Vulnerability Advisor

Use the Vulnerability Advisor to get the security status of container images in your IBM® Cloud Private private registry. The Vulnerability Advisor also runs security checks on the containers that are running in your environment.

For more information about the Vulnerability Advisor, see the About Vulnerability Advisor section in the IBM Cloud Docs.

The Vulnerability Advisor feature is supported in the Cloud Native and Enterprise editions of IBM Cloud Private only.

To enable the Vulnerability Advisor, see Enabling the Vulnerability Advisor.

For a list of the Vulnerability Advisor components, see Components.

Configuring Vulnerability Advisor

Configuring the Vulnerability Advisor container crawler

  1. From the navigation menu, click Configuration > ConfigMaps.
  2. In the search box type "live-crawler-config".
  3. For the "live-crawler-config" ConfigMap, select Action > Edit. The "live-crawler-config" JSON file displays.
  4. Modify the value of the enabled parameter.
    • To disable the crawler, set the enabled parameter to false.
    • To enable the crawler, set the enabled parameter to true.
  5. (Optional) You can also configure how often the containers on each host are scanned. To configure the scan interval, modify the value of the crawl-interval parameter. The default value is 86400 seconds (one day). If you update this parameter, you must restart the crawler container. The container crawler is deployed as a DaemonSet named live-crawler-amd64 or live-crawler-ppc64le, depending on the node architecture. You can restart the DaemonSet from the Workloads > DaemonSet page.
  6. Click Submit.

Configuring the Vulnerability Advisor image crawler

  1. From the navigation menu, click Configuration > ConfigMaps.
  2. In the search box type "reg-crawler-config".
  3. For the "reg-crawler-config" ConfigMap, select Action > Edit. The "reg-crawler-config" JSON file displays.
  4. Modify the value of the enabled parameter.
    • To disable the crawler, set the enabled parameter to false.
    • To enable the crawler, set the enabled parameter to true.
  5. Click Submit.

Logs and report management

The Kafka logs and Elasticsearch indices that the Vulnerability Advisor components produce consume a lot of disk space on the VA nodes. By default, Kafka retains 600 minutes (10 hours) of logs and Elasticsearch retains 7 days of data. This data includes the container and image reports.

Configuring data curation interval of Elasticsearch cluster

  1. From the navigation menu, click Configuration > ConfigMaps.
  2. In the search box type "va-elasticsearch-curator-config".
  3. For the "va-elasticsearch-curator-config" ConfigMap, select Action > Edit. The "va-elasticsearch-curator-config" JSON file displays.
  4. Modify the value of the unit_count parameter, which is the number of days of data to retain. The default value is 7.
  5. Click Submit.

Configuring log clean-up interval of Kafka cluster

  1. Set up the kubectl CLI. See Accessing your IBM Cloud Private cluster by using the kubectl CLI.
  2. Edit the Kafka StatefulSet object to re-configure Kafka.

    kubectl --namespace=kube-system edit statefulset <kafka_statefulset_name>
    
  3. Modify the value of the KAFKA_LOG_RETENTION_MINUTES environment variable. The default value is 600 minutes (10 hours).

  4. Save the changes.
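The crawler ConfigMaps and the Kafka retention setting can also be changed from the kubectl CLI, which is the route you want when the settings are kept as code or applied to several clusters. The script below is an added example, not part of the IBM Cloud Private documentation or product. It assumes that the ConfigMap data keys are literally `enabled` and `crawl-interval` (the parameter names used on this page), that the caller supplies the Kafka StatefulSet name in `KAFKA_STS` (the page does not give it), and that the live-crawler DaemonSet uses the default RollingUpdate strategy, so that patching its pod template restarts it. The Elasticsearch curator ConfigMap is left to the console or `kubectl edit`, because its internal layout is not shown on this page.

```shell
#!/bin/sh
# Added example (not from the IBM Cloud Private docs or product): configure the
# Vulnerability Advisor crawlers and Kafka retention with kubectl.
# Assumptions: ConfigMap data keys are "enabled" and "crawl-interval";
# KAFKA_STS names the Kafka StatefulSet; the DaemonSet uses RollingUpdate.
set -e

NS=kube-system

# ConfigMap values are strings and the API server does not type-check them,
# so validate here: a positive integer only.
is_positive_int() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
    *) [ "$1" -gt 0 ] ;;
  esac
}

# Only the two values the page documents for "enabled".
is_bool() {
  case "$1" in
    true|false) return 0 ;;
    *) return 1 ;;
  esac
}

# Strategic-merge patch for a crawler ConfigMap.
# $1 = enabled (true|false); $2 = crawl interval in seconds (optional, live crawler only)
crawler_patch() {
  is_bool "$1" || { echo "enabled must be true or false, got '$1'" >&2; return 1; }
  if [ -n "${2:-}" ]; then
    is_positive_int "$2" || { echo "crawl-interval must be a positive integer (seconds), got '$2'" >&2; return 1; }
    printf '{"data":{"enabled":"%s","crawl-interval":"%s"}}' "$1" "$2"
  else
    printf '{"data":{"enabled":"%s"}}' "$1"
  fi
}

# Patch a crawler ConfigMap; optionally restart a DaemonSet so a new interval
# takes effect (the page notes a restart is required after changing it).
# $1 = ConfigMap name; $2 = enabled; $3 = interval seconds (optional); $4 = DaemonSet (optional)
configure_crawler() {
  patch=$(crawler_patch "$2" "${3:-}") || return 1
  kubectl -n "$NS" patch configmap "$1" -p "$patch"
  if [ -n "${4:-}" ]; then
    # Bumping a pod-template annotation triggers a rolling restart on any kubectl
    # version; with an OnDelete update strategy, delete the pods instead.
    stamp=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    kubectl -n "$NS" patch daemonset "$4" \
      -p "{\"spec\":{\"template\":{\"metadata\":{\"annotations\":{\"va-restarted-at\":\"$stamp\"}}}}}"
    kubectl -n "$NS" rollout status daemonset/"$4"
  fi
}

# Set KAFKA_LOG_RETENTION_MINUTES on the Kafka StatefulSet and read it back,
# so a silent no-op (wrong object name, env var missing) is noticed.
# $1 = StatefulSet name; $2 = retention in minutes
set_kafka_retention() {
  is_positive_int "$2" || { echo "retention must be a positive integer (minutes), got '$2'" >&2; return 1; }
  kubectl -n "$NS" set env statefulset/"$1" KAFKA_LOG_RETENTION_MINUTES="$2"
  kubectl -n "$NS" get statefulset "$1" \
    -o jsonpath='{.spec.template.spec.containers[*].env[?(@.name=="KAFKA_LOG_RETENTION_MINUTES")].value}'
  echo
}

# Nothing touches the cluster unless explicitly requested:
#   VA_APPLY=1 KAFKA_STS=<kafka_statefulset_name> sh va-config.sh
if [ "${VA_APPLY:-0}" = "1" ]; then
  configure_crawler live-crawler-config true 43200 live-crawler-amd64   # scan twice a day
  configure_crawler reg-crawler-config true
  set_kafka_retention "${KAFKA_STS:?set KAFKA_STS to the Kafka StatefulSet name}" 1440  # keep 24 hours
fi
```

The values are validated before they are sent because ConfigMap data is free-form text: a typo such as `8640O` would be accepted by the API server and only fail, or be silently misread, inside the crawler. The Kafka read-back uses a jsonpath filter so that a misspelled StatefulSet name or a variable that `set env` did not touch shows up immediately rather than ten hours later when logs start disappearing at the old rate.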

Viewing security reports

From the management console, you can view security reports for containers and images organized by namespace. These security reports are generated by using a default policy.

  1. From the navigation menu, click Platform > Vulnerability Advisor.
  2. Select the namespace that you want to view. The Vulnerability Advisor dashboard displays. From this dashboard, you can review the reports for containers and images in the selected namespace. The report details the following information on each container or image:
    • Name - the name of the container or image.
    • Owner - the namespace that the image or container belongs to.
    • Crawled Time - the timestamp when the image or container was scanned.
    • Type - specifies whether the object is a container or an image.
    • Organizational Policies - the security policy that is being used. This is set on the Managing Policies page.
    • Vulnerable Packages - current vulnerabilities that are identified for the container or image.
    • Container Settings - a summary of potential security and compliance issues. Security recommendations are also presented here.

Managing Policies

  1. From the navigation menu, click Platform > Vulnerability Advisor.
  2. Select the namespace that you want to view reports for. The Vulnerability Advisor dashboard displays.
  3. From the horizontal navigation menu of the Vulnerability Advisor dashboard, select Manage Policies.
  4. On the Manage policies page, select the policy changes that you want to make by toggling the ON/OFF radio buttons.
  5. Click Submit Policy.

Updating Vulnerability Advisor settings after admin password changes

  1. Set up the kubectl CLI. See Accessing your IBM Cloud Private cluster by using the kubectl CLI.
  2. Delete the old image pull secret.

    kubectl delete secret regsecret --namespace=kube-system
    
  3. Create a new image pull secret with the new admin password.

    kubectl create secret docker-registry regsecret --docker-server=<cluster_CA_domain>:8500 \
    --docker-username=<admin_username> --docker-password=<admin_password> \
    --docker-email=<admin_email> --namespace=kube-system
    
  4. Edit the deployment to set the new password.

    1. Open the reg-crawler deployment

      kubectl edit deployment reg-crawler --namespace=kube-system
      
    2. Change the value of the environment variable CFC_USER_PASSWORD to your new admin password.

    3. Save the changes.
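The procedure above works, but `kubectl create secret docker-registry --docker-password=...` puts the new admin password on the command line, where it lands in shell history and is visible to every local user through `ps` while the command runs. The script below is an added example, not part of the IBM Cloud Private documentation or product, that produces the same `regsecret` from a password file instead: it builds the `.dockerconfigjson` payload itself and loads it with `--from-file`. It assumes the registry address `<cluster_CA_domain>:8500` from the page's own command, that the password is supplied in a file readable only by the administrator, and that the password is printable text (control characters are not JSON-escaped). The `CFC_USER_PASSWORD` update still has to go through `kubectl set env`, which has no file input, so that one step keeps the exposure the page's procedure has.

```shell
#!/bin/sh
# Added example (not from the IBM Cloud Private docs or product): rotate the
# Vulnerability Advisor registry credentials after an admin password change
# without passing the password on the kubectl command line.
# Assumptions: registry is <cluster_CA_domain>:8500; password comes from a file.
set -e

NS=kube-system
SECRET=regsecret
DEPLOYMENT=reg-crawler

# Escape a value for use inside a JSON string literal (backslash and quote only;
# the password is assumed to be printable text).
json_escape() {
  printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g'
}

# Build the same .dockerconfigjson that `kubectl create secret docker-registry`
# would generate: auths.<server>.auth is base64("user:password").
# $1 = registry server; $2 = username; $3 = password; $4 = email
build_dockerconfigjson() {
  auth=$(printf '%s:%s' "$2" "$3" | base64 | tr -d '\n')
  printf '{"auths":{"%s":{"username":"%s","password":"%s","email":"%s","auth":"%s"}}}' \
    "$(json_escape "$1")" "$(json_escape "$2")" "$(json_escape "$3")" "$(json_escape "$4")" "$auth"
}

# Replace regsecret and update the reg-crawler deployment.
# $1 = registry server; $2 = username; $3 = password file (mode 0600); $4 = email
rotate_registry_secret() {
  pw=$(cat "$3")
  [ -n "$pw" ] || { echo "empty password file: $3" >&2; return 1; }
  umask 077                      # temp file readable by this user only
  tmp=$(mktemp)
  trap 'rm -f "$tmp"' EXIT
  build_dockerconfigjson "$1" "$2" "$pw" "$4" > "$tmp"
  # Same end state as the page's delete + create; the payload is read from the file.
  kubectl -n "$NS" delete secret "$SECRET" --ignore-not-found
  kubectl -n "$NS" create secret generic "$SECRET" \
    --type=kubernetes.io/dockerconfigjson --from-file=.dockerconfigjson="$tmp"
  rm -f "$tmp"
  # The crawler reads CFC_USER_PASSWORD directly, so it must match the secret.
  # kubectl set env has no file input: this value is briefly visible to local
  # processes, so run the script from a locked-down administration host.
  kubectl -n "$NS" set env deployment/"$DEPLOYMENT" CFC_USER_PASSWORD="$pw"
  # Wait for the new pod before trusting the next image crawl.
  kubectl -n "$NS" rollout status deployment/"$DEPLOYMENT"
}

# Nothing touches the cluster unless explicitly requested:
#   VA_APPLY=1 sh va-rotate.sh <cluster_CA_domain>:8500 admin /root/admin.pw admin@example.com
if [ "${VA_APPLY:-0}" = "1" ]; then
  [ $# -eq 4 ] || { echo "usage: VA_APPLY=1 $0 <server> <user> <password-file> <email>" >&2; exit 2; }
  rotate_registry_secret "$@"
fi
```

After the rollout completes, check that the crawler actually authenticates with the new credentials by watching its logs for the next registry scan; a stale `CFC_USER_PASSWORD` or a secret that was recreated under the wrong name fails quietly until then.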

Limitations of the Vulnerability Advisor