Deploying Black Duck and OpsSight to Google Kubernetes Engine

Introduction

This document describes how to install the OpsSight solution in Google's GKE (Google Kubernetes Engine). This page summarizes the installation documentation at /wiki/spaces/BDLM/pages/34242566 and adds information that is specifically relevant to GKE. Synopsys recommends familiarizing yourself with the installation documents, because they cover a broad range of topics that are not covered in this document.

Note: You must have purchased an OpsSight license to use OpsSight with Black Duck.

What is OpsSight?

OpsSight helps manage open-source risks associated with containers in orchestrated environments. The OpsSight solution consists of Synopsys Operator, OpsSight Connector, and a Black Duck server.

OpsSight Connector works with Black Duck to scan images deployed to your GKE cluster for open-source security vulnerabilities. The OpsSight Connector performs the following tasks:

  • Discovers new objects in your cluster.
  • Determines content of objects in your cluster and sends signature information to one or more Black Duck instances.
  • Receives security-scan information back from Black Duck.
  • Annotates and labels cluster objects with security status.
  • Provides metrics about security scanning rates.

Black Duck provides the 'brain' of the OpsSight scanner, and detailed scan results are available in your Black Duck instance. When an image is scanned, OpsSight annotates and labels the associated containers with information, such as Black Duck policy violations and the number of vulnerabilities found. You can use these container annotations to enforce security policies, and to ensure that vulnerable containers are not deployed in production environments.
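The annotation-based enforcement described above, as an added example written for this page (not OpsSight's or Synopsys's own code): a small policy evaluator that reads a pod's scan annotations and decides whether the pod is acceptable in a production namespace. The annotation key names, the thresholds and the sample pod are assumptions; substitute the keys your OpsSight Connector version actually writes.

```python
# Added example (not from the OpsSight docs): gate production pods on the
# scan annotations OpsSight writes. The annotation key names below are
# constructed placeholders; use the keys your OpsSight Connector writes.
from dataclasses import dataclass

ANN_STATUS = "blackduck.example/overall-status"         # placeholder key
ANN_VIOLATIONS = "blackduck.example/policy-violations"  # placeholder key
ANN_VULNS = "blackduck.example/vulnerabilities"         # placeholder key

@dataclass
class Policy:
    max_vulnerabilities: int = 0          # highest count tolerated in prod
    allow_policy_violations: bool = False
    require_scan: bool = True             # reject pods with no scan result
    prod_namespaces: tuple = ("prod",)

def _to_int(value, default=0):
    """Annotation values are strings; treat missing or malformed ones as 0."""
    try:
        return int(value)
    except (TypeError, ValueError):
        return default

def evaluate_pod(pod: dict, policy: Policy):
    """Return (allowed, reasons) for a pod manifest carrying scan annotations."""
    meta = pod.get("metadata", {})
    if meta.get("namespace", "default") not in policy.prod_namespaces:
        return True, ["namespace not production; policy not applied"]
    ann = meta.get("annotations") or {}
    reasons = []
    if ANN_STATUS not in ann:
        # No scan result yet: fail closed unless the policy says otherwise.
        if policy.require_scan:
            reasons.append("no Black Duck scan result recorded on pod")
        return not reasons, reasons
    violations = _to_int(ann.get(ANN_VIOLATIONS))
    if violations and not policy.allow_policy_violations:
        reasons.append(f"{violations} Black Duck policy violation(s)")
    vulns = _to_int(ann.get(ANN_VULNS))
    if vulns > policy.max_vulnerabilities:
        reasons.append(f"{vulns} vulnerabilities exceed limit of "
                       f"{policy.max_vulnerabilities}")
    return not reasons, reasons

# Constructed sample: a pod as it might look after OpsSight annotated it.
SAMPLE_POD = {"metadata": {"name": "hello-app", "namespace": "prod",
              "annotations": {ANN_STATUS: "IN_VIOLATION",
                              ANN_VIOLATIONS: "1", ANN_VULNS: "7"}}}
```

Run `evaluate_pod(SAMPLE_POD, Policy())` to see the sample pod rejected with both reasons; the same function can back a validating admission webhook or a periodic audit over `kubectl get pods -o json` output.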

Prerequisites

Before you get started with OpsSight on GKE, you must satisfy the following requirements:

  1. Black Duck license.
    Black Duck is required for OpsSight, so a license key for Black Duck is necessary.
    • If you are an existing Black Duck customer, contact your Account Manager and ask them about a license for OpsSight.
    • If you are a new OpsSight customer, contact opssight-info@synopsys.com and let us know that you're interested.

  2. GKE cluster.
    If you're new to GKE, follow Google's Quickstart for GKE to create your cluster. Consider the components of the OpsSight solution that you must run in your cluster when you size your environment. When you use all the defaults, the CPU and memory requirements for the components are as follows:
    • OpsSight Connector
      • 1.5 CPU
      • 6GB RAM
    • Black Duck
      • 5 CPU
      • 16GB RAM


Synopsys recommends that you read the /wiki/spaces/BDLM/pages/34537683 and /wiki/spaces/BDLM/pages/34275718 sections of the OpsSight documentation to become familiar with the solution before you start the installation.

OpsSight installation

The Synopsys recommended method for installing the OpsSight solution in GKE is by using /wiki/spaces/BDLM/pages/34373652. Synopsys Operator is a cloud-native administration utility for Synopsys software that assists in the deployment and management of Synopsys software in orchestrated environments such as GKE. Learn about Synopsys Operator at /wiki/spaces/BDLM/pages/34373652. To install all components of the OpsSight solution using the Synopsys Operator, follow the steps at /wiki/spaces/BDLM/pages/34406790.

Authenticating with a private GCR

OpsSight cannot pull images that are stored in a private Google Container Registry.
Contact your authorized support representative for more information.

Post-Deployment: results, and performance tuning

The following information provides details about post-deployment activities:

Manually trigger your first scan

When the OpsSight Connector is up and running, it automatically scans containers.
If you deployed the sample application as part of the GKE quickstart, you can see it being scanned.

Consuming the results

Refer to the /wiki/spaces/BDLM/pages/34308463 to learn how to manage OpsSight data.
View pod annotations and labels on the Kubernetes Dashboard.

Performance tuning for the OpsSight Connector

The OpsSight Connector can be customized at every level. Tune OpsSight for your cluster by adjusting logging, memory usage, CPU, timeouts and other parameters.
When you first install OpsSight, typical defaults are pre-selected and taken from your command-line input. After OpsSight is running, you can manually edit the configuration parameters for OpsSight.

Refer to the /wiki/spaces/BDLM/pages/34373997 for more information.

Support

If you have questions, email opssight-info@synopsys.com.

©2020 Synopsys, Inc. All Rights Reserved