Enable the REST API

Expose the NeuVector controller's REST port (10443) as a NodePort Service:

```bash
cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Service
metadata:
  name: neuvector-service-controller
  namespace: cattle-neuvector-system
spec:
  ports:
  - port: 10443
    name: controller
    protocol: TCP
  type: NodePort
  selector:
    app: neuvector-controller-pod
EOF
```
Prepare the environment variables needed to call the API

```bash
nv_service_ip="neuvector-service-controller"
nv_service_port="10443"
nv_service_login_user="admin"
nv_service_login_password="admin"
image_registry_url="https://xxx"
image_registry_user="xxx"
image_registry_password="xxx"
image_repo="library/nginx"
image_tag="mainline"
```
Call the API to scan an image

```bash
# Log in and obtain a session token
api_login_url="https://$nv_service_ip:$nv_service_port/v1/auth"
echo "$api_login_url"

# Login body; note that this echo prints the password in clear text
login_json="{\"password\":{\"username\":\"$nv_service_login_user\",\"password\":\"$nv_service_login_password\"}}"
echo "$login_json"

# If the login request fails, "null" is substituted so jq still gets valid JSON
nv_token=$( (curl -s -f -k "$api_login_url" -H "Content-Type: application/json" -d "$login_json" || echo null) | jq -r '.token.token')
echo "$nv_token"

# Submit the repository scan request with the token
api_scan_repo_url="https://$nv_service_ip:$nv_service_port/v1/scan/repository"
echo "$api_scan_repo_url"

nv_scanned_json="{\"request\": {\"registry\": \"$image_registry_url\", \"username\": \"$image_registry_user\", \"password\": \"$image_registry_password\", \"repository\": \"$image_repo\", \"tag\": \"$image_tag\"}}"
echo "$nv_scanned_json"

curl -k "$api_scan_repo_url" -H "Content-Type: application/json" -H "X-Auth-Token: $nv_token" -d "$nv_scanned_json"
```
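The same two-step exchange (login for a token, then POST the scan request), as an added Python example that is not part of the original post and not NeuVector's own client code. Building the bodies with `json.dumps` avoids the escaping problem of the hand-built shell strings above when a password contains quotes or backslashes, and the `ca_bundle` parameter replaces `curl -k` with certificate verification against a CA file. The response shape parsed by `summarize_vulnerabilities` (`report.vulnerabilities[].severity`) and the sample response are assumptions/constructed data, not taken from the post; the CVE names in it are placeholders.

```python
import json
import ssl
import urllib.request

# Constructed sample scan response (assumed field layout; CVE names are placeholders).
SAMPLE_SCAN_RESPONSE = json.dumps({
    "report": {
        "image_id": "sha256:constructed-example",
        "vulnerabilities": [
            {"name": "CVE-EXAMPLE-0001", "severity": "High", "package_name": "libexample"},
            {"name": "CVE-EXAMPLE-0002", "severity": "Medium", "package_name": "libexample"},
            {"name": "CVE-EXAMPLE-0003", "severity": "Low", "package_name": "libother"},
        ],
    }
})


def build_login_payload(username, password):
    """Body for POST /v1/auth; json.dumps escapes quotes and backslashes in the password."""
    return json.dumps({"password": {"username": username, "password": password}})


def build_scan_payload(registry, username, password, repository, tag):
    """Body for POST /v1/scan/repository, mirroring the fields used in the shell version."""
    return json.dumps({"request": {
        "registry": registry, "username": username, "password": password,
        "repository": repository, "tag": tag,
    }})


def extract_token(login_response_text):
    """Pull .token.token out of the login response, as the jq filter does."""
    return json.loads(login_response_text)["token"]["token"]


def summarize_vulnerabilities(scan_response_text):
    """Count findings per severity (assumed layout: report.vulnerabilities[].severity)."""
    report = json.loads(scan_response_text).get("report", {})
    counts = {}
    for vuln in report.get("vulnerabilities", []):
        sev = vuln.get("severity", "Unknown")
        counts[sev] = counts.get(sev, 0) + 1
    return counts


def scan_passes_policy(scan_response_text, blocked_severities=("Critical", "High")):
    """True when the scan contains no finding at a blocked severity; usable as a CI gate."""
    counts = summarize_vulnerabilities(scan_response_text)
    return all(counts.get(sev, 0) == 0 for sev in blocked_severities)


def post_json(url, payload, token=None, ca_bundle=None):
    """POST a JSON body; verifies TLS against ca_bundle (or the system store) instead of curl -k."""
    headers = {"Content-Type": "application/json"}
    if token:
        headers["X-Auth-Token"] = token
    req = urllib.request.Request(url, data=payload.encode(), headers=headers, method="POST")
    ctx = ssl.create_default_context(cafile=ca_bundle)
    with urllib.request.urlopen(req, context=ctx, timeout=120) as resp:
        return resp.read().decode()


def scan_image(base_url, login_user, login_password,
               registry, reg_user, reg_password, repository, tag, ca_bundle=None):
    """Login, then submit the scan; returns the raw scan response text (needs a live controller)."""
    token = extract_token(post_json(f"{base_url}/v1/auth",
                                    build_login_payload(login_user, login_password),
                                    ca_bundle=ca_bundle))
    return post_json(f"{base_url}/v1/scan/repository",
                     build_scan_payload(registry, reg_user, reg_password, repository, tag),
                     token=token, ca_bundle=ca_bundle)


if __name__ == "__main__":
    # Offline demonstration on the constructed response; scan_image() is for a real controller.
    print(summarize_vulnerabilities(SAMPLE_SCAN_RESPONSE))
    print("policy pass:", scan_passes_policy(SAMPLE_SCAN_RESPONSE))
```

The token is returned from `extract_token` rather than echoed, so it does not end up in shell history or pipeline logs the way the `echo $nv_token` line does.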
When `registry` is empty, NeuVector scans the local image instead, but this is only supported in the allinone deployment. Calling the API for a local scan against a NeuVector deployed on K8s produces this error:

```
2024-11-06T09:14:15.179|INFO|CTL|rest.(*repoScanTask).Run: Scan repository start - image=library/nginx:mainline registry=
2024-11-06T09:14:15.24 |ERRO|CTL|rest.(*repoScanTask).Run: Failed to scan repository - error=container API call error image=library/nginx:mainline registry=
```
Besides scanning images through the API, NeuVector can also scan by connecting a registry under Assets -> Registries. If an Admission Control rule with the criterion `Image scanned = false` exists, completing either of the two scanning methods is enough for the deployment to go through without being blocked by that rule.