Deploying Black Duck OpsSight in Pivotal Container Service (VMware Tanzu)

Introduction

This document describes how to install the Black Duck OpsSight solution in Pivotal Container Service (PKS).
The steps are drawn from the parts of the OpsSight Installation Documentation that are relevant to PKS.
Synopsys recommends that you become familiar with the installation documentation because it covers several topics that are not covered here.

Overview

OpsSight helps to manage open source risks that are associated with containers in orchestrated environments. The OpsSight solution consists of Synopsys Operator, OpsSight Connector, and a Black Duck server.

OpsSight Connector works with Black Duck to scan images that are deployed to your PKS cluster for open source security vulnerabilities.
The OpsSight Connector does the following tasks:

  • Discovers new objects in your cluster.

  • Determines the content of objects in your cluster and sends signature information to one or more Black Duck instances.

  • Receives security scan information from Black Duck.

  • Annotates and labels cluster objects with security status.

  • Provides metrics about security scanning rates.

Black Duck provides the engine for the OpsSight scanner. Scan results are available in your Black Duck instance.
When an image is scanned, OpsSight annotates and labels the associated containers with information such as Black Duck policy violations and the number of vulnerabilities.
These container annotations are used to enforce security policies, and to ensure that vulnerable containers are not deployed in production environments.
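
The following added example, which is not part of the OpsSight documentation, shows how such annotations can gate a deployment decision: it reads the JSON produced by `kubectl get pods --all-namespaces -o json` and treats a pod with no readable scan status as unscanned rather than clean. The annotation keys, pod names and sample data are constructed placeholders; substitute the keys that your OpsSight version writes.

```python
import json

# ASSUMPTION: placeholder keys, not OpsSight's real ones. Replace them with the
# annotation/label keys you see on your pods in the Kubernetes Dashboard.
VIOLATIONS_KEY = "opssight.example/policy-violations"
VULNS_KEY = "opssight.example/vulnerabilities"

# Constructed sample in the shape of `kubectl get pods --all-namespaces -o json`.
SAMPLE_POD_LIST = json.dumps({"items": [
    {"metadata": {"namespace": "prod", "name": "payments-7c9d",
                  "annotations": {VIOLATIONS_KEY: "2", VULNS_KEY: "14"}}},
    {"metadata": {"namespace": "prod", "name": "frontend-5b21",
                  "annotations": {VIOLATIONS_KEY: "0", VULNS_KEY: "0"}}},
    {"metadata": {"namespace": "dev", "name": "batch-0a11", "annotations": None}},
    {"metadata": {"namespace": "dev", "name": "cache-3f07",
                  "labels": {VIOLATIONS_KEY: "0", VULNS_KEY: "unknown"}}},
]})

def _count(meta, key):
    """Return the integer stored under key in annotations or labels, else None."""
    for source in ("annotations", "labels"):
        raw = (meta.get(source) or {}).get(key)  # field may be absent or null
        if raw is not None:
            try:
                return int(raw)
            except ValueError:
                return None  # unparseable status is treated as missing
    return None

def triage(pod_list_json, max_vulns=0):
    """Sort pods into 'blocked', 'allowed' and 'unscanned' by scan status."""
    result = {"blocked": [], "allowed": [], "unscanned": []}
    for pod in json.loads(pod_list_json).get("items", []):
        meta = pod.get("metadata", {})
        name = f"{meta.get('namespace', 'default')}/{meta.get('name')}"
        violations, vulns = _count(meta, VIOLATIONS_KEY), _count(meta, VULNS_KEY)
        if violations is None or vulns is None:
            result["unscanned"].append(name)  # fail closed: no status is not a pass
        elif violations > 0 or vulns > max_vulns:
            result["blocked"].append(name)
        else:
            result["allowed"].append(name)
    return result

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_POD_LIST), indent=2))
```
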

Prerequisites

Synopsys recommends reading the Before You Begin and Overview sections of the OpsSight documentation so that you are familiar with the solution before you start the installation.
The following list describes prerequisites for OpsSight on PKS:

  • Black Duck license
    A license key is required because Black Duck provides the engine for OpsSight.

    If you are an existing Black Duck customer, contact your Synopsys account manager and ask them about a license for OpsSight.
    If you are a new OpsSight customer, email opssight-info@synopsys.com and let us know you're interested.

  • PKS cluster
    To configure your PKS cluster, follow Pivotal's guide for Get Started on PKS to provision, operate, and manage enterprise-grade Kubernetes clusters using BOSH and Pivotal Ops Manager.

    Consider the components of the OpsSight solution that you require in your cluster when you plan and size your environment.

When you use all defaults, the CPU and memory requirements for the components are as follows:

  • OpsSight Connector (1.5 CPU and 6GB RAM)

  • Black Duck (5 CPU and 16GB RAM)

Deploying the complete OpsSight solution was tested on workers by using the following EC2 instance types:

  • T2 - t2.2xlarge

  • M4 - m4.2xlarge

  • M5 - m5.2xlarge

OpsSight and Black Duck deployment

Synopsys recommends that you use Synopsys Operator to install the OpsSight solution in your PKS cluster.
Synopsys Operator is a cloud-native administration utility for Synopsys software that is used for deploying and managing Synopsys software in cloud-native environments such as PKS.
Click here to refer to the steps for installing all components of the OpsSight solution by using the Synopsys Operator.

Deploying Black Duck on Pivotal

Click here to learn how to deploy Black Duck in Pivotal Container Services (PKS).

Post-Deployment: results and performance tuning

The following information provides details about post-deployment activities.

  • Manually trigger your first scan.
    When the OpsSight Connector is started, it automatically starts to scan containers.

  • Consuming the results.
    Refer to the OpsSight Usage Guide to learn how to manage OpsSight data.
    View pod annotations and labels on the Kubernetes Dashboard.

  • Performance tuning for the OpsSight Connector.
    You can manually edit the configuration parameters for OpsSight.
    Refer to the OpsSight Configuration Guide for more information.

To deploy a sample application that shows OpsSight working, refer to the Launch a Guest Book Application tutorial on the PKS Getting Started page.