Deploying Anchore Enterprise on Google Kubernetes Engine (GKE)
Get an understanding of deploying Anchore Enterprise on a Google Kubernetes Engine (GKE) cluster and exposing it on the public Internet.
Note when using Google Cloud, consider utilizing Cloud SQL for PostgreSQL as a managed database service.
Prerequisites
- A running GKE cluster with worker nodes launched. See GKE Documentation for more information on this setup.
- Helm client installed on local host.
- AnchoreCTL installed on local host.
Once you have a GKE cluster up and running with worker nodes launched, you can verify it by using the followiing command.
$ kubectl get nodes
NAME STATUS ROLES AGE VERSION
gke-standard-cluster-1-default-pool-c04de8f1-hpk4 Ready <none> 78s v1.13.7-gke.24
gke-standard-cluster-1-default-pool-c04de8f1-m03k Ready <none> 79s v1.13.7-gke.24
gke-standard-cluster-1-default-pool-c04de8f1-mz3q Ready <none> 78s v1.13.7-gke.24
Anchore Helm Chart
Anchore maintains a Helm chart to simplify the software deployment process. An Anchore Enterprise deployment of the chart will include the following:
- Anchore Enterprise software
- PostgreSQL (13 or higher)
- Redis (4)
To make the necessary configurations to the Helm chart, create a custom anchore_values.yaml file and reference it during deployment. There are many options for configuration with Anchore. The following is intended to cover the minimum required changes to successfully deploy Anchore Enterprise on Google Kubernetes Engine.
Note: For this deployment, a GKE ingress controller will be used. You can read more about Kubernetes Ingress with a GKE Ingress Controller here
Configurations
Make the following changes below to your anchore_values.yaml
Ingress
ingress:
enabled: true
apiPaths:
- /v2/*
uiPath: /*
Note: Configuring ingress is optional. It is used throughout this guide to expose the Anchore deployment on the public internet.
Anchore API Service
api:
replicaCount: 1
# kubernetes service configuration for anchore external API
service:
type: NodePort
port: 8228
annotations: {}
Note: Changed the service type to NodePort
Anchore Enterprise UI
ui:
# kubernetes service configuration for anchore UI
service:
type: NodePort
port: 80
annotations: {}
sessionAffinity: ClientIP
Note: Changed service type to NodePort.
Anchore Enterprise Deployment
Create Secrets
Enterprise services require an Anchore Enterprise license, as well as credentials with permission to access the private DockerHub repository containing the enterprise software.
Create a Kubernetes secret containing your license file:
kubectl create secret generic anchore-enterprise-license --from-file=license.yaml=<PATH/TO/LICENSE.YAML>
Create a Kubernetes secret containing DockerHub credentials with access to the private Anchore Enterprise software:
kubectl create secret docker-registry anchore-enterprise-pullcreds --docker-server=docker.io --docker-username=<DOCKERHUB_USER> --docker-password=<DOCKERHUB_PASSWORD> --docker-email=<EMAIL_ADDRESS>
Deploy Anchore Enterprise:
helm repo add anchore https://charts.anchore.io
helm install anchore anchore/enterprise -f anchore_values.yaml
It will take the system several minutes to bootstrap. You can checks on the status of the pods by running kubectl get pods:
$ kubectl get pods
NAME READY STATUS RESTARTS AGE
anchore-enterprise-analyzer-7f9c7c65c8-tp8cs 1/1 Running 0 13m
anchore-enterprise-api-754cdb48bc-x8kxt 3/3 Running 0 13m
anchore-enterprise-catalog-64d4b9bb8-x8vmb 1/1 Running 0 13m
anchore-enterprise-notifications-65bd45459f-q28h2 2/2 Running 0 13m
anchore-enterprise-policy-657fdfd7f6-gzkmh 1/1 Running 0 13m
anchore-enterprise-reports-596cb47894-q8g49 1/1 Running 0 13m
anchore-enterprise-simplequeue-98b95f985-5xqcv 1/1 Running 0 13m
anchore-enterprise-ui-6794bbd47-vxljt 1/1 Running 0 13m
anchore-feeds-77b8976c4c-rs8h2 1/1 Running 0 13m
anchore-feeds-db-0 1/1 Running 0 13m
anchore-postgresql-0 1/1 Running 0 13m
anchore-ui-redis-master-0 1/1 Running 0 13m
Run the following command for details on the deployed ingress resource:
$ kubectl describe ingress
Name: anchore-enterprise
Namespace: default
Address: 34.96.64.148
Default backend: default-http-backend:80 (10.8.2.6:8080)
Rules:
Host Path Backends
---- ---- --------
*
/v2/* anchore-enterprise-api:8228 (<none>)
/* anchore-enterprise-ui:80 (<none>)
Annotations:
kubernetes.io/ingress.class: gce
ingress.kubernetes.io/backends: {"k8s-be-31175--55c0399dc5755377":"HEALTHY","k8s-be-31274--55c0399dc5755377":"HEALTHY","k8s-be-32037--55c0399dc5755377":"HEALTHY"}
ingress.kubernetes.io/forwarding-rule: k8s-fw-default-anchore-enterprise--55c0399dc5750
ingress.kubernetes.io/target-proxy: k8s-tp-default-anchore-enterprise--55c0399dc5750
ingress.kubernetes.io/url-map: k8s-um-default-anchore-enterprise--55c0399dc5750
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal ADD 15m loadbalancer-controller default/anchore-enterprise
Normal CREATE 14m loadbalancer-controller ip: 34.96.64.148
The output above shows that an Load Balancer has been created. Navigate to the specified URL in a browser:
Anchore System
Check the status of the system with AnchoreCTL to verify all of the Anchore services are up:
Note: Read more on Deploying AnchoreCTL
ANCHORECTL_URL=http://34.96.64.148 ANCHORECTL_USERNAME=admin ANCHORECTL_PASSWORD=foobar anchorectl system status
Anchore Feeds
It can take some time to fetch all of the vulnerability feeds from the upstream data sources. Check on the status of feeds with Anchore CTL:
ANCHORECTL_URL=http://34.96.64.148 ANCHORECTL_USERNAME=admin ANCHORECTL_PASSWORD=foobar anchorectl feed list
Note: It is not uncommon for the above command to return a: [] as the initial feed sync occurs.
Once the vulnerability feed sync is complete, Anchore can begin to return vulnerability results on analyzed images. Please continue to the Vulnerability Management section of our documentation for more information.
Last modified April 4, 2024