A binary for building and scanning (with Trivy) a Kubernetes image using the kubernetes-sigs/image-builder repo or the eschercloud-image-builder repo where new functionality is required but not yet merged upstream.
Baski also supports signing images and will tag the image with a digest so that a verification can be done against images.
The scanning and signing functionality are separate from the build meaning these can be used on none Kubernetes images.
| Cloud Provider |
|---|
| Openstack |
More clouds could be supported but may not be maintained by EscherCloudAI.
Run the binary with a config file or see the help for a list of flags.
In the example config, not all fields are required and any fields that are not required are left
blank - unless the fields are enabled by a bool, for example in the Nvidia options where none are required
if enable-nvidia-support is set to false,
The following are valid locations for the baski.yaml config file are:
/tmp/
/etc/baski/
$HOME/.baski/For more flags and more info, run baski --help
If you wish to run it locally then you can either build the binary and run it, or you can run it in docker by doing the following:
docker build -t baski:v0.0.0 -f docker/baski/Dockerfile .
docker run --name baski -it --rm --env OS_CLOUD=some-cloud -v /path/to/openstack/clouds.yaml:/home/baski/.config/openstack/clouds.yaml -v /path/to/baski.yaml:/tmp/baski.yaml baski:v0.0.0
#Then from in here
baski build / scan / signBaski server has been built so that all scan results are easily obtainable from an S3 endpoint. Run the server as
follows, and then you can query the server using the API.
The CVE results are searched for based on the locations generated during the sign single and sign multiple
docker build -t baski-server:v0.0.0 -f docker/server/Dockerfile .
docker run --name baski-server -e BASKI_S3_ENDPOINT=https://SOME-ENDPOINT -e BASKI_S3_ACCESSKEY=SOME-ACCESS-KEY -e BASKI_S3_SECRETKEY=SOME-SECRET-KEY -e BASKI_S3_BUCKET="baski" -e BASKI_ENABLE_DOGKAT="true" -e BASKI_DOGKAT_BUCKET="dogkat" -p 8080 -it --rm baski-server:v0.0.0
curl http://127.0.0.1:DOCKER-PORT/api/v1/scan/SOME-IMAGE-ID- Automatically clear up resources when ctrl-c is pressed.
- Make this work for more than just Openstack so that it's more useful to the community around the Kubernetes Image Builder?
- Add metrics/telemetry to the process.
- Create all option to allow whole process?
The scripts and documentation in this project are released under the Apache v2 License.