"OpenShift 4.x HOL Tutorial Collection"
Note: the steps in this article were verified on OpenShift 4.9.
Clair was originally developed by CoreOS as a container image vulnerability scanner; after Red Hat acquired CoreOS, Clair became a Red Hat-led open source project for scanning container images for known vulnerabilities.
As open source software, Clair can run on its own or be embedded in other products. Red Hat's image registry product Quay ships Clair as its built-in image scanner. This tutorial deploys Clair v4 standalone on OpenShift in "combo" mode (indexer, matcher and notifier in one process), backed by PostgreSQL, and scans an image with the clairctl client.
Create a project to deploy into:
$ oc new-project quay-enterprise
Save the following as clairv4-postgres.yaml. It defines the PostgreSQL Deployment that Clair stores its index and vulnerability data in, plus the PersistentVolumeClaim it mounts. Two points to be aware of: the `volumeName` on the claim pins it to a PersistentVolume named clairv4-postgres, so if no such PV exists the claim stays Pending (drop that line to let the default StorageClass provision the volume instead); and POSTGRES_PASSWORD is set in clear text in the pod spec and repeated in the Clair config below, which is fine for a lab but for anything else belongs in a Secret referenced via valueFrom.secretKeyRef, with TLS on the connection rather than sslmode=disable.
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: clairv4-postgres
  namespace: quay-enterprise
  labels:
    quay-component: clairv4-postgres
spec:
  replicas: 1
  selector:
    matchLabels:
      quay-component: clairv4-postgres
  template:
    metadata:
      labels:
        quay-component: clairv4-postgres
    spec:
      volumes:
        - name: postgres-data
          persistentVolumeClaim:
            claimName: clairv4-postgres
      containers:
        - name: postgres
          image: postgres:11.5
          imagePullPolicy: "IfNotPresent"
          resources:
            limits:
              cpu: '2'
              memory: 6Gi
            requests:
              cpu: '1'
              memory: 4Gi
          ports:
            - containerPort: 5432
          env:
            - name: POSTGRES_USER
              value: "postgres"
            - name: POSTGRES_DB
              value: "clair"
            - name: POSTGRES_PASSWORD
              value: "postgres"
            - name: PGDATA
              value: "/etc/postgres/data"
          volumeMounts:
            - name: postgres-data
              mountPath: "/etc/postgres"
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: clairv4-postgres
  labels:
    quay-component: clairv4-postgres
spec:
  accessModes:
    - "ReadWriteOnce"
  resources:
    requests:
      storage: "10Gi"
  volumeName: "clairv4-postgres"
Create the resources, then expose the Deployment as a ClusterIP Service. The Service name, clairv4-postgres, is the host that the connstring in the Clair config below points at:
$ oc create -f clairv4-postgres.yaml
$ oc expose deployment/clairv4-postgres
Save the following as config.yaml. The file name matters: the Secret created from it is mounted into the Clair pod at /clair/config.yaml, which is what CLAIR_CONF points to. Port 8080 is the API that clients and Quay talk to; port 8089 is the introspection endpoint (metrics and debug handlers) and should stay cluster-internal. log_level: debug is useful while setting up but verbose in normal operation.
introspection_addr: :8089
http_listen_addr: :8080
log_level: debug
indexer:
  connstring: host=clairv4-postgres port=5432 dbname=clair user=postgres password=postgres sslmode=disable
  scanlock_retry: 10
  layer_scan_concurrency: 5
  migrations: true
matcher:
  connstring: host=clairv4-postgres port=5432 dbname=clair user=postgres password=postgres sslmode=disable
  max_conn_pool: 100
  run: ""
  migrations: true
  indexer_addr: clair-indexer
notifier:
  connstring: host=clairv4-postgres port=5432 dbname=clair user=postgres password=postgres sslmode=disable
  delivery: 1m
  poll_interval: 5m
  migrations: true
Store it as a Secret (run this from the directory that holds config.yaml):
$ oc create secret generic clairv4-config-secret --from-file=./config.yaml
Save the following as clair-combo.yaml. CLAIR_MODE=combo runs the indexer, matcher and notifier in a single process, which is the simplest layout for a lab; production deployments split them into separate Deployments. The quay.io/projectquay/clair image is public, so the imagePullSecrets entry is optional here and can be removed if you have no redhat-pull-secret in the project.
---
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    quay-component: clair-combo
  name: clair-combo
spec:
  replicas: 1
  selector:
    matchLabels:
      quay-component: clair-combo
  template:
    metadata:
      labels:
        quay-component: clair-combo
    spec:
      containers:
        - image: quay.io/projectquay/clair:4.1.0
          imagePullPolicy: IfNotPresent
          name: clair-combo
          env:
            - name: CLAIR_CONF
              value: /clair/config.yaml
            - name: CLAIR_MODE
              value: combo
          ports:
            - containerPort: 8080
              name: clair-http
              protocol: TCP
            - containerPort: 8089
              name: clair-intro
              protocol: TCP
          volumeMounts:
            - mountPath: /clair/
              name: config
      imagePullSecrets:
        - name: redhat-pull-secret
      restartPolicy: Always
      volumes:
        - name: config
          secret:
            secretName: clairv4-config-secret
---
apiVersion: v1
kind: Service
metadata:
  name: clairv4
  labels:
    quay-component: clair-combo
spec:
  ports:
    - name: clair-http
      port: 80
      protocol: TCP
      targetPort: 8080
    - name: clair-introspection
      port: 8089
      protocol: TCP
      targetPort: 8089
  selector:
    quay-component: clair-combo
  type: ClusterIP
Apply it and expose the Service as a Route. With two ports on the Service, oc expose routes the first one (clair-http); the introspection port is deliberately left without a Route:
$ oc apply -f clair-combo.yaml
$ oc expose svc/clairv4
Check that both pods are Running and that the Route exists:
$ oc get all
NAME                                   READY   STATUS    RESTARTS   AGE
pod/clair-combo-6754dcfd75-wwbt9       1/1     Running   0          34s
pod/clairv4-postgres-b9f679dc6-fhmcs   1/1     Running   0          2m51s

NAME                       TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)           AGE
service/clairv4            ClusterIP   10.217.4.159   <none>        80/TCP,8089/TCP   34s
service/clairv4-postgres   ClusterIP   10.217.5.64    <none>        5432/TCP          119s

NAME                               READY   UP-TO-DATE   AVAILABLE   AGE
deployment.apps/clair-combo        1/1     1            1           34s
deployment.apps/clairv4-postgres   1/1     1            1           2m51s

NAME                                         DESIRED   CURRENT   READY   AGE
replicaset.apps/clair-combo-6754dcfd75       1         1         1       34s
replicaset.apps/clairv4-postgres-b9f679dc6   1         1         1       2m51s

NAME                               HOST/PORT                                                                  PATH   SERVICES   PORT         TERMINATION   WILDCARD
route.route.openshift.io/clairv4   clairv4-quay-enterprise.crc-dzk9v-master-0.crc.fa7bdknrdb3y.instruqt.io          clairv4    clair-http                 None
Note the empty TERMINATION column: this Route serves plain HTTP, so everything clairctl sends, including the image manifests it submits, crosses the cluster edge unencrypted. That is acceptable for this lab; outside it, create the Route with edge or re-encrypt TLS termination instead.
Download the Clair client, clairctl, from https://github.com/quay/clair/releases. Ideally pick the release that matches the server image (4.1.0 above); the 4.3.5 client used here speaks the same v1 indexer/matcher API, so it also works against the 4.1.0 server.
$ curl -L https://github.com/quay/clair/releases/download/v4.3.5/clairctl-linux-amd64 -o ~/clairctl
$ chmod +x ~/clairctl
$ PATH=$PATH:~/
Point the client at the Route created above:
$ CLAIR_HOST=http://$(oc get route clairv4 -o jsonpath={.spec.host})
clairctl report resolves the image reference (here redhat/ubi8 on Docker Hub), submits the manifest and layer URLs to the indexer, then fetches the vulnerability report from the matcher and prints it. The Clair pod, not the client, downloads the layers, so it needs network access to the registry:
$ clairctl report -host ${CLAIR_HOST} redhat/ubi8
Pin a tag to scan a specific build rather than whatever :latest currently points to:
$ clairctl report -host ${CLAIR_HOST} redhat/ubi8:8.4-206
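By default clairctl prints the report as text; with `-o json` (see `clairctl report -h`) it emits Clair's VulnerabilityReport as JSON, which is what you want when the scan gates a pipeline rather than a person reading it. The script below is an added example, not code from this tutorial or from the Clair project. It assumes the VulnerabilityReport layout: top-level maps `packages`, `vulnerabilities` and `package_vulnerabilities` (package id to list of vulnerability ids), with `normalized_severity` and `fixed_in_version` on each vulnerability. The embedded SAMPLE_REPORT, its package names and the EXAMPLE-000x vulnerability names are constructed for illustration, not the output of a real scan.

```python
"""Fail a pipeline step on a Clair v4 vulnerability report.

Added example for this tutorial; not code from the tutorial or from the
Clair project. Assumes the JSON layout of Clair v4's VulnerabilityReport
as written by `clairctl report -o json <image>`: top-level maps
"packages", "vulnerabilities" and "package_vulnerabilities" (package id
-> list of vulnerability ids), each vulnerability carrying
"normalized_severity" and "fixed_in_version". SAMPLE_REPORT is constructed.

Usage: python3 clair_gate.py report.json [threshold] [--fixable-only]
"""
import json
import sys

# Clair's normalized severities, least to most severe.
SEVERITY_ORDER = ["Unknown", "Negligible", "Low", "Medium", "High", "Critical"]

# Constructed sample in the VulnerabilityReport shape; all names are placeholders.
SAMPLE_REPORT = json.dumps({
    "manifest_hash": "sha256:" + "0" * 64,
    "packages": {
        "1": {"id": "1", "name": "example-tls-lib", "version": "1.0.0-1"},
        "2": {"id": "2", "name": "example-shell", "version": "4.4.0-1"},
    },
    "vulnerabilities": {
        "10": {"id": "10", "name": "EXAMPLE-0001", "normalized_severity": "High",
               "fixed_in_version": "1.0.0-2"},
        "11": {"id": "11", "name": "EXAMPLE-0002", "normalized_severity": "Low",
               "fixed_in_version": ""},
        "12": {"id": "12", "name": "EXAMPLE-0003", "normalized_severity": "Medium",
               "fixed_in_version": ""},
    },
    "package_vulnerabilities": {"1": ["10", "12"], "2": ["11"]},
})


def load_report(text):
    """Parse a JSON vulnerability report into a dict."""
    return json.loads(text)


def severity_rank(name):
    """Index of a normalized severity in SEVERITY_ORDER; unrecognised -> Unknown (0)."""
    try:
        return SEVERITY_ORDER.index(name)
    except ValueError:
        return 0


def findings(report):
    """Flatten the report into one record per (package, vulnerability) pair, most severe first."""
    packages = report.get("packages", {})
    vulns = report.get("vulnerabilities", {})
    out = []
    for pkg_id, vuln_ids in report.get("package_vulnerabilities", {}).items():
        pkg = packages.get(pkg_id, {})
        for vid in vuln_ids:
            vuln = vulns.get(vid)
            if vuln is None:  # dangling reference: skip rather than crash the gate
                continue
            out.append({
                "package": pkg.get("name", pkg_id),
                "version": pkg.get("version", ""),
                "vuln": vuln.get("name", vid),
                "severity": vuln.get("normalized_severity", "Unknown"),
                "fixed_in": vuln.get("fixed_in_version", ""),
            })
    out.sort(key=lambda f: severity_rank(f["severity"]), reverse=True)
    return out


def gate(report, threshold="High", fixable_only=False):
    """Return (blocking, all_findings).

    A finding blocks when its severity is at or above `threshold` and, if
    fixable_only is set, a fixed package version is known. Unfixable findings
    are still returned in all_findings so they are reported, not hidden.
    """
    floor = severity_rank(threshold)
    all_findings = findings(report)
    blocking = [f for f in all_findings
                if severity_rank(f["severity"]) >= floor
                and (not fixable_only or f["fixed_in"])]
    return blocking, all_findings


def main(argv):
    args = [a for a in argv if not a.startswith("--")]
    fixable_only = "--fixable-only" in argv
    text = open(args[0]).read() if args else SAMPLE_REPORT
    threshold = args[1] if len(args) > 1 else "High"
    blocking, all_findings = gate(load_report(text), threshold, fixable_only)
    for f in all_findings:
        fix = f["fixed_in"] or "no fix available"
        print(f'{f["severity"]:<10} {f["vuln"]:<16} {f["package"]} {f["version"]} (fixed in: {fix})')
    print(f"{len(blocking)} finding(s) at or above {threshold}")
    return 1 if blocking else 0  # non-zero exit fails the pipeline step


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it as `clairctl report -o json -host ${CLAIR_HOST} redhat/ubi8:8.4-206 > report.json && python3 clair_gate.py report.json High --fixable-only` to fail only on findings the distribution already has a fix for; without `--fixable-only` the gate also blocks on unfixed findings, which is stricter but tends to leave a pipeline permanently red on base images with long-standing unpatched advisories.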
References:
https://quay.github.io/clair/whatis.html
https://github.com/rhthsa/openshift-demo/blob/main/clair4-on-ocp.md