开启 REST API
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
| cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Service
metadata:
name: neuvector-svc-controller-api
namespace: cattle-neuvector-system
spec:
ports:
- port: 10443
name: controller
protocol: TCP
type: NodePort
selector:
app: neuvector-controller-pod
EOF
|
准备一些调用接口所需的环境变量
1
2
3
4
5
6
7
8
9
| _controllerIP_="neuvector-svc-controller-api"
_controllerRESTAPIPort_="10443"
_neuvectorUsername_="admin"
_neuvectorPassword_="admin"
_registryURL_="https://xxx"
_registryUsername_="xxx"
_registryPassword_="xxx"
_repository_="library/nginx"
_tag_="mainline"
|
调用接口进行镜像扫描
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
|
_loginAPI_="https://$_controllerIP_:$_controllerRESTAPIPort_/v1/auth"
echo $_loginAPI_
_loginJSON_="{\"password\":{\"username\":\"$_neuvectorUsername_\",\"password\":\"$_neuvectorPassword_\"}}"
echo $_loginJSON_
_TOKEN_=`(curl -s -f $_loginAPI_ -k -H "Content-Type:application/json" -d $_loginJSON_ || echo null) | jq -r '.token.token'`
echo $_TOKEN_
_scanAPI_="https://$_controllerIP_:$_controllerRESTAPIPort_/v1/scan/repository"
echo $_scanAPI_
_scanJSON_="{\"request\": {\"registry\": \"$_registryURL_\", \"username\": \"$_registryUsername_\", \"password\": \"$_registryPassword_\", \"repository\": \"$_repository_\", \"tag\": \"$_tag_\"}}"
echo $_scanJSON_
curl -k "$_scanAPI_" -H "Content-Type: application/json" -H "X-Auth-Token: $_TOKEN_" -d "$_scanJSON_"
|
当 registry 为空的时候,NeuVector 会对本地镜像进行扫描,但只支持在 allinone 下使用,如果是在 K8s 部署的 NV 中调用接口进行本地扫描,会出现报错:
1
2
| 2024-11-06T09:14:15.179|INFO|CTL|rest.(*repoScanTask).Run: Scan repository start - image=library/nginx:mainline registry=
2024-11-06T09:14:15.24 |ERRO|CTL|rest.(*repoScanTask).Run: Failed to scan repository - error=container API call error image=library/nginx:mainline registry=
|
NeuVector 除了调用 API 接口进行镜像扫描外,还可以使用 Assets -> Registries 对接镜像仓库进行扫描,如果存在 Image scanned = false 的 Admission Control,只要完成两种扫描方式的其中一种,就可以顺利完成部署而不被规则所拦截。