After exploring the inner workings of KubeClarity in the previous post, we’ve made significant progress with the KubeClarity series and are ready to get hands-on with it. In this blog post, I’ll walk you through installing KubeClarity and setting it up to run a few vulnerability scans as a solid foundation to begin your KubeClarity adventure.
KubeClarity understands there’s no one-size-fits-all solution, so it offers multiple installation options. Install it locally, via Docker, or on a Kubernetes cluster-based system. For those using KubeClarity for the first time, I suggest going for a Docker-based installation to avoid platform-specific dependency issues. If you still want to try a local install on your platform, check out the README for more details.
In this post, I’ll focus on two types of installs: a Docker-based install followed by an install on a KinD cluster.
Let’s proceed with the installation assuming you’ve cloned the KubeClarity repo and have a local Docker instance up and running.
Opting for a Docker-based installation is a breeze and takes only three commands to get KubeClarity up and running. The installation package also includes readily available synthetic demo data for testing. You’ll be up and running in the blink of an eye, so go ahead and try it.
First, run the command below to build the UI and backend (the image tag is set using VERSION).
VERSION=test make docker-backend
Check out Figure-2 below to see what a successful run of this command should look like:
Next, run the backend using demo data with the following command:
docker run -p 8080:8080 -e FAKE_RUNTIME_SCANNER=true -e FAKE_DATA=true -e ENABLE_DB_INFO_LOGS=true -e DATABASE_DRIVER=LOCAL ghcr.io/openclarity/kubeclarity:test run
Check out Figure-3 below to see what a successful run of this command should look like:
Next, open KubeClarity UI in the browser:
Notice the UI dashboard in Figure-4 below. It comes populated with sample data for you to visualize. Feel free to click around and play with various features supported on KubeClarity UI.
Wasn’t that super easy? Technically, we can end this blog here because we have the software up and running. But if you want to take it further and run KubeClarity in a Kubernetes cluster with real data, let’s jump in and try a KinD-based install next.
This section assumes you have KinD installed, up, and running on your machine. If you need a refresher on KinD, you can learn more about it here and install it. Make sure to install a version that is suitable for your platform.
Note: KubeClarity currently does not support multi-platform Docker builds and is limited to the standard X86/AMD architectures. If you are on an ARM or some other unsupported platform, you should seek alternate installation means like EKS. Installing KubeClarity on an unsupported platform may not fully initialize its functional components. Let’s dive in if you’re ready to run KubeClarity in KinD.
Here is my KinD cluster configuration as an example. I’d recommend using the same configuration and following these instructions exactly if you are a first-time installer or new to KinD-based installs. Otherwise, skip these steps and jump straight to the next section to install KubeClarity if you already have a KinD cluster running.
First, create a cluster config using the example code below:
cat > kind-cluster.yaml << EOF
kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4
nodes:
- role: control-plane
- role: worker
EOF
Verify that the cluster is created by running the get nodes command as below:
kubectl get nodes
If you used the config file from above, you should see a similar output with a single control plane and two worker nodes like my example output as captured in Figure-5 below:
Now that the KinD cluster is running, let’s install KubeClarity.
KubeClarity helps you manage installations conveniently with Helm charts. Check here if you need a primer on Helm. To install KubeClarity with Helm charts, you must run the following five steps outlined in the README.
helm repo add kubeclarity https://openclarity.github.io/kubeclarity
Make sure we get the latest list of charts
helm repo update
helm show values kubeclarity/kubeclarity > values.yaml
Check the configuration in the values.yaml file from above and update the required values if needed. To enable and configure the supported SBOM generators and vulnerability scanners, check the “analyzer” and “scanner” config under the “vulnerability-scanner” section in the Helm values. You can skip this step and keep the default config settings.
helm install --values values.yaml --create-namespace kubeclarity kubeclarity/kubeclarity -n kubeclarity
Let’s verify that the installation is complete and all pods are running. You should see four pods running in the “kubeclarity” namespace, like in Figure-6 below.
In my case, I have a load balancer deployed to the front end of my cluster which is why you may see some extra pods. Installing a load balancer is completely optional.
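The check described above can be scripted so that a scan is not started against a deployment whose components did not fully initialize. This is an added example, not code from the KubeClarity repo; the function names and the sample pod listings are constructed, and the minimum of four pods is the count stated above.

```shell
# pods_not_ready reads `kubectl get pods --no-headers` output on stdin and
# prints the name of every unhealthy pod. Healthy means STATUS Running with
# READY n/n; Completed pods (finished Jobs) are ignored.
pods_not_ready() {
    awk 'NF >= 3 {
        if ($3 == "Completed") next
        split($2, ready, "/")
        if ($3 != "Running" || ready[1] != ready[2]) print $1
    }'
}

# count_pods prints how many pod rows are on stdin.
count_pods() {
    awk 'NF >= 3 { n++ } END { print n + 0 }'
}

# check_install NAMESPACE MIN_PODS queries the cluster and returns 0 only when
# at least MIN_PODS pods exist and none is reported by pods_not_ready.
# MIN_PODS is a floor, so extra pods (for example a load balancer) are fine.
check_install() {
    ns=$1
    min=$2
    out=$(kubectl get pods -n "$ns" --no-headers) || return 2
    total=$(printf '%s\n' "$out" | count_pods)
    bad=$(printf '%s\n' "$out" | pods_not_ready)
    if [ "$total" -lt "$min" ]; then
        echo "only $total pods in $ns, expected at least $min" >&2
        return 1
    fi
    if [ -n "$bad" ]; then
        echo "pods not ready in $ns:" $bad >&2
        return 1
    fi
    return 0
}

# Constructed sample listings (pod names, restarts and ages are made up).
SAMPLE_OK='example-pod-a   1/1   Running   0   5m
example-pod-b   1/1   Running   0   5m
example-pod-c   1/1   Running   0   5m
example-pod-d   1/1   Running   0   5m'
SAMPLE_BAD='example-pod-a   0/1   Running            0   1m
example-pod-b   0/1   CrashLoopBackOff   4   3m
example-pod-c   1/1   Running            0   3m'
```

Against a live cluster, run `check_install kubeclarity 4` after the Helm install and before port forwarding.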
To access the UI, set up port forwarding as indicated by the KubeClarity install instructions in the README.
kubectl port-forward -n kubeclarity svc/kubeclarity-kubeclarity 9999:8080
Open KubeClarity UI in the browser: http://localhost:9999/
With a fresh installation, you will notice that the KubeClarity UI dashboard is a clean slate with empty data, as seen in Figure-7 below:
Let’s start a scan and jump-start KubeClarity in the KinD cluster. Select the “Run Time” scan option in the UI from the left-hand pane, as shown in Figure-8 below:
Choose the options from the drop-down as seen in Figure-9 below, and start the scan by pressing the “Start Scan” button on the right side.
Feel free to click around and discover all the amazing features KubeClarity offers. It’s sure to impress you!
Explore KubeClarity, navigate the UI screens, and experiment with its security features. You can see firsthand how KubeClarity identifies, reports, and offers solutions for addressing vulnerabilities in your container environments. Enjoy the ride!
To help you understand how to use KubeClarity with your cloud applications, we’ll walk through installing KubeClarity on an EKS cluster and deploying and scanning a custom application.
Pallavi Kalapatapu is a Principal engineer and open source advocate in Cisco’s Emerging Technology & Incubation organization.