Introduction

This document describes how to install the OpsSight solution (Black Duck and OpsSight Connector) in Amazon EKS (Amazon Elastic Container Services for Kubernetes).
The steps are from the OpsSight Installation Documentation and include any additional information that is relevant to EKS.
Synopsys recommends that you become familiar with the installation documentation because it covers several topics that are not covered on this page.

Overview

OpsSight helps to manage open source risks that are associated with containers in orchestrated environments.
The OpsSight solution consists of Synopsys Operator, OpsSight Connector, and a Black Duck server.

OpsSight Connector works with Black Duck to scan images that are deployed to your EKS cluster for open source security vulnerabilities.
The OpsSight Connector does the following tasks:

• Discovers new objects in your cluster.
• Determines content of objects in your cluster and sends signature information to one or more Black Duck instances.
• Receives security scan information from Black Duck.
• Annotates and labels cluster objects with security status.
• Provides metrics about security scanning rates.

Black Duck provides the engine of the OpsSight scanner. Scan results are available in your Black Duck instance.
When an image is scanned, OpsSight annotates and labels the associated containers with information such as Black Duck policy violations and the number of vulnerabilities.
These container annotations are used to enforce security policies, and to ensure that vulnerable containers are not deployed in production environments.

Prerequisites

Synopsys recommends reading the Before You Begin and Overview sections of the OpsSight documentation so that you are familiar with the solution before you start the installation.
The following list describes prerequisites for OpsSight on EKS:

• Black Duck license
  A license key is required because Blackduck provides the engine for OpsSight.
  

  If you are an existing Black Duck customer, contact your Synopsys account manager and ask them about a license for OpsSight. If you are a new OpsSight customer, contact opssight-info@synopsys.com and let us know you're interested.

  
  

• EKS cluster
  To configure your EKS cluster, follow Amazon's guide for Get Started on EKS to configure your master and workers.
  Consider the components of the OpsSight solution that you require in your cluster when you plan and size your environment. 

  When you use all defaults, the following CPU and memory requirements for the components are: OpsSight Connector (1.5 CPU and 6GB RAM) Black Duck (5 CPU and 16GB RAM) Deploying the complete OpsSight solution was tested on workers by using the following EC2 instance types:  T2 - t2.2xlarge M4 - m4.2xlarge M5 - m5.2xlarger

  
  

• Access key and secret access key are required for a IAM user with the EC2ContainerRegistryReadOnly policy applied.
  This is used with the OpsSight Cloud Auth component to refresh ECR credentials in the OpsSight configmap, which provides the ability to scan images deployed from ECR.
  

OpsSight and Black Duck deployment

Synopsys recommends that you use Synopsys Operator to install the OpsSight solution in your EKS cluster.
Synopsys Operator is a cloud-native administration utility for Synopsys software that is used for deploying and managing Synopsys software in cloud-native environments such as EKS.
Click here to refer to the steps for installing all components of the OpsSight solution by using the Synopsys Operator.

EKS-Specific install: Installing the OpsSight-Cloud-Auth component

When you install OpsSight into your EKS cluster, you might need to scan images that originate from ECR.
These include image updates that Amazon periodically pushes to the cluster.

ECR authentication tokens expire 12 hours after they're generated.
To avoid having to modify the OpsSight configmap with new tokens every 12 hours, Synopsys provides a component that gets, applies, and refreshes the temporary tokens in the OpsSight configmap. 

To install the OpsSight-Cloud-Auth component, use the following process, inputting the information for an IAM user with the EC2ContainerRegistryReadOnly policy applied.

1. Pre-populate the OpsSight configmap with a placeholder for the ECR registry from which you pull images.

   OpsSight ConfigMap

   
   

   #Locate the OpsSight configmap kubectl get cm --all-namespaces #Make note of the Namespace where the "opssight" configmap lives #Edit the ConfigMap, adding a placeholder for the registry kubectl edit cm -n <<namespace>> opssight -o yaml #Inside "ImageFacade":{PrivateDockerRegistries:[]}, add the ECR Registries to scan, leaving the password blank. "ImageFacade":{"PrivateDockerRegistries":[{"URL":"accountid.dkr.ecr.region.amazonaws.com","User":"AWS","Password": ""}]}

   
   

2. Download the opssight-cloud-auth-ecr YAML file from the OpsSight connector GitHub page. 
3. Populate the following values in the YAML file:
   • AWS_ACCESS_KEY_ID: (Required) The IAM user access key ID.
   • AWS_SECRET_ACCESS_KEY_ID: (Required) The base64 encoded value for the secret access key.
   • AWS_ACCOUNT_IDS: (Required) The AWS account ID, without the dashes.
   • AWS_REGION: (Required) The region where your ECR registry is located. Default value is us-east-1.
   • AWS_ASSUME_ROLE: (Optional) Enter a role ARN for acquiring ECR tokens.
   • AWS_SESSION_TOKEN: (Optional) Enter session tokens for your IAM user if policies mandate it.

4. Install the OpsSight-Cloud-Auth component by using kubectl as shown in the following example:

   #Install with kubectl kubectl create -f opssight-cloud-auth-ecr.yaml

   
   The default credential refresh interval is 60 minutes. To change the default value, edit the REFRESH_IN_MINUTES value.
   
   An error message might display in the opssight-cloud-auth container. The error message is dismissed when the tokens refresh.

Post-Deployment: results, and performance tuning

The following information provides details about post-deployment activities.

Manually trigger your first scan

When the OpsSight Connector is started, it automatically starts to scan containers.

Consuming the results

Refer to the OpsSight Usage Guide to learn how to manage OpsSight data.
View pod annotations and labels on the Kubernetes Dashboard.

Performance tuning for the OpsSight Connector

You can manually edit the configuration parameters for OpsSight.
Refer to the OpsSight Configuration Guide for more information.