Deploy on Kubernetes with Kustomize

Note on Kustomize and kubectl: kubectl starting with version 1.14 already ships with Kustomize 2.0.3 bundled. As of now, Kustomize 3.1.0 is not supported by kubectl, so it is also not supported by Eclipse Steady.

Prerequisites:
- a Kubernetes cluster
Clone the vulnerability-assessment-tool repository and change into its Kustomize directory:

```sh
git clone https://github.com/eclipse/steady.git
cd steady/kubernetes/kustomize
```
Make a copy of the sample files in kubernetes/kustomize/secrets and edit them to match your environment:

```sh
cp secrets/.env.sample secrets/.env
cp secrets/bugs-frontend-credentials.sample secrets/bugs-frontend-credentials
# edit the two files above before deploying
```
You are now ready to deploy Eclipse Steady inside your Kubernetes cluster:
```sh
kubectl apply -k .
```

The above command will create the `vulnerability-assessment-tool` namespace and install all the components in it. To check that everything is starting successfully, you can watch the pods with `kubectl -n vulnerability-assessment-tool get pods -w`. The deployment will request two PersistentVolumeClaims and a Service of type LoadBalancer, which may take some time to be created depending on the provider you are running on.
Reaching Eclipse Steady from the Internet
Eclipse Steady uses a Service of type LoadBalancer to allow Internet traffic to reach the cluster. This Service requests an external LoadBalancer from your provider and connects to it. That LoadBalancer will be exposed on the Internet, so be careful. The Service of type LoadBalancer should work with most providers, such as GKE and Azure. If not, you can follow this ingress-nginx guide.
Debugging Eclipse Steady from the local network
You can avoid listening on the Internet by disabling the Service defined in the services/cloud.yml file. To disable it, comment out the corresponding line in the root-level kustomization.yaml file. You can then connect to the main ingress via port-forwarding with the command `kubectl -n vulnerability-assessment-tool port-forward svc/haproxy-ingress 7000:8080` and then open your browser at the forwarded local port (7000).
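As an added example (not part of the Eclipse Steady documentation or project), a small Python audit script that reads the output of `kubectl -n vulnerability-assessment-tool get svc -o json` and reports which Services already have an Internet-facing LoadBalancer address, which LoadBalancers are still being provisioned, and which Services are only reachable via port-forward; the embedded sample output, the `rest-backend` Service name and the ports are constructed, not captured from a real deployment.

```python
import json
import sys

# Constructed sample of `kubectl -n vulnerability-assessment-tool get svc -o json`
# output, not captured from a real cluster: haproxy-ingress is the Service the
# page's port-forward targets; the other Service name and all ports are made up.
SAMPLE_SERVICE_LIST = json.dumps({"items": [
    {"metadata": {"name": "haproxy-ingress"},
     "spec": {"type": "LoadBalancer", "ports": [{"port": 8080}]},
     "status": {"loadBalancer": {"ingress": [{"ip": "203.0.113.10"}]}}},
    {"metadata": {"name": "rest-backend"},
     "spec": {"type": "ClusterIP", "ports": [{"port": 8091}]},
     "status": {"loadBalancer": {}}},
]})

def audit_services(raw_json):
    """Return (name, exposure, addresses, ports) for every Service in a
    `kubectl get svc -o json` document. exposure is "internet" for a
    LoadBalancer the provider has already given an external IP/hostname,
    "pending" for a LoadBalancer still being provisioned, "node-port" for
    NodePort, and "cluster-only" for ClusterIP (port-forward or in-cluster)."""
    findings = []
    for svc in json.loads(raw_json).get("items", []):
        name = svc["metadata"]["name"]
        spec = svc.get("spec", {})
        ports = sorted(p["port"] for p in spec.get("ports", []))
        ingress = svc.get("status", {}).get("loadBalancer", {}).get("ingress") or []
        # A provider may hand out an IP (GKE) or a hostname (some cloud LBs).
        addresses = [a for a in (e.get("ip") or e.get("hostname") for e in ingress) if a]
        svc_type = spec.get("type", "ClusterIP")
        if svc_type == "LoadBalancer":
            exposure = "internet" if addresses else "pending"
        elif svc_type == "NodePort":
            exposure = "node-port"
        else:
            exposure = "cluster-only"
        findings.append((name, exposure, addresses, ports))
    return findings

def exposed_services(raw_json):
    """Only the Services that are already reachable from the Internet."""
    return [f for f in audit_services(raw_json) if f[1] == "internet"]

if __name__ == "__main__":
    # Pipe real `kubectl ... get svc -o json` output in; with no stdin, use the sample.
    raw = "" if sys.stdin.isatty() else sys.stdin.read()
    for row in audit_services(raw if raw.strip() else SAMPLE_SERVICE_LIST):
        print("{:<20} {:<13} addresses={} ports={}".format(*row))
```

Run it right after `kubectl apply -k .` to confirm whether the haproxy-ingress LoadBalancer is still pending or already has a public address, and again after commenting out services/cloud.yml to confirm nothing is left Internet-facing.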
Populate/maintain the vulnerability database
In order for the tool to detect vulnerabilities, you first need to import and analyze them so that they are available in the tool's vulnerability database. A large part of the CVEs and bugs are open sourced in vulnerability-assessment-kb.
Follow the instructions mentioned here to import and build all the vulnerability knowledge.
- Import all the CVEs and bugs in your local database
- Set up your workspace (if you don't have one)
- Become familiar with the various analysis goals (first-time users)
- Analyze your Java or Python application (on a regular basis)
- Assess findings using the app's Web frontend (following every analysis)