let’s get right into it.
Anchore Engine is an open-source tool that scans your container images to see if there are any open vulnerabilities.
For example, if your base image is
node:alpine how do you know if that image is safe to use? Anchore will scan your built image and let you know if there are vulnerabilities that you can leverage during the build process.
Here’s the breakdown of what we’ll be doing:
- Install Jenkins in our Minikube / Windows 10 setup.
- Install Anchore
- Configure Jenkins plugins
- Set up a freestyle pipeline job to build, push and scan a custom container image
- A working instance of Minikube
- Internet access
- Dockerhub account (optional)
Installing Jenkins on Minikube / Windows 10
Github Repo: https://github.com/airwavetechio/jenkins-demo
Minikube version: v1.15.1
OS: Windows 10 Pro
First off, you’ll want to clone the repo above. It’s a modified version of the Jenkins Helm chart, broken down to suit our demo needs.
We are going to be building Docker images inside of Jenkins so we’ll have to modify our Minikube node just a bit.
First, you’ll want to ssh into your Minikube instance.
Next, we are going to ensure our
docker user inside Minikube has the same group ID as the
jenkins user inside of the Jenkins container we will be deploying. I’ll explain more in a bit why we need to do this, but first, check to see if your
docker user’s group ID is
If not, run this command to fix it:
sudo groupmod -g 1000 docker
Now check the permission of
/var/run/docker.sock . We will need to use this for Jenkins so we can build Docker images.
ls -l /var/run/docker.sock
If the group is 999, change that to 1000.
sudo chown root:1000 /var/run/docker.sock
Finally, we are going to create a directory on the Minikube host to store our Jenkins configurations in case you need to restart things. We will be mounting this to the deployment.
sudo mkdir -p /data/jenkins-home
sudo chown docker:1000 -R /data
ls -l /data
Now navigate to the cloned repo and install some prerequisites like:
- a Jenkins namespace
- persistent volume
- Jenkins configmap
- Jenkins configuration as code
- Jenkins secret
git clone https://github.com/airwavetechio/jenkins-demo
kubectl apply -f prereqs
Now you want to install Jenkins itself.
kubectl apply -f deployment.yaml
Our installation comes prepackaged with the plugins you need to complete the demo. If you want to add our own plugins, look in the
./prereqs/jenkins-cm.yaml file and add your plugin within the
Jenkins should be up and running in a minute or two, but make sure you validate it.
Next, let’s install Anchore into your Minikube instance. Using Helm, install Anchore into the default namespace.
helm repo add anchore https://charts.anchore.io
helm install anchore-demo anchore/anchore-engine
Validate the installation
Configure Jenkins plugins
Since we pre-installed plugins along with the Jenkins deployment, we will need to configure them.
Let’s connect to your Jenkins instance
kubectl --namespace jenkins port-forward svc/jenkins 8080:8080
Now open your browser to http://localhost:8080/ . The authentication secrets are in
Click on Manage Jenkins > Configure System
This is where we will configure the plugins.
Scroll down to Anchore Container Image Scanner
- This is the name of the Anchore API service with the namespace.
- You can find this from the Anchore secret.
Configure the Docker Builder
Scroll down to Docker Builder and type in
The changes we made in the Minikube node allow us to connect to the socket. Our custom deployment of Jenkins mounts
/var/run from your Minikube node to
/var/run/docker within the Jenkins container. Also within the container, the
jenkins user’s group ID is 1000, matching the group ID we changed earlier. In other words, we matched the group ID of the
jenkins user in the container with the
docker user of the Minikube node.
Don’t forget to click Save at the bottom.
Set up a freestyle pipeline job to build a custom container image
In this phase, we are going to create a pipeline job to scan a Docker image following this flow.
Setting up the Freestyle Job
Click on Dashboard > Create a job
Create a job name with no spaces and click Freestyle project > OK
In this step, we will be cloning a pre-existing GitHub repository.
IF you have followed our guides before, then you might be familiar with this repo. If not, this is our example repo we use to test things, such as deployments. It’s a node app that serves a static page on port 5000.
You can use your own repo if you wish as long as there is a Dockerfile in the repo.
Scroll down to Source Code Management and add this Github URL
Changes the branch to
In this step, we will be building the Docker image from the Dockerfile located in the repo. If you don’t have Docker Hub (or any other registry) access available to you, you can skip the two Execute Docker command build steps (this one and the next one).
Scroll down to Build > Add build step > Execute Docker command
Build context folder
$WORKSPACE/<directory containting the Dockerfile>
Tag of the resulting docker image
In this step, we are going to push our built Docker image to the Docker Hub registry. Again, if you don’t have access, you can skip this step.
Add an additional build step by clicking Add build step > Execute Docker command
Name of the image to push (repository/image)
Docker registry URL
At this point, you will need to add your Docker Hub registry credentials.
Registry Credentials > Add > Jenkins and set up your username and password
Make sure you select the credentials after you create them.
In this step, we will be registering the newly built image with Anchore plugin by writing to a file.
Add build step > Execute shell
echo "<yourDockerHubrepo>/<imageName>:$BUILD_NUMBER $WORKSPACE/Dockerfile" > anchore_images
Finally, in our last step, we will be invoking Anchore to check our image for any security vulnerabilities.
Add build step > Anchore Container Image Scanner
Along with the default settings, you’ll want to check the box next to Anchore Engine force image analysis. This allows you to run the job more than once.
Click on Save.
Back to the Job page and click on Build now in the side nav.
When the job is done, you can check out the Latest Anchore Report
Check the Security page as well
There you have it. A quick tutorial on how to install Anchore and scan your images.
To uninstall everything we just did, just run these 3 commands
helm uninstall anchore-demo
kubectl delete -f deployment.yaml
kubectl delete -f prereqs
If you enjoy the no-nonsense, no backstory, straight to the point style of these tutorials, let me know by clapping. If it can be better, drop a comment. Thanks again for reading and hoped you learned something new today.