Question 21: Image Vulnerability Scanning

Problem Statement

Solve this question on: ssh cks8930

The Vulnerability Scanner trivy is installed on your main terminal. Use it to scan the following images for known CVEs:

  • nginx:1.16.1-alpine
  • k8s.gcr.io/kube-apiserver:v1.18.0
  • k8s.gcr.io/kube-controller-manager:v1.18.0
  • docker.io/weaveworks/weave-kube:2.7.0

Write all images that don't contain the vulnerabilities CVE-2020-10878 or CVE-2020-1967 into /opt/course/21/good-images on cks8930.

Solution

Step 1: Scan Images with Trivy

First, let's scan each image using trivy and check for the specific CVEs:

➜ ssh cks8930

➜ candidate@cks8930:~# trivy image nginx:1.16.1-alpine | grep -E 'CVE-2020-10878|CVE-2020-1967'
...
│ libcrypto1.1  │ CVE-2020-1967  │ HIGH 
│ libssl1.1     │ CVE-2020-1967  │

Scan the Kubernetes components:

➜ candidate@cks8930:~# trivy image k8s.gcr.io/kube-apiserver:v1.18.0 | grep -E 'CVE-2020-10878|CVE-2020-1967'
...
│                        │ CVE-2020-10878

➜ candidate@cks8930:~# trivy image k8s.gcr.io/kube-controller-manager:v1.18.0 | grep -E 'CVE-2020-10878|CVE-2020-1967'
...
│                        │ CVE-2020-10878

Scan the Weave Net image:

➜ candidate@cks8930:~# trivy image docker.io/weaveworks/weave-kube:2.7.0 | grep -E 'CVE-2020-10878|CVE-2020-1967'
➜ candidate@cks8930:~#

Step 2: Analyze Results

From the scan results, we can see:

  • nginx:1.16.1-alpine - Contains CVE-2020-1967
  • k8s.gcr.io/kube-apiserver:v1.18.0 - Contains CVE-2020-10878
  • k8s.gcr.io/kube-controller-manager:v1.18.0 - Contains CVE-2020-10878
  • docker.io/weaveworks/weave-kube:2.7.0 - No matching CVEs found

Step 3: Write Results to File

Create the output file with the only image that doesn't contain the specified CVEs:

➜ candidate@cks8930:~# echo "docker.io/weaveworks/weave-kube:2.7.0" > /opt/course/21/good-images

Verify the contents:

➜ candidate@cks8930:~# cat /opt/course/21/good-images
docker.io/weaveworks/weave-kube:2.7.0
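
The scan-then-filter steps above, automated in one POSIX shell script. This is an added example, not part of the original solution: it assumes trivy is on PATH on cks8930 and takes the image list, CVE IDs and output path from the question; the CVE match is separated from the scan so it can be checked against a saved report, and a failed scan is treated as "not clean" rather than "no findings".

```shell
#!/bin/sh
# Added example: automates the scan-and-filter procedure from this solution.
# Assumes trivy is on PATH (it is on cks8930 per the question); the image
# list, CVE list and output path are the ones given in the question.
set -u

CVES='CVE-2020-10878|CVE-2020-1967'
IMAGES='nginx:1.16.1-alpine
k8s.gcr.io/kube-apiserver:v1.18.0
k8s.gcr.io/kube-controller-manager:v1.18.0
docker.io/weaveworks/weave-kube:2.7.0'
OUT=/opt/course/21/good-images

# report_is_clean PATTERN  (trivy report on stdin)
# Succeeds when no CVE ID in the report matches PATTERN. -w makes the
# match word-bounded, so CVE-2020-1967 does not also hit a longer ID that
# merely starts with the same digits (a plain grep for the prefix would).
report_is_clean() {
    ! grep -qEw "$1"
}

# scan_image IMAGE
# Runs trivy and succeeds only if the scan itself succeeded AND the report
# is clean; a failed scan (pull error, timeout) must never be mistaken for
# "no vulnerabilities found".
scan_image() {
    report=$(trivy image "$1") || return 1
    printf '%s\n' "$report" | report_is_clean "$CVES"
}

# Rebuild the output file from scratch so a re-run never leaves stale entries.
write_good_images() {
    : > "$OUT"
    for image in $IMAGES; do
        if scan_image "$image"; then
            printf '%s\n' "$image" >> "$OUT"
        else
            printf 'excluded: %s\n' "$image" >&2
        fi
    done
    cat "$OUT"
}

# Only scan when invoked as `sh good-images.sh --run` (hypothetical file
# name), so the functions can be sourced and checked against saved reports
# without touching trivy.
if [ "${1-}" = "--run" ]; then
    write_good_images
fi
```

Excluded images are listed on stderr so the reason an image is missing from /opt/course/21/good-images is visible rather than silent.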

Summary of findings:

  • Only docker.io/weaveworks/weave-kube:2.7.0 is free from both CVE-2020-10878 and CVE-2020-1967
  • All other images contain at least one of the specified vulnerabilities
  • The results have been written to /opt/course/21/good-images

Security Note: Regular vulnerability scanning of container images is crucial for maintaining a secure Kubernetes environment. Always scan images before deploying them to production and keep track of known vulnerabilities in your container images.