Runtime Inventory
Overview
Anchore’s runtime inventory agents give Anchore Enterprise visibility into which images are actually running in your deployments, so vulnerabilities and policy violations can be traced to the production workloads they affect.
Agents
Anchore provides agents for collecting the inventory of different container runtime environments:
General Runtime Configuration
Inventory Time-To-Live
As part of reporting on your runtime environment, Anchore maintains an active record of the containers, the images they run, and other related metadata, keyed on the time each item was last reported by an inventory agent.
Anchore can be configured to remove this metadata after a configurable Time-To-Live, or to keep only the most recently reported data.
services:
  catalog:
    runtime_inventory:
      image_ttl_days: 120
      image_ingest_overwrite: false
By default the inventory TTL is 120 days: if no inventory agent has reported a container or its related metadata (including the container image) in its configured contexts for more than 4 months, that item is removed from the active inventory set and is no longer returned from GET /v2/inventories.
This behavior can be disabled by setting runtime_inventory.image_ttl_days to zero, in which case runtime inventory is kept indefinitely.
Alternatively, runtime_inventory.image_ingest_overwrite can be set to true to remove outdated inventory during each inventory sync. This mode only removes inventory items that the system can be sure are no longer present: pods and containers that are missing from a namespace included in the latest inventory report. Items from a namespace that has been deleted entirely never appear in a report, so this mode does not remove them; to clean those up, runtime_inventory.image_ttl_days must also be set. Choose a TTL long enough that inventory is not removed incorrectly during an outage of the reporting agent. The exact value depends on the deployment, but 7 days is a reasonable starting point.
Deleting Inventory via API
Where waiting for the image TTL to remove runtime inventory is not desirable, inventory items can be deleted manually by issuing a DELETE to /v2/inventories with the following query parameters.
- inventory_type (required) - either ecs or kubernetes
- context (required) - must match a context as shown in the output of anchorectl inventory list
  - Kubernetes - the cluster name (as defined in the anchore-k8s-inventory config) and a namespace containing running containers, e.g. cluster1/default
  - ECS - the cluster ARN, e.g. arn:aws:ecs:eu-west-2:123456789012:cluster/myclustername
- image_digest (optional) - set if you only want to remove a specific image
e.g. DELETE /v2/inventories?inventory_type=<string>&context=<string>&image_digest=<string>
Using curl: curl -X DELETE -u username:password "http://{servername:port}/v2/inventories?inventory_type=<string>&context=<string>&image_digest=<string>"
Omit the image_digest parameter to remove every image recorded for the given context.
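The same DELETE call wrapped in a small shell function, as an added example that is not part of the Anchore documentation or tooling. It validates the two required parameters before sending anything, lets curl URL-encode the context value (which contains / and, for ECS ARNs, :), and fails on HTTP errors so a script notices a rejected request. The environment variable names ANCHORE_URL, ANCHORE_USER, ANCHORE_PASS and ANCHORE_DRY_RUN are assumptions chosen for this example.

```shell
#!/bin/sh
# Added example: wrapper for DELETE /v2/inventories on Anchore Enterprise.
# Not part of the Anchore documentation or tooling. Assumed environment
# variables (names chosen for this example): ANCHORE_URL, ANCHORE_USER,
# ANCHORE_PASS. Set ANCHORE_DRY_RUN=1 to print the curl invocation instead
# of sending the request.

anchore_delete_inventory() {
  local inventory_type context image_digest
  inventory_type="$1"
  context="$2"
  image_digest="${3:-}"

  # The API accepts only these two inventory types; reject anything else
  # locally rather than sending a request the server will refuse.
  case "$inventory_type" in
    ecs|kubernetes) ;;
    *)
      echo "inventory_type must be 'ecs' or 'kubernetes', got '${inventory_type}'" >&2
      return 2
      ;;
  esac
  if [ -z "$context" ]; then
    echo "context is required, e.g. cluster1/default or an ECS cluster ARN" >&2
    return 2
  fi

  # Build the curl argument list in the positional parameters (POSIX sh has
  # no arrays). -G sends the --data-urlencode pairs as query parameters, so
  # the context value is encoded by curl instead of being pasted raw into the
  # URL. -f makes curl return non-zero on an HTTP error (4xx/5xx).
  set -- -sS -f -G -X DELETE \
    -u "${ANCHORE_USER:?}:${ANCHORE_PASS:?}" \
    --data-urlencode "inventory_type=${inventory_type}" \
    --data-urlencode "context=${context}"
  if [ -n "$image_digest" ]; then
    # Optional: restrict the deletion to one image in the context.
    set -- "$@" --data-urlencode "image_digest=${image_digest}"
  fi
  set -- "$@" "${ANCHORE_URL:?}/v2/inventories"

  if [ "${ANCHORE_DRY_RUN:-0}" = "1" ]; then
    echo "curl $*"
    return 0
  fi
  curl "$@"
}

# Usage:
#   anchore_delete_inventory kubernetes cluster1/default
#   anchore_delete_inventory ecs arn:aws:ecs:eu-west-2:123456789012:cluster/myclustername sha256:<digest>
```

Credentials passed with -u are visible to other local users in the process list; for unattended use, keep them in a netrc file (curl --netrc-file) or a curl config file passed with -K instead of on the command line.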