KubeClarity: Install and test drive this cloud security scanning solution

After exploring the inner workings of KubeClarity as a cloud security scanning solution in the previous post, we've made significant progress with the KubeClarity series and are ready to get hands-on. 

In this blog post, I'll walk you through installing KubeClarity and setting it up to run a few vulnerability scans as a solid foundation to begin your KubeClarity adventure.

Installation: Start using KubeClarity’s security scanning today

KubeClarity understands there's no one-size-fits-all solution, so it offers multiple installation options. Install it locally, via Docker, or on a Kubernetes cluster-based system. For those using KubeClarity for the first time, I suggest going for a Docker-based installation to avoid platform-specific dependency issues. If you still want to try a local install on your platform, check out the README for more details.

In this post, I’ll focus on two types of installs: a Docker-based install followed by an install on a KinD cluster.

Docker-based installation

Let's proceed with the installation assuming you've cloned the KubeClarity repo and have a local Docker instance up and running.

Opting for a Docker-based installation is a breeze and will only take three commands to get KubeClarity security scanning up and running. The installation package also includes readily available synthetic demo data for testing. So, you'll be up and running in just a blink of an eye, go ahead and try it.

Build

First, run the below command to build UI and backend (the image tag is set using VERSION).

VERSION=test make docker-backend

Check out Figure-2 below to see what a successful run of this command should look like:

Run

Next, run the backend using demo data with the following command:

docker run -p 8080:8080 -e FAKE_RUNTIME_SCANNER=true -e FAKE_DATA=true -e ENABLE_DB_INFO_LOGS=true -e DATABASE_DRIVER=LOCAL ghcr.io/openclarity/kubeclarity:test run

Check out Figure-3 below to see what a successful run of this command should look like:

Launch UI

Next, open KubeClarity UI in the browser:

 http://localhost:8080

Notice the UI dashboard in Figure-4 below. It comes populated with sample data for you to visualize. Feel free to click around and play with various features supported on KubeClarity UI.

Wasn't that super easy? Technically, we can end this blog here because we have the vulnerability scanning software up and running. But if you want to take your security scanning further and run KubeClarity in a Kubernetes cluster with real data, let's jump in and try a KinD-based install next.

KinD-based installation

This section assumes you have KinD installed, up, and running on your machine. If you need a refresher on KinD, you can learn more about it here and install it. Make sure to install a version that is suitable for your platform. 

Note: KubeClarity currently does not support multi-platform Docker builds and is limited to the standard X86/AMD architectures. If you are on an ARM or some other unsupported platform, you should seek alternate installation means like EKS. Installing KubeClarity on an unsupported platform may not fully initialize its functional components. Let's dive in if you're ready to run KubeClarity in KinD.

Here is my KinD cluster configuration as an example. I’d recommend using the same configuration and following these instructions exactly if you are a first-time installer or new to KinD-based installs. Otherwise, skip these steps and jump straight to the next section to install KubeClarity if you already have a KinD cluster running.

Configure cluster

First, create a cluster config using the example code below:

cat > kind-cluster.yaml << EOF

kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4
nodes:
 - role: control-plane
 - role: worker

EOF

Create cluster

Verify that the cluster is created by running the get nodes command as below:

kubectl get nodes

If you used the config file from above, you should see a similar output with a single control plane and two worker nodes like my example output as captured in Figure-5 below:

Now that the KinD cluster is running let’s install KubeClarity.

Install KubeClarity

KubeClarity helps you manage installations conveniently with Helm charts. Check here if you need a primer on Helm. To Install KubeClarity with Helm charts, you must run the following five steps outlined in the README.

 helm repo add kubeclarity https://openclarity.github.io/kubeclarity

Make sure we get the latest list of charts

 helm repo update

helm show values kubeclarity/kubeclarity > values.yaml

Check the configuration in values.yaml file from above and update the required values if needed. To enable and configure the supported SBOM generators and vulnerability scanning, you can check the "analyzer" and "scanner" config under the "vulnerability-scanner" section in Helm values. You can skip this step and leave it on default config settings.

helm install --values values.yaml --create-namespace kubeclarity kubeclarity/kubeclarity -n kubeclarity

Let's verify that the installation is complete and all pods are running. You should see four pods running in the “kubeclarity” namespace, like in Figure-6 below.

In my case, I have a load balancer deployed to the front end of my cluster, which is why you may see some extra pods. Installing a load balancer is completely optional.

Launch UI

To access the UI port forward as indicated by the KubeClarity, install instructions in the readme.

kubectl port-forward -n kubeclarity svc/kubeclarity-kubeclarity 9999:8080

Open KubeClarity UI in the browser: http://localhost:9999/

With a fresh installation, you will notice that the KubeClarity UI dashboard is a clean slate with empty data, as seen in Figure-7 below:

Let’s start a security scan and jump-start KubeClarity in the KinD cluster. Select the “Run Time” scan option in the UI from the left-hand pane, as shown in Figure-8 below:

Choose the options from the drop-down as seen in Figure-9 below, and start the scan by pressing the “Start Scan” button on the right side.

Feel free to click around and discover all the amazing features KubeClarity offers. It's sure to impress you!

Start your cloud security scanning with KubeClarity

Explore KubeClarity, navigate the UI screens, and experiment with its security features. You can see firsthand how KubeClarity identifies, reports, and offers solutions for addressing vulnerabilities in your container environments. Read up on our KubeClarity security scanning series for more information. Otherwise, enjoy the ride!

Next up

To help you understand how to use KubeClarity with your cloud applications, we'll walk through installing KubeClarity on an EKS cluster and deploying and scanning a custom application.

Pallavi Kalapatapu is a Principal engineer and open source advocate at Outshift, formerly Cisco’s Emerging Technology & Incubation organization.