Versions Compared

Old Version 22

changes.mady.by.user Ray O'Meara

Saved on

compared with

New Version Current

changes.mady.by.user Chris Potts

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Table of Contents

...

This document describes how to install the OpsSight solution (Black Duck and OpsSight Connector) in Amazon EKS (Amazon Elastic Container Services for Kubernetes).
The steps are from the OpsSight Installation Documentation and include any additional information that is relevant to EKS.
Synopsys recommends that you become familiar with the installation documentation because it covers several topics that are not covered on this page.

Overview

OpsSight helps to manage open source risks that are associated with containers in orchestrated environments.
The OpsSight solution consists of Synopsys Operator, OpsSight Connector, and a Black Duck server.

OpsSight Connector works with Black Duck to scan images that are deployed to your EKS cluster for open source security vulnerabilities.
The OpsSight Connector does the following tasks:

...


Synopsys recommends reading the Before You Begin and Overview sections of the OpsSight documentation so that you are familiar with the solution before you start the installation.
The following list describes prerequisites for OpsSight on EKS:

  • Black Duck license
    A license key is required because Blackduck provides the engine for OpsSight.

    Info

    If you are an existing Black Duck customer, contact your Synopsys account manager and ask them about a license for OpsSight.
    If you are a new OpsSight customer, contact opssight-info@synopsys.com and let us know you're interested.


  • EKS cluster
    To configure your EKS cluster, follow Amazon's guide for Get Started on EKS to configure your master and workers.
    Consider the components of the OpsSight solution that you require in your cluster when you plan and size your environment. 

    Info

    When you use all defaults, the following CPU and memory requirements for the components are:

    • OpsSight Connector (1.5 CPU and 6GB RAM)
    • Black Duck (5 CPU and 16GB RAM)

    Deploying the complete OpsSight solution was tested on workers by using the following EC2 instance types: 

    • T2 - t2.2xlarge
    • M4 - m4.2xlarge
    • M5 - m5.2xlarger


  • Access key and secret access key are required for a IAM user with the EC2ContainerRegistryReadOnly policy applied.
    This is used with the OpsSight Cloud Auth component to refresh ECR credentials in the OpsSight configmap, which provides the ability to scan images deployed from ECR.

OpsSight and Black Duck deployment

Synopsys recommends that you use Synopsys Operator to install the OpsSight solution in your EKS cluster.
Synopsys Operator is a cloud-native administration utility for Synopsys software that is used for deploying and managing Synopsys software in cloud-native environments such as EKS.
Click here to refer to the steps for installing all components of the OpsSight solution by using the Synopsys Operator.

EKS-Specific install: Installing the OpsSight-Cloud-Auth component

...

  1. Pre-populate the OpsSight configmap with a placeholder for the ECR registry from which you pull images.

    OpsSight ConfigMap


    Code Block
    themeRDark
    #Locate the OpsSight configmap
kubectl get cm --all-namespaces
 
#Make note of the Namespace where the "opssight" configmap lives
#Edit the ConfigMap, adding a placeholder for the registry
kubectl edit cm -n <<namespace>> opssight -o yaml
 
#Inside "ImageFacade":{PrivateDockerRegistries:[]}, add the ECR Registries to scan, leaving the password blank.
"ImageFacade":{"PrivateDockerRegistries":[{"URL":"accountid.dkr.ecr.region.amazonaws.com","User":"AWS","Password": ""}]}


  2. Download the opssight-cloud-auth-ecr YAML file from the OpsSight connector GitHub page
  3. Populate the following values in the YAML file:
    • AWS_ACCESS_KEY_ID: (Required) The IAM user access key ID.
    • AWS_SECRET_ACCESS_KEY_ID: (Required) The base64 encoded value for the secret access key.
    • AWS_ACCOUNT_IDS: (Required) The AWS account ID, without the dashes.
    • AWS_REGION: (Required) The region where your ECR registry is located. Default value is us-east-1.
    • AWS_ASSUME_ROLE: (Optional) Enter a role ARN for acquiring ECR tokens.
    • AWS_SESSION_TOKEN: (Optional) Enter session tokens for your IAM user if policies mandate it.

  4. Install the OpsSight-Cloud-Auth component by using kubectl as shown in the following example:

    Code Block
    themeRDark
    #Install with kubectl 
kubectl create -f opssight-cloud-auth-ecr.yaml


    The default credential refresh interval is 60 minutes. To change the default value, edit the REFRESH_IN_MINUTES value.
    An error message might display in the opssight-cloud-auth container. The error message is dismissed when the tokens refresh.

Post-Deployment: results, and performance tuning

...

You can manually edit the configuration parameters for OpsSight.
Refer to the OpsSight Configuration Guide for more information.


Info

To deploy a sample application and see OpsSight working, refer to the Launch a Guest Book Application tutorial on the EKS Getting Started page.

...