Enable the REST API
```bash
cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Service
metadata:
  name: neuvector-svc-controller-api
  namespace: cattle-neuvector-system
spec:
  ports:
  - port: 10443
    name: controller
    protocol: TCP
  type: NodePort
  selector:
    app: neuvector-controller-pod
EOF
```
Prepare the environment variables needed to call the API
```bash
_controllerIP_="neuvector-svc-controller-api"
_controllerRESTAPIPort_="10443"
_neuvectorUsername_="admin"
_neuvectorPassword_="admin"
_registryURL_="https://xxx"
_registryUsername_="xxx"
_registryPassword_="xxx"
_repository_="library/nginx"
_tag_="mainline"
```
Call the API to scan an image
```bash
# Log in and obtain a session token
_loginAPI_="https://$_controllerIP_:$_controllerRESTAPIPort_/v1/auth"
echo "$_loginAPI_"

_loginJSON_="{\"password\":{\"username\":\"$_neuvectorUsername_\",\"password\":\"$_neuvectorPassword_\"}}"
echo "$_loginJSON_"

# -s -f makes curl fail silently on HTTP errors; "|| echo null" then yields a null token instead of a jq parse error
_TOKEN_=$( (curl -s -f "$_loginAPI_" -k -H "Content-Type:application/json" -d "$_loginJSON_" || echo null) | jq -r '.token.token')
echo "$_TOKEN_"

# Submit the registry scan request with the token in X-Auth-Token
_scanAPI_="https://$_controllerIP_:$_controllerRESTAPIPort_/v1/scan/repository"
echo "$_scanAPI_"

_scanJSON_="{\"request\": {\"registry\": \"$_registryURL_\", \"username\": \"$_registryUsername_\", \"password\": \"$_registryPassword_\", \"repository\": \"$_repository_\", \"tag\": \"$_tag_\"}}"
echo "$_scanJSON_"

curl -k "$_scanAPI_" -H "Content-Type: application/json" -H "X-Auth-Token: $_TOKEN_" -d "$_scanJSON_"
```
When registry is empty, NeuVector scans the local image instead, but this is only supported in the allinone deployment. Calling the API for a local scan against a NeuVector deployed on K8s fails with the following error:
```
2024-11-06T09:14:15.179|INFO|CTL|rest.(*repoScanTask).Run: Scan repository start - image=library/nginx:mainline registry=
2024-11-06T09:14:15.24 |ERRO|CTL|rest.(*repoScanTask).Run: Failed to scan repository - error=container API call error image=library/nginx:mainline registry=
```
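The same login-then-scan exchange as a small Python client, added here as an example (it is not code from the original post or from NeuVector). It reuses the post's endpoints (`/v1/auth`, `/v1/scan/repository`), request bodies and `X-Auth-Token` header, refuses an empty registry unless the caller declares an allinone deployment (the failure mode described above), and reduces the scan result to a pass/fail gate. The shape of the scan report (`report.vulnerabilities[]` with `name`, `severity`, `package_name`, `fixed_version`) and the sample response bodies are assumptions constructed for this example; adjust them to what your controller version returns.

```python
import json
import ssl
import urllib.request
from typing import Optional

# Endpoint paths are the ones used in the post; everything else is constructed.
LOGIN_PATH = "/v1/auth"
SCAN_PATH = "/v1/scan/repository"


def build_login_payload(username: str, password: str) -> dict:
    """Body for POST /v1/auth, same shape as _loginJSON_ in the post."""
    return {"password": {"username": username, "password": password}}


def build_scan_payload(registry: str, reg_user: str, reg_pass: str,
                       repository: str, tag: str, allinone: bool = False) -> dict:
    """Body for POST /v1/scan/repository, same shape as _scanJSON_.

    An empty registry means "scan the local image", which only works on an
    allinone deployment; fail early instead of waiting for the controller's
    "container API call error" on a K8s deployment.
    """
    if not registry and not allinone:
        raise ValueError("empty registry (local scan) is only supported on allinone")
    return {"request": {"registry": registry, "username": reg_user,
                        "password": reg_pass, "repository": repository, "tag": tag}}


def extract_token(login_body: str) -> Optional[str]:
    """Equivalent of `jq -r '.token.token'` plus the `|| echo null` fallback:
    None when the body is not JSON, is null, or lacks the token path."""
    try:
        doc = json.loads(login_body)
    except json.JSONDecodeError:
        return None
    if not isinstance(doc, dict):
        return None
    return (doc.get("token") or {}).get("token") or None


def summarize_report(scan_body: str, fail_on=("Critical", "High")) -> dict:
    """Count findings by severity and decide whether the image passes.

    Assumed (not confirmed by the post) response shape:
    {"report": {"vulnerabilities": [{"name", "severity", "package_name", "fixed_version"}]}}
    """
    doc = json.loads(scan_body)
    vulns = (doc.get("report") or {}).get("vulnerabilities") or []
    by_severity = {}
    for v in vulns:
        sev = v.get("severity", "Unknown")
        by_severity[sev] = by_severity.get(sev, 0) + 1
    blocking = sorted(v["name"] for v in vulns if v.get("severity") in fail_on)
    return {"total": len(vulns), "by_severity": by_severity,
            "blocking": blocking, "passed": not blocking}


def post_json(base_url: str, path: str, payload: dict,
              token: Optional[str] = None, insecure: bool = False) -> str:
    """HTTP helper mirroring the curl calls; insecure=True reproduces curl -k."""
    headers = {"Content-Type": "application/json"}
    if token:
        headers["X-Auth-Token"] = token
    req = urllib.request.Request(base_url + path, data=json.dumps(payload).encode(),
                                 headers=headers, method="POST")
    ctx = None
    if insecure:  # skip certificate verification, as curl -k does
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx, timeout=120) as resp:
        return resp.read().decode()


def scan_image(base_url, nv_user, nv_pass, registry, reg_user, reg_pass,
               repository, tag, insecure=False, allinone=False) -> dict:
    """Log in, submit the scan, and return the summarized report (network call)."""
    token = extract_token(post_json(base_url, LOGIN_PATH,
                                    build_login_payload(nv_user, nv_pass), insecure=insecure))
    if token is None:
        raise RuntimeError("login failed: no token in response")
    body = post_json(base_url, SCAN_PATH,
                     build_scan_payload(registry, reg_user, reg_pass, repository, tag, allinone),
                     token=token, insecure=insecure)
    return summarize_report(body)


# Constructed sample bodies so the parsers can be exercised offline.
SAMPLE_LOGIN_BODY = json.dumps({"token": {"token": "constructed-token-123", "fullname": "admin"}})
SAMPLE_SCAN_BODY = json.dumps({"report": {"vulnerabilities": [
    {"name": "CVE-0000-0001", "severity": "High", "package_name": "libexample", "fixed_version": "1.2.3"},
    {"name": "CVE-0000-0002", "severity": "Medium", "package_name": "libexample", "fixed_version": ""},
]}})

if __name__ == "__main__":
    print("token:", extract_token(SAMPLE_LOGIN_BODY))
    print(json.dumps(summarize_report(SAMPLE_SCAN_BODY), indent=2))
```

To run it against a real controller, call `scan_image("https://<node-ip>:10443", ...)` with `insecure=True` only where you would also use `curl -k`; the `fail_on` tuple is the place to encode the same threshold your Admission Control rule enforces.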
Besides scanning images through the API, NeuVector can also scan by connecting a registry under Assets -> Registries. If an Admission Control rule with "Image scanned = false" exists, completing either of the two scan methods is enough for the deployment to go through without being blocked by the rule.