As part of this series, we’ve covered all the foundational concepts for understanding the need for KubeClarity and the problems it can solve using SBOMs (Software Bills of Materials) and vulnerability scans to protect against software supply chain attacks. By now, you already have a high-level introduction to KubeClarity and where to find it. So in this blog post, I will take you through the internals of KubeClarity.
KubeClarity is a tool for detecting and managing Software Bill of Materials (SBOM) and vulnerabilities of container images and filesystems. It scans runtime Kubernetes clusters and CI/CD pipelines to generate SBOM documents and vulnerability reports for enhanced software supply chain security.
What’s up with the name KubeClarity? The KubeClarity project started with a focus on securing Kubernetes-based containerized deployments to improve visibility and clarity in securing supply chains.
Optimized for Kubernetes environments, KubeClarity can run in any containerized environment and scan clusters, pods, files, images, directories, RootFS, packages, and applications. You can run it both on-premises and in cloud environments.
SBOM analysis and vulnerability scans are definitive steps to securing software supply chains. However, running these tools can be complicated, and many unknowns exist. The KubeClarity software simplifies this process quite a bit for you.
KubeClarity can clarify and answer critical software supply chain security questions with its unique approach by optimizing the process for an accurate Software Bill of Materials (SBOM) detection and vulnerability scanning.
Several existing tools, like Syft, Trivy, Grype, etc., offer SBOM generation and/or vulnerability scanning capabilities. Each tool uses specific formats and may be better suited than the others to finding vulnerabilities in a specific programming language or OS distribution. Some tools are only suitable for some types of scans or deployments. There isn’t a universal scanner or analyzer.
“KubeClarity’s approach is not reinventing the wheel by creating another SBOM generator or vulnerability scanner, but maximizing the value and integrating popular open-source analyzers and scanners to create a comprehensive and accurate vulnerability analysis.”
It can be visualized as a union of SBOM analyzers and vulnerability scanners with pre- and post-processing modules to generate a universal SBOM and a vulnerability dependency graph to navigate and fix vulnerabilities. Figure-2 below shows the steps in generating the universal SBOM and the vulnerability dependency graph.
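To make the "union of analyzers and scanners" idea concrete, here is an added example (my own illustration, not KubeClarity's code) of the two processing steps the figure describes: normalising and merging per-analyzer package lists into one SBOM, then merging per-scanner findings into a package-to-vulnerability graph. The analyzer names, scanner names, package names and vulnerability IDs are constructed placeholders, and the normalisation and severity rules are assumptions chosen for the demo rather than KubeClarity's actual rules.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Package is one component as reported by a single SBOM analyzer.
type Package struct {
	Name, Version, Type string
}

// Finding is one vulnerability match as reported by a single scanner.
type Finding struct {
	VulnID   string
	Severity string
	Package  Package
}

// Key is the pre-processing step: it normalises a package so the same
// component reported by two analyzers (different casing, stray whitespace)
// collapses onto one entry in the universal SBOM. Assumed rule for the demo.
func (p Package) Key() string {
	return strings.ToLower(strings.TrimSpace(p.Type)) + ":" +
		strings.ToLower(strings.TrimSpace(p.Name)) + "@" + strings.TrimSpace(p.Version)
}

// MergedPackage is an entry of the universal SBOM: the component plus the
// analyzers that reported it, so a reader can see which tool saw what.
type MergedPackage struct {
	Package
	FoundBy []string
}

// MergeSBOMs unions per-analyzer package lists into one universal SBOM keyed by Package.Key().
func MergeSBOMs(perAnalyzer map[string][]Package) map[string]*MergedPackage {
	merged := map[string]*MergedPackage{}
	for analyzer, pkgs := range perAnalyzer {
		for _, p := range pkgs {
			k := p.Key()
			if _, ok := merged[k]; !ok {
				merged[k] = &MergedPackage{Package: p}
			}
			merged[k].FoundBy = append(merged[k].FoundBy, analyzer)
		}
	}
	for _, m := range merged { // map iteration order is random; sort for stable output
		sort.Strings(m.FoundBy)
	}
	return merged
}

// VulnEdge is one edge of the vulnerability graph: a vulnerability attached to a package,
// with the scanners that reported it and the highest severity any scanner assigned.
type VulnEdge struct {
	VulnID   string
	Severity string
	FoundBy  []string
}

func severityRank(s string) int {
	switch strings.ToUpper(s) {
	case "CRITICAL":
		return 4
	case "HIGH":
		return 3
	case "MEDIUM":
		return 2
	case "LOW":
		return 1
	}
	return 0
}

// BuildVulnGraph is the post-processing step: it unions per-scanner findings into a
// graph keyed by package key. Findings for packages that are not in the merged SBOM
// are dropped, and when scanners disagree on severity the highest one is kept.
func BuildVulnGraph(sbom map[string]*MergedPackage, perScanner map[string][]Finding) map[string][]VulnEdge {
	graph := map[string]map[string]*VulnEdge{}
	for scanner, findings := range perScanner {
		for _, f := range findings {
			k := f.Package.Key()
			if _, ok := sbom[k]; !ok {
				continue // scanner matched something the SBOM does not contain
			}
			if graph[k] == nil {
				graph[k] = map[string]*VulnEdge{}
			}
			e, ok := graph[k][f.VulnID]
			if !ok {
				e = &VulnEdge{VulnID: f.VulnID, Severity: f.Severity}
				graph[k][f.VulnID] = e
			} else if severityRank(f.Severity) > severityRank(e.Severity) {
				e.Severity = f.Severity
			}
			e.FoundBy = append(e.FoundBy, scanner)
		}
	}
	out := map[string][]VulnEdge{}
	for k, edges := range graph {
		for _, e := range edges {
			sort.Strings(e.FoundBy)
			out[k] = append(out[k], *e)
		}
		sort.Slice(out[k], func(i, j int) bool { return out[k][i].VulnID < out[k][j].VulnID })
	}
	return out
}

// sampleAnalyzers is constructed demo input standing in for two analyzers run on one image.
func sampleAnalyzers() map[string][]Package {
	return map[string][]Package{
		"analyzer-a": {{Name: "libfoo", Version: "1.0.0", Type: "deb"}, {Name: "barjs", Version: "2.0.0", Type: "npm"}},
		"analyzer-b": {{Name: "LibFoo ", Version: "1.0.0", Type: "deb"}, {Name: "example.com/baz", Version: "v1.2.0", Type: "go-module"}},
	}
}

// sampleScanners is constructed demo input standing in for two scanners; IDs are placeholders.
func sampleScanners() map[string][]Finding {
	return map[string][]Finding{
		"scanner-x": {
			{VulnID: "VULN-EXAMPLE-0001", Severity: "high", Package: Package{Name: "libfoo", Version: "1.0.0", Type: "deb"}},
			{VulnID: "VULN-EXAMPLE-0002", Severity: "medium", Package: Package{Name: "barjs", Version: "2.0.0", Type: "npm"}},
		},
		"scanner-y": {
			{VulnID: "VULN-EXAMPLE-0001", Severity: "critical", Package: Package{Name: "LibFoo", Version: "1.0.0", Type: "deb"}},
			{VulnID: "VULN-EXAMPLE-0003", Severity: "low", Package: Package{Name: "notinsbom", Version: "0.1", Type: "npm"}},
		},
	}
}

func main() {
	sbom := MergeSBOMs(sampleAnalyzers())
	graph := BuildVulnGraph(sbom, sampleScanners())
	for k, m := range sbom {
		fmt.Printf("%s found by %v\n", k, m.FoundBy)
		for _, e := range graph[k] {
			fmt.Printf("  %s [%s] reported by %v\n", e.VulnID, e.Severity, e.FoundBy)
		}
	}
}
```

Run it and the two spellings of libfoo collapse into one SBOM entry attributed to both analyzers, VULN-EXAMPLE-0001 appears once with the higher of the two severities and both scanners listed, and the finding against a package no analyzer reported is discarded, which is exactly the kind of cross-tool reconciliation the union approach buys you over reading each scanner's output on its own.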
KubeClarity’s core features are expandable integrations, pluggable architecture, CI/CD pipeline automation, a user-friendly web portal, and developer API integrations. These are the ingredients that make KubeClarity unique:
Future blog posts in this series will go deeper into the architecture, but let’s take a look at KubeClarity’s high-level architecture first. The architecture diagram in Figure-3 below shows how to make the secret sauce.
KubeClarity adopts a modular architecture with dedicated functional components that handle input scan requests via CLI/UI/API and then spawn worker jobs to run the scans and post the results to the relevant modules, as seen in Figure-3 above in the architecture diagram. Here is a list of key modules:
We will drill down into these modules and develop a deeper understanding of the design flows and API invocations in upcoming blog posts.
Change the default configuration settings in values.yaml and customize deployments as needed. To enable and configure the supported SBOM generators and vulnerability scanners, set the “analyzer” and “scanner” config under the “vulnerability-scanner” sections. You can change one module’s settings without affecting the others unless two modules have a dependency, in which case the file says so. It’s easy to navigate and edit values.yaml because the config values are organized into sections, as shown below in Figure-5:
Installation and deployment configurations are straightforward to run using Helm charts. In the next blog post, we will go through hands-on instructions for installation steps to bring up a KubeClarity deployment in a Kubernetes cluster and locally in your Docker environments. There are several flavors of installation options, including:
A user-friendly and intuitive UI portal helps you kickstart scheduled scans, navigate the contents of SBOM documents, and observe vulnerability scans with contextual filters. There is also an option to fire up the UI for local testing with synthetic data sources.
There’s a handy CLI you can run locally, which is great for CI/CD pipelines. It lets you generate an SBOM from images and directories, scan it for vulnerabilities, and export the results to the KubeClarity backend so that state moves from the CLI to the backend.
APIs expose all the functionality in the CLI and UI. Swagger API descriptions are great for integration and automation.
You can tweak more advanced knobs to customize your vulnerability scans. We’ll save those topics for after we dive deep into the architecture and installation.
Putting it all together, Figure-6 below provides a mental map of KubeClarity and summarizes what it is, what it is not, and where it is valuable.
Are you getting restless to get your hands on KubeClarity? Well, the wait is over. Let’s get into the installation process right after this and get equipped with some hands-on instructions.
Pallavi Kalapatapu is a Principal Engineer and open source advocate in organization.