grype VS Kyverno

Trivy Operator : A simple and comprehensive vulnerability scanner for containers and other artifacts. It detects vulnerabilities of OS packages (Alpine, Debian, CentOS, etc.) and application dependencies (pip, npm, yarn, composer, etc.) (Alternatives : Grype, Snyk, Clair, Anchore, Twistlock)

Besides pointing pentester tools like metasploit at yourself, there are some nice scanners out there.

https://github.com/quay/clair

https://github.com/anchore/grype/

Using Grype:

In the lab to follow, we'll see how vulnerability scanning can be conveniently achieved with Grype and how various systematic techniques can be applied to start securing our microservices at the container image level.

Scanning your container images for vulnerabilities is a good approach. But this scanning is not one time job, it should be done regularly (weekly, monthly, etc.) You need to follow vulnerability reports and fix all of the vulnerabilities as soon as possible. I recommend some open-source tools that could be useful: Trivy, Docker-Bench, Grype.

Grype is another popular open source tool from Anchore. Working with SBOM files, Grype scans container images and filesystems for vulnerabilities. Grype supports different output formats for vulnerabilities and custom templates for output.

Grype (https://github.com/anchore/grype)

Grype will allow you to scan a container to see if you have any vulnerable packages.

https://github.com/anchore/grype 5.6k stars, updated 3 days ago

Anyway, I haven’t checked for sure as I’m away from laptop but it should be possible to use something like Kyverno to block that operation. We had to do similar in the past to hotfix a bug in our CLI tool. I wrote a blog post about it that might give you an idea: https://www.giantswarm.io/blog/restricting-cluster-admin-permissions

Cosign is used for signing containers through a variety of different methods. It has strong integration with other open source tools, such as Kyverno.

cosign: https://docs.sigstore.dev/cosign/overview/ kyverno: https://kyverno.io/

Kyverno - Kubernetes Native Policy Management

You could use a policy tool like kyverno or OPA.

Kyverno is present in the management cluster;

You do still have to create a policy for every namespace, but don't have to worry about labeling individual pods. We're starting to move to Helm/kustomize for our namespaces to deploy default things like network policies to each one, and we're also starting to use kyverno more, which I think is a little more purpose built for this type of thing than metacontroller is.

I knew it was unsupported so about 6 months ago I had started an effort to switch to Kyverno, which is far better and actually supported. The version of Kyverno I was using had a v1beta1 AdmissionController. Fortunately that was in a helm chart so easily caught by pluto before my upgrade.

Kyverno Kyverno is a policy engine designed for Kubernetes, Kyverno policies can validate, mutate, and generate Kubernetes resources plus ensure OCI image supply chain security.