Quay Container Security Operator (CSO)

Scan pod images with the Red Hat Quay Container Security Operator (CSO).

The Container Security Operator brings Quay and Clair metadata to Kubernetes / Red Hat OpenShift, allowing us to scan images for vulnerabilities and compliance issues. This helps ensure that the images used in our pods are secure and compliant with relevant standards.

Installing the Quay CSO Operator

  • Open a browser window and log in to the Red Hat OpenShift Container Platform web console.

  • From the Administrator perspective, click Operators, then OperatorHub.

  • In the Filter by keyword field, type Quay.

  • Select the Red Hat Quay Container Security Operator tile and click Install.

  • Select stable-3.8 from the list of available Update Channel options. Choose All namespaces on the cluster (default) as the installation mode. Choose Automatic update approval.

  • Click Install to start the installation process.

Checking the image vulnerabilities through the Red Hat OpenShift web console

  • Deploy a vulnerable image. For this example, we are going to deploy an old, vulnerable httpd image.

# QUAY_HOSTNAME must already hold the hostname of our Quay registry,
# and podman must be logged in to both registries.

# Pull the image
podman pull registry.redhat.io/rhel8/httpd-24:1-30

# Tag the image for our Quay registry
podman tag registry.redhat.io/rhel8/httpd-24:1-30 ${QUAY_HOSTNAME}/olleb/httpd-24:1-30

# Push it to our Quay registry
podman push ${QUAY_HOSTNAME}/olleb/httpd-24:1-30
  • Navigate to the Quay registry endpoint and select the olleb/httpd-24 repository that Quay created automatically in the previous step.

  • Select Settings and then click Make Public.

  • Open the Red Hat OpenShift Container Platform web console and create a new project by clicking Projects, then Create Project. Name the project vuln-httpd and click Create.

  • In the vuln-httpd project, deploy the vulnerable image by clicking Workloads, then Deployments, then Create Deployment.

  • Replace the default image value with the image from our Quay registry. Set the number of replicas as desired and enter httpd as the name.

  • Click Create.

  • Red Hat OpenShift will start the deployment and create the pod. Go to Workloads, then Pods, and select one of the httpd pods. Select the Vulnerabilities tab.

  • Click on the security scan results.


Additionally, once the CSO operator is installed, a new Image Vulnerabilities status is shown on the cluster overview.

  • Click Image Vulnerabilities.

  • Click View all and then click on the Manifest related to olleb/httpd-24.


You will be redirected to the Quay Security Scanner Dashboard.

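The same scan results also reach the cluster as ImageManifestVuln objects (API group secscan.quay.redhat.com) that can be read with oc instead of the web console. The following is an added example, not code from this page or from the CSO project: it summarizes one such object by severity and lists the affected pods. The field layout (spec.features[].vulnerabilities[] with name, severity and fixedby; status.affectedPods keyed by namespace/pod) is an assumption to verify with `oc explain imagemanifestvuln.spec`, and the sample object is constructed with placeholder CVE ids and digests.

```python
import json
from collections import Counter

# Constructed sample resembling one item of:
#   oc get imagemanifestvuln -n vuln-httpd -o json
# CVE ids, versions and digests are placeholders, not real findings.
SAMPLE_IMV = json.loads("""
{
  "metadata": {"name": "sha256.PLACEHOLDER-DIGEST", "namespace": "vuln-httpd"},
  "spec": {
    "image": "quay.example.com/olleb/httpd-24",
    "features": [
      {"name": "openssl-libs", "version": "1.1.1-0.example",
       "vulnerabilities": [
         {"name": "CVE-EXAMPLE-0001", "severity": "High", "fixedby": "1.1.1-1.example"},
         {"name": "CVE-EXAMPLE-0002", "severity": "Medium", "fixedby": ""}]},
      {"name": "httpd", "version": "2.4.37-0.example",
       "vulnerabilities": [
         {"name": "CVE-EXAMPLE-0003", "severity": "Critical", "fixedby": "2.4.37-1.example"}]}
    ]
  },
  "status": {"affectedPods": {"vuln-httpd/httpd-7d9f8c6b5-abcde": ["cri-o://PLACEHOLDER"]}}
}
""")

# Clair severity levels, most severe first (assumed ordering).
SEVERITY_ORDER = ["Critical", "High", "Medium", "Low", "Negligible", "Unknown"]

def summarize(imv):
    """Return per-severity counts, the number of fixable findings, and affected pods."""
    counts, fixable = Counter(), 0
    for feature in imv["spec"].get("features", []):
        for vuln in feature.get("vulnerabilities", []):
            counts[vuln.get("severity", "Unknown")] += 1
            if vuln.get("fixedby"):  # an empty fixedby means no fixed package exists yet
                fixable += 1
    highest = next((s for s in SEVERITY_ORDER if counts[s]), None)
    return {"image": imv["spec"]["image"], "highest": highest,
            "counts": dict(counts), "fixable": fixable,
            "pods": sorted(imv.get("status", {}).get("affectedPods", {}))}

def should_block(summary, threshold="High"):
    """True if the highest severity is at or above the threshold (e.g. for a CI gate)."""
    blocked = SEVERITY_ORDER[:SEVERITY_ORDER.index(threshold) + 1]
    return summary["highest"] in blocked

if __name__ == "__main__":
    result = summarize(SAMPLE_IMV)
    print(json.dumps(result, indent=2))
    print("block rollout:", should_block(result))
```

On a live cluster, feed each item of `oc get imagemanifestvuln -A -o json` to summarize() to get the same per-image view the Vulnerabilities tab shows.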