This document describes how to install the OpsSight solution (Black Duck and OpsSight Connector) in Amazon EKS (Amazon Elastic Container Services for Kubernetes).
The steps are from the OpsSight Installation Documentation and include any additional information that is relevant to EKS.
Synopsys recommends that you become familiar with the installation documentation because it covers several topics that are not covered on this page.
OpsSight helps to manage open source risks that are associated with containers in orchestrated environments.
The OpsSight solution consists of Synopsys Operator, OpsSight Connector, and a Black Duck server.
OpsSight Connector works with Black Duck to scan images that are deployed to your EKS cluster for open source security vulnerabilities.
The OpsSight Connector does the following tasks:
Black Duck provides the engine of the OpsSight scanner. Scan results are available in your Black Duck instance.
When an image is scanned, OpsSight annotates and labels the associated containers with information such as Black Duck policy violations and the number of vulnerabilities.
These container annotations are used to enforce security policies, and to ensure that vulnerable containers are not deployed in production environments.
Synopsys recommends reading the Before You Begin and Overview sections of the OpsSight documentation so that you are familiar with the solution before you start the installation.
The following list describes prerequisites for OpsSight on EKS:
Black Duck license
A license key is required because Blackduck provides the engine for OpsSight.
If you are an existing Black Duck customer, contact your Synopsys account manager and ask them about a license for OpsSight. |
EKS cluster
To configure your EKS cluster, follow Amazon's guide for Get Started on EKS to configure your master and workers.
Consider the components of the OpsSight solution that you require in your cluster when you plan and size your environment.
When you use all defaults, the following CPU and memory requirements for the components are:
Deploying the complete OpsSight solution was tested on workers by using the following EC2 instance types:
|
Synopsys recommends that you use Synopsys Operator to install the OpsSight solution in your EKS cluster.
Synopsys Operator is a cloud-native administration utility for Synopsys software that is used for deploying and managing Synopsys software in cloud-native environments such as EKS.
Click here to refer to the steps for installing all components of the OpsSight solution by using the Synopsys Operator.
When you install OpsSight into your EKS cluster, you might need to scan images that originate from ECR.
These include image updates that Amazon periodically pushes to the cluster.
ECR authentication tokens expire 12 hours after they're generated.
To avoid having to modify the OpsSight configmap with new tokens every 12 hours, Synopsys provides a component that gets, applies, and refreshes the temporary tokens in the OpsSight configmap.
To install the OpsSight-Cloud-Auth component, use the following process, inputting the information for an IAM user with the EC2ContainerRegistryReadOnly policy applied.
Pre-populate the OpsSight configmap with a placeholder for the ECR registry from which you pull images.
OpsSight ConfigMap#Locate the OpsSight configmap kubectl get cm --all-namespaces #Make note of the Namespace where the "opssight" configmap lives #Edit the ConfigMap, adding a placeholder for the registry kubectl edit cm -n <<namespace>> opssight -o yaml #Inside "ImageFacade":{PrivateDockerRegistries:[]}, add the ECR Registries to scan, leaving the password blank. "ImageFacade":{"PrivateDockerRegistries":[{"URL":"accountid.dkr.ecr.region.amazonaws.com","User":"AWS","Password": ""}]} |
Install the OpsSight-Cloud-Auth component by using kubectl as shown in the following example:
#Install with kubectl kubectl create -f opssight-cloud-auth-ecr.yaml |
The default credential refresh interval is 60 minutes. To change the default value, edit the REFRESH_IN_MINUTES
value.
An error message might display in the opssight-cloud-auth container. The error message is dismissed when the tokens refresh.
The following information provides details about post-deployment activities.
When the OpsSight Connector is started, it automatically starts to scan containers.
Refer to the OpsSight Usage Guide to learn how to manage OpsSight data.
View pod annotations and labels on the Kubernetes Dashboard.
You can manually edit the configuration parameters for OpsSight.
Refer to the OpsSight Configuration Guide for more information.
To deploy a sample application and see OpsSight working, refer to the Launch a Guest Book Application tutorial on the EKS Getting Started page. |