This is the multi-page printable view of this section. Click here to print.

Return to the regular view of this page.

Deploy on Kubernetes using Helm

The supported method for deploying Anchore Enterprise on Kubernetes is with Helm. The Anchore Enterprise Helm Chart includes configuration options for a full Enterprise deployment.

Always consult the chart README and release notes prior to deployment or upgrade as this contains the most current information on deployment configuration.

About the Helm Chart

Release Notes can be found in the README in the chart repository.

The chart is split into global and service specific configurations for the core features, as well as global and services specific configurations for the optional Enterprise services.

The anchoreConfig section of the values file contains the application configuration for Anchore Enterprise. This includes the database connection information, credentials, and other application settings.
Anchore Enterprise services run as a kubernetes deployment when installed with the Helm chart. Each service has its own section in the values file for making customizations and configuring the kubernetes deployment spec.

For a description of each service component see Anchore Enterprise Service Overview

If you are moving from the Anchore Engine Helm chart deployment to the updated Anchore Enterprise Helm chart, see here for further guidance.

Prerequisites

See the README in the chart repository for prerequisites before starting the deployment.

Install the Chart

This guide covers deploying Anchore Enterprise on a Kubernetes cluster with the default configuration. Refer to the Configuration section of the chart README for additional guidance on production deployments.

Create the namespace: The steps to follow will require the namespace to have been created already.
```
export NAMESPACE=anchore

kubectl create namespace ${NAMESPACE}
```

Create a Kubernetes Secret for License File: Generate a Kubernetes secret to store your Anchore Enterprise license file.

export NAMESPACE=anchore
export LICENSE_PATH="license.yaml"

kubectl create secret generic anchore-enterprise-license --from-file=license.yaml=${LICENSE_PATH} -n ${NAMESPACE}

Create a Kubernetes Secret for DockerHub Credentials: Generate a Kubernetes secret containing the Anchore-provided DockerHub credentials. These credentials are required for authenticated access to the private Anchore Enterprise repositories on DockerHub in order to pull/download the Docker images used by the deployment. Contact Anchore Support to obtain access.

export NAMESPACE=anchore
export DOCKERHUB_PASSWORD="password"
export DOCKERHUB_USER="username"
export DOCKERHUB_EMAIL="[email protected]"

kubectl create secret docker-registry anchore-enterprise-pullcreds --docker-server=docker.io --docker-username=${DOCKERHUB_USER} --docker-password=${DOCKERHUB_PASSWORD} --docker-email=${DOCKERHUB_EMAIL} -n ${NAMESPACE}

Add Chart Repository & Deploy Anchore Enterprise: Create a custom values file, named anchore_values.yaml, to override any chart parameters. Refer to the Parameters section for available options.

Default passwords are specified in the chart and must be changed before deploying. The password for the admin user is set via the anchoreConfig.default_admin_password parameter in your custom anchore_values.yaml file. This value is only used during initial creation of the admin user; the password can be changed post-installation via the UI.

The RELEASE variable should not contain any dots.

export NAMESPACE=anchore
export RELEASE=anchore

helm repo add anchore https://charts.anchore.io
helm install ${RELEASE} -n ${NAMESPACE} anchore/enterprise -f anchore_values.yaml

The helm install command will initiate the installation of Anchore Enterprise into the specified namespace using the chart parameters defined in your custom anchore_values.yaml file. Upon completion, the pod status can be checked per the below and should reflect READY 1/1 and STATUS Running for each pod.

kubectl get pods -n ${NAMESPACE}

Example output:

NAME                                                READY   STATUS    RESTARTS   AGE
anchore-enterprise-analyzer-5f7f97ffcf-6rtrn        1/1     Running   0          5m
anchore-enterprise-api-587fb89495-sl2xn             1/1     Running   0          5m
anchore-enterprise-catalog-7767d58d4f-6dsv7         1/1     Running   0          5m
anchore-enterprise-datasyncer-558959869f-qp9nx      1/1     Running   0          5m
anchore-enterprise-notifications-64ccbf9864-pl629   1/1     Running   0          5m
anchore-enterprise-policy-6dc88b5df6-vrrcw          1/1     Running   0          5m
anchore-enterprise-reports-569587dbf5-jjfz2         1/1     Running   0          5m
anchore-enterprise-reportsworker-6bc7f7b4dd-7fnrn   1/1     Running   0          5m
anchore-enterprise-simplequeue-7f848498df-64bxq     1/1     Running   0          5m
anchore-enterprise-ui-6fd7d78449-2vc6l              1/1     Running   0          5m
anchore-postgresql-0                                1/1     Running   0          5m
anchore-ui-redis-master-0                           1/1     Running   0          5m

There should be 12 Anchore Enterprise pods in total, which includes PostgreSQL and Redis.

This command installs Anchore Enterprise with a chart-managed PostgreSQL database, which may not be suitable for production use. See the External Database section of the chart README for details on using an external database.

Post-Installation Steps: Anchore Enterprise will take some time to initialize. After the bootstrap phase, it will begin a vulnerability feed sync. Image analysis will show zero vulnerabilities and the UI will show errors until the sync is complete, which can take an hour or more based on the enabled feeds. The sync process will take place in the background, and while it’s in progress, anchorectl can be installed and the below commands can be used to check system status.

Export the required parameters to invoke anchorectl:

export NAMESPACE=anchore
export RELEASE=anchore
export ANCHORECTL_URL=http://localhost:8228
export ANCHORECTL_USERNAME="admin"
export ANCHORECTL_PASSWORD="<default_admin_password>"

Port-forward API and UI traffic to the associated pods. Run each command in a separate terminal window in the background:

kubectl port-forward -n ${NAMESPACE} svc/${RELEASE}-enterprise-api 8228:8228 --address 0.0.0.0 --request-timeout=0 &
kubectl port-forward -n ${NAMESPACE} svc/${RELEASE}-enterprise-ui 3000:80 --address 0.0.0.0 --request-timeout=0 &

Gather the status of Anchore Enterprise services. anchorectl defaults to the user ${ANCHORECTL_USERNAME} and to the password ${ANCHORECTL_PASSWORD} automatically if set:

anchorectl system status

Example output:

 ✔ Status system
┌─────────────────┬────────────────────┬─────────────────────────────┬──────┬────────────────┬────────────┬──────────────┐
│ SERVICE         │ HOST ID            │ URL                         │ UP   │ STATUS MESSAGE │ DB VERSION │ CODE VERSION │
├─────────────────┼────────────────────┼─────────────────────────────┼──────┼────────────────┼────────────┼──────────────┤
│ analyzer        │ anchore-quickstart │ http://analyzer:8228        │ true │ available      │ 5270       │ 5.27.0       │
│ policy_engine   │ anchore-quickstart │ http://policy-engine:8228   │ true │ available      │ 5270       │ 5.27.0       │
│ apiext          │ anchore-quickstart │ http://api:8228             │ true │ available      │ 5270       │ 5.27.0       │
│ reports         │ anchore-quickstart │ http://reports:8228         │ true │ available      │ 5270       │ 5.27.0       │
│ reports_worker  │ anchore-quickstart │ http://reports-worker:8228  │ true │ available      │ 5270       │ 5.27.0       │
│ data_syncer     │ anchore-quickstart │ http://data-syncer:8228     │ true │ available      │ 5270       │ 5.27.0       │
│ simplequeue     │ anchore-quickstart │ http://queue:8228           │ true │ available      │ 5270       │ 5.27.0       │
│ notifications   │ anchore-quickstart │ http://notifications:8228   │ true │ available      │ 5270       │ 5.27.0       │
│ catalog         │ anchore-quickstart │ http://catalog:8228         │ true │ available      │ 5270       │ 5.27.0       │
└─────────────────┴────────────────────┴─────────────────────────────┴──────┴────────────────┴────────────┴──────────────┘

For more information about configuring anchorectl, see Using Environment Variables.

The port forwarding shown above is intended only for POC purposes or an initial Anchore Enterprise installation and is not recommended for Production use. In a Production environment, an ingress controller or load balancer is recommended for exposing the Anchore Enterprise API and UI services. See the cloud-provider–specific Helm deployment guides (AKS, EKS, GKE, OpenShift) for ingress examples.

List all Helm releases using helm list -n ${NAMESPACE}.

Next Steps

Now that you have Anchore Enterprise running, you can begin to learning more about Anchore Enterprise architecture, Anchore concepts, and Anchore usage.

To learn more about Anchore Enterprise, go to Overview
To learn more about Anchore Enterprise Concepts, go to Concepts

1 - Deploying Anchore Enterprise on Azure Kubernetes Service (AKS)

This document will walk you through the deployment of Anchore Enterprise in an Azure Kubernetes Service (AKS) cluster and expose it on the public Internet.

Prerequisites

A running AKS cluster with worker nodes launched. See AKS Documentation for more information on this setup.
Helm client on local host.
AnchoreCTL installed on a local host.

Once you have an AKS cluster up and running with worker nodes launched, you can verify via the following command.

$ kubectl get nodes

NAME                       STATUS   ROLES   AGE     VERSION
aks-nodepool1-28659018-0   Ready    agent   4m13s   v1.30.3
aks-nodepool1-28659018-1   Ready    agent   4m15s   v1.30.3
aks-nodepool1-28659018-2   Ready    agent   4m6s    v1.30.3

Anchore Enterprise Helm Chart

Anchore maintains a Helm chart to simplify the software deployment process. An Anchore Enterprise deployment of the chart will include the following:

Anchore Enterprise software
PostgreSQL (13 or higher)
Redis (7 or higher)

To make the necessary configurations to the Helm chart, create a custom anchore_values.yaml file and reference it during deployment. There are many options for configuration with Anchore Enterprise; this document is intended to cover the minimum required changes to successfully deploy Anchore Enterprise in AKS.

For this installation, an NGINX ingress controller will be used. You can read more about Kubernetes Ingress in AKS here.

Azure Flexible Postgres

For production deployments we generally favor cloud-provider managed databases over using the built-in chart. This ensures the database is isolated from workloads allowing it to use CPU & Memory without contention. We suggest selecting a storage option that allows for automatic size increase.

If you choose to use Azure Flexible Postgres ensure that you make the following changes for compatibility with Anchore Enterprise:

pgbouncer.enabled: false - It is very important that this setting be turned off!
idle_in_transaction_session_timeout: 0
max_connections should be at least 500. The default is based on the amount of instance memory. 16GB or larger instances will have high enough max_connections setting by default.

Refer to configuration settings in the chart for Amazon RDS: https://github.com/anchore/anchore-charts/tree/main/stable/enterprise#external-database-requirements (Configuring an external database in the chart is the essentially the same for RDS or Azure Flexible Postgres).

Configurations

For Azure Application Gateway Ingress Controller (AGIC) Ingress add-on make the following changes below to your anchore_values.yaml

Ingress

ingress:
  enabled: true
  apiPaths:
    - /v2/
    - /version/
  uiPath: /
  apiHosts:
    - anchore.mydomain.com
  uiHosts:
    - anchore.mydomain.com
  annotations:
    # See https://learn.microsoft.com/en-us/azure/application-gateway/ingress-controller-annotations for more annotations
    kubernetes.io/ingress.class: azure/application-gateway

Configuring ingress is optional. It is used throughout this guide to expose the Anchore Enterprise deployment outside of your Kubernetes cluster.

If your load balancer or reverse proxy terminates TLS on behalf of Anchore Enterprise, you should set enable_ssl and enable_proxy to True in the Enterprise UI configuration. Without these settings, the UI may not correctly detect the HTTPS connection, which could result in unexpected behavior with session cookies and authentication. For more details, see Enterprise UI Configuration.

Anchore Enterprise API Service

# Pod configuration for the anchore api service.
api:
  # kubernetes service configuration for anchore external API
  service:
    type: NodePort
    port: 8228
    annotations: {}

Changed the service type to NodePort.

Anchore Enterprise UI

ui:
  # kubernetes service configuration for anchore UI
  service:
    type: NodePort
    port: 80
    annotations: {}
    sessionAffinity: ClientIP

Changed the service type to NodePort.

Deploy Anchore Enterprise

Enterprise services require an Anchore Enterprise license, as well as credentials with permission to access the private DockerHub repository containing the enterprise software.

Create a Kubernetes secret containing your license file:

kubectl create secret generic anchore-enterprise-license --from-file=license.yaml=<PATH/TO/LICENSE.YAML>

Create a Kubernetes secret containing DockerHub credentials with access to the private Anchore Enterprise software:

kubectl create secret docker-registry anchore-enterprise-pullcreds --docker-server=docker.io --docker-username=<DOCKERHUB_USER> --docker-password=<DOCKERHUB_PASSWORD> --docker-email=<EMAIL_ADDRESS>

Deploy Anchore Enterprise:

helm repo add anchore https://charts.anchore.io
helm install anchore anchore/enterprise -f anchore_values.yaml

It will take the system several minutes to bootstrap. You can check the status of the pods by running kubectl get pods:

$ kubectl get pods

NAME                                                              READY   STATUS    RESTARTS   AGE
anchore-enterprise-analyzer-7f9c7c65c8-tp8cs                      1/1     Running   0          13m
anchore-enterprise-api-754cdb48bc-x8kxt                           1/1     Running   0          13m
anchore-enterprise-catalog-64d4b9bb8-x8vmb                        1/1     Running   0          13m
anchore-enterprise-datasyncer-558959869f-qp9nx                    1/1     Running   0          13m
anchore-enterprise-notifications-65bd45459f-q28h2                 1/1     Running   0          13m
anchore-enterprise-policy-657fdfd7f6-gzkmh                        1/1     Running   0          13m
anchore-enterprise-reports-596cb47894-q8g49                       1/1     Running   0          13m
anchore-enterprise-reportsworker-6bc7f7b4dd-7fnrn                 1/1     Running   0          13m
anchore-enterprise-simplequeue-98b95f985-5xqcv                    1/1     Running   0          13m
anchore-enterprise-ui-6794bbd47-vxljt                             1/1     Running   0          13m
anchore-postgresql-0                                              1/1     Running   0          13m
anchore-ui-redis-master-0                                         1/1     Running   0          13m
mangy-serval-nginx-ingress-controller-788dd98c8b-jv2wg            1/1     Running   0          21m
mangy-serval-nginx-ingress-default-backend-8686cd585b-4m2bt       1/1     Running   0          21m

We can see that NGINX ingress controller has been installed as well from the previous step. You can view the services by running the following command:

$ kubectl get services | grep ingress

mangy-serval-nginx-ingress-controller                LoadBalancer   10.0.30.174    40.114.26.147   80:31176/TCP,443:30895/TCP                     22m
mangy-serval-nginx-ingress-default-backend           ClusterIP      10.0.243.221   <none>          80/TCP                                         22m

The above output shows that the IP address of the NGINX ingress controller is 40.114.26.147. Going to this address in the browser will take you to the Anchore Enterprise login page.

Anchore Enterprise System

Check the status of the system with AnchoreCTL to verify all of the Anchore Enterprise services are up:

Read more on Deploying AnchoreCTL.

ANCHORECTL_URL=http://40.114.26.147/v2/ ANCHORECTL_USERNAME=admin ANCHORECTL_PASSWORD=foobar anchorectl system status

Anchore Enterprise Feeds

It can take 5 minutes or more to fetch all of the vulnerability feeds from the Anchore Data Service. Check on the status of feeds with AnchoreCTL:

ANCHORECTL_URL=http://40.114.26.147/v2/ ANCHORECTL_USERNAME=admin ANCHORECTL_PASSWORD=foobar anchorectl feed list

It is not uncommon for the above command to return [] while the initial feed sync occurs.

Once the vulnerability feed sync is complete, Anchore Enterprise can begin to return vulnerability results on analyzed images. Please continue to the Vulnerability Management section of our documentation for more information.

2 - Deploying Anchore Enterprise on Amazon EKS

This section provides information on how to deploy Anchore Enterprise onto Amazon EKS. Here is recommended architecture on AWS EKS:

Prerequisites

You’ll need a running Amazon EKS cluster with worker nodes. See EKS Documentation for more information on this setup.

Once you have an EKS cluster up and running with worker nodes launched, you can verify it using the following command:

$ kubectl get nodes
NAME                             STATUS   ROLES    AGE   VERSION
ip-192-168-2-164.ec2.internal    Ready    <none>   10m   v1.30.3-eks-a737599
ip-192-168-35-43.ec2.internal    Ready    <none>   10m   v1.30.3-eks-a737599
ip-192-168-55-228.ec2.internal   Ready    <none>   10m   v1.30.3-eks-a737599

In order to deploy the Anchore Enterprise services, you’ll then need the Helm client installed on local host. Anchore maintains a Helm chart to simplify the software deployment process.

To make the necessary configurations to the Helm chart, create a custom anchore_values.yaml file and reference it during deployment. There are many options for configuration with Anchore. The following is intended to cover the recommended changes for successfully deploying Anchore Enterprise on Amazon EKS.

Configuration

The following configurations should be used when deploying on EKS.

RDS

Anchore recommends utilizing Amazon RDS for a managed database service, rather than the Anchore chart-managed postgres. For information on how to configure for an external RDS database, see Amazon RDS. It is suggested to allow the storage to automatically increase as needed.

S3 Object Storage

Anchore Enterprise supports the use of S3 object storage for archival of SBOMs, configuration details can be found here. Consider using the iamauto: True option to utilise IAM roles for access to S3.

PVCs

Anchore Enterprise by default uses ephemeral storage for pods but we recommend configuring Analyzer scratch space, at a minimum. Further details can be found here.

Anchore generally recommends providing EBS-backed storage for analyzer scratch of the gp3 type. Note that you will need to follow the AWS guide on storing K8s volumes with Amazon EBS. Once the CSI driver is configured for your cluster, you will then need to configure your helm chart with values similar to this:

analyzer:   
  scratchVolume:
    details:
      ephemeral:
        volumeClaimTemplate:
          metadata: {}
          spec:
            accessModes:
            - ReadWriteOnce
            resources:
              requests:
                # must be 3xANCHORE_MAX_COMPRESSED_IMAGE_SIZE_MB + analyser_cache_size
                # Setting this to 100G would mean the largest image you can scan is 30G (not counting analysis cache if you choose to configure that)
                storage: 100Gi
            # this would refer to whatever your storage class was named
            storageClassName: "gp3"

Ingress

Anchore recommends using the AWS load balancer controller or EKS Auto Mode (https://docs.aws.amazon.com/eks/latest/userguide/auto-configure-alb.html) for ingress.

We also suggest using a vanity domain (anchore.mydomain.com in the example below) over TLS with Route53 & ACM however this goes beyond the scope of this document.

Here is a sample manifest for use with the AWS LBC or EKS Auto Mode ALB ingress:

ingress:
  enabled: true
  apiPaths:
    - /v2/
    - /version/
  uiPath: /
  ingressClassName: alb
  annotations:
    # See https://github.com/kubernetes-sigs/aws-load-balancer-controller/blob/main/docs/guide/ingress/annotations.md for further customization of annotations
    alb.ingress.kubernetes.io/scheme: internet-facing
  # If you do not plan to bring your own hostname (i.e. use the AWS supplied CNAME for the load balancer) then you can leave apiHosts & uiHosts as empty lists:
  #apiHosts: []
  #uiHosts: []
  # If you plan to bring your own hostname then you'll likely want to populate them as follows:
  apiHosts:
    - anchore.mydomain.com
  uiHosts:
    - anchore.mydomain.com

There are alternative ways to access services within your EKS cluster besides LBC ingress.

You must also configure/change the following from ClusterIP to NodePort:

Anchore Enterprise API Service

# Pod configuration for the Anchore Enterprise API service.
api:
  # kubernetes service configuration for anchore external API
  service:
    type: NodePort
    port: 8228
    annotations: {}

Anchore Enterprise UI Service

ui:
  # kubernetes service configuration for anchore UI
  service:
    type: NodePort
    port: 80
    annotations: {}
    sessionAffinity: ClientIP

Amazon ALB Parameters

Users of ALB may want to align the timeout between gunicorn & ALB. The AWS ALB Connection idle timeout defaults to 60 seconds. The Anchore Enterprise Helm charts have a timeout setting that defaults to 5 seconds which should be aligned with the ALB timeout setting. Sporatic HTTP 502 errors may be emitted by the ALB if the timeouts are not in alignment. Please see this reference:

Changed timeout_keep_alive from 5 to 65 to align with the ALB’s default timeout of 60.

anchoreConfig:
  server:
    timeout_keep_alive: 65

Install Anchore Enterprise

Deploy Anchore Enterprise by following the instructions here.

Verify Ingress

Run the following command for details on the deployed ingress resource using the ELB:

$ kubectl describe ingress
Name:             anchore-enterprise
Namespace:        default
Address:          xxxxxxx-default-anchoreen-xxxx-xxxxxxxxx.us-east-1.elb.amazonaws.com
Default backend:  default-http-backend:80 (<none>)
Rules:
  Host  Path  Backends
  ----  ----  --------
  *     
        /v2/*   anchore-enterprise-api:8228 (192.168.42.122:8228)
        /*      anchore-enterprise-ui:80 (192.168.14.212:3000)
Annotations:
  alb.ingress.kubernetes.io/scheme:  internet-facing
  kubernetes.io/ingress.class:       alb
Events:
  Type    Reason  Age   From                    Message
  ----    ------  ----  ----                    -------
  Normal  CREATE  14m   alb-ingress-controller  LoadBalancer 904f0f3b-default-anchoreen-d4c9 created, ARN: arn:aws:elasticloadbalancing:us-east-1:077257324153:loadbalancer/app/904f0f3b-default-anchoreen-d4c9/4b0e9de48f13daac
  Normal  CREATE  14m   alb-ingress-controller  rule 1 created with conditions [{    Field: "path-pattern",    Values: ["/v2/*"]  }]
  Normal  CREATE  14m   alb-ingress-controller  rule 2 created with conditions [{    Field: "path-pattern",    Values: ["/*"]  }]

The output above shows that an ELB has been created. Next, try navigating to the specified URL in a browser:

Verify Anchore Enterprise Service Status

Check the status of the system with AnchoreCTL to verify all of the Anchore services are up:

Read more on Deploying AnchoreCTL.

ANCHORECTL_URL=http://xxxxxx-default-anchoreen-xxxx-xxxxxxxxxx.us-east-1.elb.amazonaws.com ANCHORECTL_USERNAME=admin ANCHORECTL_PASSWORD=foobar anchorectl system status

3 - Deploying Anchore Enterprise on Google Kubernetes Engine (GKE)

Get an understanding of deploying Anchore Enterprise on a Google Kubernetes Engine (GKE) cluster and exposing it on the public Internet.

When using Google Cloud, consider utilizing Cloud SQL for PostgreSQL as a managed database service.

Prerequisites

A running GKE cluster with worker nodes launched. See GKE Documentation for more information on this setup.
Helm client installed on local host.
AnchoreCTL installed on local host.

Once you have a GKE cluster up and running with worker nodes launched, you can verify it by using the following command.

$ kubectl get nodes
NAME                                                STATUS   ROLES    AGE   VERSION
gke-standard-cluster-1-default-pool-c04de8f1-hpk4   Ready    <none>   78s   v1.30.3-gke.1639000
gke-standard-cluster-1-default-pool-c04de8f1-m03k   Ready    <none>   79s   v1.30.3-gke.1639000
gke-standard-cluster-1-default-pool-c04de8f1-mz3q   Ready    <none>   78s   v1.30.3-gke.1639000

Anchore Enterprise Helm Chart

Anchore maintains a Helm chart to simplify the software deployment process. An Anchore Enterprise deployment of the chart will include the following:

Anchore Enterprise software
PostgreSQL (13 or higher)
Redis (7 or higher)

To make the necessary configurations to the Helm chart, create a custom anchore_values.yaml file and reference it during deployment. There are many options for configuration with Anchore Enterprise. The following is intended to cover the minimum required changes to successfully deploy Anchore Enterprise on Google Kubernetes Engine.

For this deployment, a GKE ingress controller will be used. You can read more about Kubernetes Ingress with a GKE Ingress Controller here.

Configurations

Make the following changes below to your anchore_values.yaml

Ingress

ingress:
  enabled: true
  apiPaths:
    - /v2/*
  uiPath: /*

Configuring ingress is optional. It is used throughout this guide to expose the Anchore Enterprise deployment on the public internet.

Anchore Enterprise API Service

api:
  replicaCount: 1
  # kubernetes service configuration for anchore external API
  service:
    type: NodePort
    port: 8228
    annotations: {}

Changed the service type to NodePort.

Anchore Enterprise UI

ui:
  # kubernetes service configuration for anchore UI
  service:
    type: NodePort
    port: 80
    annotations: {}
    sessionAffinity: ClientIP

Changed the service type to NodePort.

Anchore Enterprise Deployment

Create Secrets

Enterprise services require an Anchore Enterprise license, as well as credentials with permission to access the private DockerHub repository containing the enterprise software.

Create a Kubernetes secret containing your license file:

kubectl create secret generic anchore-enterprise-license --from-file=license.yaml=<PATH/TO/LICENSE.YAML>

Create a Kubernetes secret containing DockerHub credentials with access to the private Anchore Enterprise software:

kubectl create secret docker-registry anchore-enterprise-pullcreds --docker-server=docker.io --docker-username=<DOCKERHUB_USER> --docker-password=<DOCKERHUB_PASSWORD> --docker-email=<EMAIL_ADDRESS>

Deploy Anchore Enterprise:

helm repo add anchore https://charts.anchore.io
helm install anchore anchore/enterprise -f anchore_values.yaml

It will take the system several minutes to bootstrap. You can check the status of the pods by running kubectl get pods:

$ kubectl get pods
NAME                                                              READY   STATUS    RESTARTS   AGE
anchore-enterprise-analyzer-7f9c7c65c8-tp8cs                      1/1     Running   0          13m
anchore-enterprise-api-754cdb48bc-x8kxt                           1/1     Running   0          13m
anchore-enterprise-catalog-64d4b9bb8-x8vmb                        1/1     Running   0          13m
anchore-enterprise-datasyncer-558959869f-qp9nx                    1/1     Running   0          13m
anchore-enterprise-notifications-65bd45459f-q28h2                 1/1     Running   0          13m
anchore-enterprise-policy-657fdfd7f6-gzkmh                        1/1     Running   0          13m
anchore-enterprise-reports-596cb47894-q8g49                       1/1     Running   0          13m
anchore-enterprise-reportsworker-6bc7f7b4dd-7fnrn                 1/1     Running   0          13m
anchore-enterprise-simplequeue-98b95f985-5xqcv                    1/1     Running   0          13m
anchore-enterprise-ui-6794bbd47-vxljt                             1/1     Running   0          13m
anchore-postgresql-0                                              1/1     Running   0          13m
anchore-ui-redis-master-0                                         1/1     Running   0          13m

Run the following command for details on the deployed ingress resource:

$ kubectl describe ingress
Name:             anchore-enterprise
Namespace:        default
Address:          34.96.64.148
Default backend:  default-http-backend:80 (10.8.2.6:8080)
Rules:
  Host  Path  Backends
  ----  ----  --------
  *
        /v2/*   anchore-enterprise-api:8228 (<none>)
        /*      anchore-enterprise-ui:80 (<none>)
Annotations:
  kubernetes.io/ingress.class:            gce
  ingress.kubernetes.io/backends:         {"k8s-be-31175--55c0399dc5755377":"HEALTHY","k8s-be-31274--55c0399dc5755377":"HEALTHY","k8s-be-32037--55c0399dc5755377":"HEALTHY"}
  ingress.kubernetes.io/forwarding-rule:  k8s-fw-default-anchore-enterprise--55c0399dc5750
  ingress.kubernetes.io/target-proxy:     k8s-tp-default-anchore-enterprise--55c0399dc5750
  ingress.kubernetes.io/url-map:          k8s-um-default-anchore-enterprise--55c0399dc5750
Events:
  Type    Reason  Age   From                     Message
  ----    ------  ----  ----                     -------
  Normal  ADD     15m   loadbalancer-controller  default/anchore-enterprise
  Normal  CREATE  14m   loadbalancer-controller  ip: 34.96.64.148

The output above shows that an Load Balancer has been created. Navigate to the specified URL in a browser:

Anchore Enterprise System

Check the status of the system with AnchoreCTL to verify all of the Anchore services are up:

Read more on Deploying AnchoreCTL.

ANCHORECTL_URL=http://34.96.64.148 ANCHORECTL_USERNAME=admin ANCHORECTL_PASSWORD=foobar anchorectl system status

Anchore Enterprise Feeds

It can take some time to fetch all of the vulnerability feeds from the upstream data sources. Check on the status of feeds with AnchoreCTL:

ANCHORECTL_URL=http://34.96.64.148 ANCHORECTL_USERNAME=admin ANCHORECTL_PASSWORD=foobar anchorectl feed list

It is not uncommon for the above command to return [] while the initial feed sync occurs.

4 - Deploying Anchore Enterprise on OpenShift

This document will walk through the deployment of Anchore Enterprise on an OpenShift 4.x cluster and expose it on the public internet.

Prerequisites

A running OpenShift 4.x cluster. Read more about the installation requirements in the OpenShift Container Platform documentation.
Helm client and server installed and configured with your cluster.
AnchoreCTL installed on local host.

Anchore Enterprise Helm Chart

Anchore maintains a Helm chart to simplify the software deployment process. An Anchore Enterprise installation of the chart will include the following:

Anchore Enterprise software
PostgreSQL (13 or higher)
Redis (7 or higher)

OpenShift Configurations

Create a New Project

Create a new project called anchore-enterprise:

oc new-project anchore-enterprise

Create Secrets

Two secrets are required for an Anchore Enterprise deployment.

Create a secret for the license file:

oc create secret generic anchore-enterprise-license --from-file=license.yaml=license.yaml

Create a secret for pulling the images:

oc create secret docker-registry anchore-enterprise-pullcreds --docker-server=docker.io --docker-username=<username> --docker-password=<password> --docker-email=<email>

Verify these secrets are in the correct namespace (anchore-enterprise):

oc describe secret <secret-name>

Link ImagePullSecret

Link the above Docker registry secret to the default service account:

oc secrets link default anchore-enterprise-pullcreds --for=pull --namespace=anchore-enterprise

Verify this by running the following:

oc describe sa

Validate your OpenShift SCC. Based on the security constraints of your environment, you may need to change SCC: oc adm policy add-scc-to-user anyuid -z default.

Anchore Enterprise Configurations

Create a custom anchore_values.yaml file for your Anchore Enterprise deployment:

# NOTE: This is not a production ready values file for an openshift deployment.

securityContext:
  fsGroup: null
  runAsGroup: null
  runAsUser: null
postgresql:
  primary:
    containerSecurityContext:
      enabled: false
    podSecurityContext:
      enabled: false
ui-redis:
  master:
    podSecurityContext:
      enabled: false
    containerSecurityContext:
      enabled: false

Install Software

Run the following commands to install the software:

helm repo add anchore https://charts.anchore.io
helm install anchore -f anchore_values.yaml anchore/enterprise

It will take the system several minutes to bootstrap. You can check the status of the pods by running oc get pods:

$ oc get pods
NAME                                                READY   STATUS    RESTARTS   AGE
anchore-enterprise-analyzer-7f9c7c65c8-tp8cs        1/1     Running   0          13m
anchore-enterprise-api-754cdb48bc-x8kxt             1/1     Running   0          13m
anchore-enterprise-catalog-64d4b9bb8-x8vmb          1/1     Running   0          13m
anchore-enterprise-datasyncer-585997576d-2fgkg      1/1     Running   0          13m
anchore-enterprise-notifications-65bd45459f-q28h2   1/1     Running   0          13m
anchore-enterprise-policy-657fdfd7f6-gzkmh          1/1     Running   0          13m
anchore-enterprise-reports-596cb47894-q8g49         1/1     Running   0          13m
anchore-enterprise-reportsworker-6fb4f55455-f2ts2   1/1     Running   0          13m
anchore-enterprise-simplequeue-98b95f985-5xqcv      1/1     Running   0          13m
anchore-enterprise-ui-6794bbd47-vxljt               1/1     Running   0          13m
anchore-postgresql-0                                1/1     Running   0          13m
anchore-ui-redis-master-0                           1/1     Running   0          13m

Create Route Objects

Create two route objects in the OpenShift console to expose the UI and API services on the public internet:

Route configuration is optional. It is used throughout this guide to expose the Anchore Enterprise deployment on the public internet.

If your route or reverse proxy terminates TLS on behalf of Anchore Enterprise, you should set enable_ssl and enable_proxy to True in the Enterprise UI configuration. Without these settings, the UI may not correctly detect the HTTPS connection, which could result in unexpected behavior with session cookies and authentication. For more details, see Enterprise UI Configuration.

API Route

api-config

UI Route

ui-config

Routes

routes

Verify by navigating to the anchore-enterprise-ui route hostname. You should see the Anchore Enterprise login page.

Anchore Enterprise System

First you will need to retrieve the admin password. This is stored as a secret during the helm install process:

oc get secret anchore-enterprise-env -o jsonpath='{.data.ANCHORE_ADMIN_PASSWORD}' -n anchore | base64 -d

You can customize your Helm anchore_values.yaml file to use an existing/custom secret rather than have Helm generate one for you with a generated password.

Verify the API route hostname with AnchoreCTL:

Read more on Deploying AnchoreCTL.

ANCHORECTL_URL=http://<anchore-api-anchore.apps.rm2.thpm.p1.openshiftapps.com>\
ANCHORECTL_USERNAME=admin \
ANCHORECTL_PASSWORD=foobar \
anchorectl system status

Anchore Vulnerability Data

Anchore has a datasyncer service that pulls the vulnerability and other data sources such as the ClamAV malware database into your Anchore Enterprise deployment. You can check on the status of these feeds using AnchoreCTL:

ANCHORECTL_URL=http://<anchore-ui-anchore.apps.rm2.thpm.p1.openshiftapps.com> \
ANCHORECTL_USERNAME=admin \
ANCHORECTL_PASSWORD=foobar \
anchorectl feed list

Please continue to the Vulnerability Management section of our documentation for more information about Vulnerability Management within Anchore Enterprise.