To upgrade the Anchore Package📜
Check the upstream release notes and the helm chart upgrade notes.
Upgrading📜
Find the latest enterprise chart version that corresponds with the Anchore Enterprise version identified by Renovate.
Update the chart with KPT
kpt pkg update chart@enterprise-${chart.version} --strategy alpha-git-patch
Modifications made to upstream📜
Review the list of Big Bang Changes to this chart and ensure they weren’t overwritten in the update.
automountServiceAccountToken📜
The mutating Kyverno policy named update-automountserviceaccounttokens
is leveraged to harden all ServiceAccounts in this package with automountServiceAccountToken: false
. This policy is configured by namespace in the Big Bang umbrella chart repository at chart/templates/kyverno-policies/values.yaml.
This policy revokes access to the K8s API for Pods utilizing said ServiceAccounts. If a Pod truly requires access to the K8s API (for app functionality), the Pod is added to the pods:
array of the same mutating policy. This grants the Pod access to the API, and creates a Kyverno PolicyException to prevent an alert.
Testing New Anchore Version📜
Deploy Anchore as part of Big Bang📜
- Obtain the Big Bang dev Anchore enterprise license by following the below instructions:
- Clone the dogfood repo if you have not already, from https://repo1.dso.mil/big-bang/team/deployments/bigbang.git
- Run
sops -d bigbang/prod/environment-bb-secret.enc.yaml | yq '.stringData."values.yaml"' | yq '.addons.anchore.enterprise.licenseYaml'
to get the full license contents. - Add the full output from that command under
licenseYaml
in your override values (shown below), making sure that indentation is properly preserved
overrides/anchore.yaml
addons:
anchore:
enabled: true
git:
tag: Null
branch: "renovate/anchore"
adminPassword: "foobar"
enterprise:
enabled: true
licenseYaml: |
$LICENSE_CONTENT
sso:
enabled: true
client_id: "platform1_a8604cc9-f5e9-4656-802d-d05624370245_bb8-anchore"
values:
anchoreAnalyzer:
replicaCount: 2
helm upgrade -i bigbang ./bigbang/chart --create-namespace -n bigbang -f ./bigbang/chart/ingress-certs.yaml -f ./overrides/registry-values.yaml -f ./overrides/anchore.yaml
kiali
, kyverno
, promtail
, loki
, neuvector
, tempo
, and/or monitoring
in the deployment, if desired, as they are not required for testing.
- [ ] Visit
https://anchore.bigbang.dev
- [ ] Confirm ability to login with Keycloak (SSO)
- [ ] Provide your P1 SSO credentials and confirm successful login.
- [ ] Logout, then log in with the username and password. Login as ‘admin’ using the password specified in the overrides file
- [ ] Confirm the intended version and review the release notes by selecting the version number in the upper left. Ensure there are no important or breaking changes that need to be addressed
- [ ] Navigate to
Images
and selectAnalyze Tag
to add a new tag for analysis. - [ ] Populate the fields with a registry/image/tag of your choosing, or by using the example information.
- [ ] Allow several minutes for the analysis to complete.
- [ ] Select the repository name of your new tag, confirm
Status
isAnalyzed
- [ ] Select the tag SHA and confirm
Metadata
,Policy Compliance
, andAction Workbench
have all been Analyzed. (Vulnerabilities
will be marked unsuccessful, with a red ‘X,’ this is expected.)