Anchore Engine Helm Chart
This chart deploys the Anchore Engine docker container image analysis system. Anchore Engine requires a PostgreSQL database (>=9.6) which may be handled by the chart or supplied externally, and executes in a service based architecture utilizing the following Anchore Engine services: External API, Simplequeue, Catalog, Policy Engine, and Analyzer.
This chart can also be used to install the following Anchore Enterprise services: GUI, RBAC, On-prem Feeds. Enterprise services require a valid Anchore Enterprise License as well as credentials with access to the private dockerhub repository hosting the images. These are not enabled by default.
Each of these services can be scaled and configured independently.
See Anchore Engine for more project details.
The chart is split into global and service specific configurations for the OSS Anchore Engine, as well as global and services specific configurations for the Enterprise components.
anchoreGlobalsection is for configuration values required by all Anchore Engine components.
anchoreEnterpriseGlobalsection is for configuration values required by all Anchore Engine Enterprise components.
- Service specific configuration values allow customization for each individual service.
For a description of each component, view the official documentation at: Anchore Enterprise Service Overview
Installing the Anchore Engine OSS Chart
helm install stable/anchore-engine
Anchore Engine will take approximately 3 minutes to bootstrap. After the initial bootstrap period, Anchore Engine will begin a vulnerability feed sync. During this time, image analysis will show zero vulnerabilities until the sync is completed. This sync can take multiple hours depending on which feeds are enabled. The following anchore-cli command is available to poll the system and report back when the engine is bootstrapped and the vulnerability feeds are all synced up.
anchore-cli system wait
The recommended way to install the Anchore Engine Chart is with a customized values file and a custom release name. Create a new file named
anchore_values.yaml and add all desired custom values (examples below); then run the following command:
helm install --name <release_name> -f anchore_values.yaml stable/anchore-engine
Note: It is highly recommended to set non-default passwords when deploying. All passwords are set to defaults specified in the chart.
Install using chart managed PostgreSQL service with custom passwords.
## anchore_values.yaml postgresql: postgresPassword: <PASSWORD> persistence: size: 50Gi anchoreGlobal: defaultAdminPassword: <PASSWORD> defaultAdminEmail: <EMAIL>
Upgrading to Chart version 0.10.0
Ingress resources have been changed to work natively with NGINX ingress controllers. If you're using a different ingress controller, update your values.yaml file accordingly. See the Using Ingress configuration section for examples of NGINX & GCE ingress controller configurations.
Service configs have been moved from the anchoreGlobal section, to individual component sections in the values.yaml file. If you're upgrading from a previous install and are using custom ports or serviceTypes, be sure to update your values.yaml file accordingly.
v0.9.0 service config
anchoreGlobal: service: type: ClusterIP apiPort: 8228
v0.10.0 service config
anchoreApi: service: type: ClusterIP port: 8228
Upgrading to Chart version 0.9.0
Version 0.9.0 of the anchore-engine helm chart includes major changes to the architecture, values.yaml file, as well as introduced Anchore Enterprise components. Due to these changes, it is highly recommended that upgrades are handled with caution. Any custom values.yaml files will also need to be adjusted to match the new structure. Version upgrades have only been validated when upgrading from 0.2.6 -> 0.9.0.
helm upgrade <release_name> stable/anchore-engine
When upgrading the Chart from version 0.2.6 to version 0.9.0, it will take approximately 5 minutes for anchore-engine to upgrade the database.
To ensure that the upgrade has completed, run the
anchore-cli system status command and verify the engine & db versions match the output below.
Engine DB Version: 0.0.8 Engine Code Version: 0.3.0
All configurations should be appended to your custom
anchore_values.yaml file and utilized when installing the chart.
While the configuration options of Anchore Engine are extensive, the options provided by the chart are:
Exposing the service outside the cluster:
This configuration allows SSL termination at the LB.
Note: Ingress controllers can use custom hosts or paths for routing requests. Custom paths or hosts should be set in the corresponding component configuration - anchoreEnterpriseUI.ingress or anchoreApi.ingress
NGINX Ingress Controller
anchoreGlobal: ingress: enabled: true
GCE Ingress Controller
anchoreGlobal: ingress: enabled: true annotations: null anchoreApi: ingress: path: /v1/* service: type: NodePort anchoreEnterpriseUi: ingress: path: /* service type: NodePort
Using Service Type
anchoreApi: service: type: LoadBalancer
Install using an existing/external PostgreSQL instance
Note: it is recommended to use an external Postgresql instance for production installs
postgresql: postgresPassword: <PASSWORD> postgresUser: <USER> postgresDatabase: <DATABASE> enabled: false externalEndpoint: <HOSTNAME:5432> anchoreGlobal: dbConfig: ssl: true
Note: it is recommended to use an external archive driver for production installs.
The archive subsystem of Anchore Engine is what stores large json documents and can consume quite a lot of storage if you analyze a lot of images. A general rule for storage provisioning is 10MB per image analyzed, so with thousands of analyzed images, you may need many gigabytes of storage. The Archive drivers now support other backends than just postgresql, so you can leverage external and scalable storage systems and keep the postgresql storage usage to a much lower level.
The archive system has compression available to help reduce size of objects and storage consumed in exchange for slightly slower performance and more cpu usage. There are two config values:
To toggle on/off (default is True), and set a minimum size for compression to be used (to avoid compressing things too small to be of much benefit, the default is 100):
anchoreCatalog: archive: compression: enabled=True min_size_kbytes=100
The supported archive drivers are:
- S3 - Any AWS s3-api compatible system (e.g. minio, scality, etc)
- OpenStack Swift
- Local FS - A local filesystem on the core pod. Does not handle sharding or replication, so generally only for testing.
- DB - the default postgresql backend
anchoreCatalog: archive: storage_driver: name: 's3' config: access_key: 'MY_ACCESS_KEY' secret_key: 'MY_SECRET_KEY' #iamauto: True url: 'https://S3-end-point.example.com' region: null bucket: 'anchorearchive' create_bucket: True compression: ... # Compression config here
The swift configuration is basically a pass-thru to the underlying pythonswiftclient so it can take quite a few different options depending on your swift deployment and config. The best way to configure the swift driver is by using a custom values.yaml
The Swift driver supports three authentication methods:
- Keystone V3
- Keystone V2
- Legacy (username / password)
anchoreCatalog: archive: storage_driver: name: swift config: auth_version: '3' os_username: 'myusername' os_password: 'mypassword' os_project_name: myproject os_project_domain_name: example.com os_auth_url: 'foo.example.com:8000/auth/etc' container: 'anchorearchive' # Optionally create_container: True compression: ... # Compression config here
anchoreCatalog: archive: storage_driver: name: swift config: auth_version: '2' os_username: 'myusername' os_password: 'mypassword' os_tenant_name: 'mytenant' os_auth_url: 'foo.example.com:8000/auth/etc' container: 'anchorearchive' # Optionally create_container: True compression: ... # Compression config here
anchoreCatalog: archive: storage_driver: name: swift config: user: 'user:password' auth: 'http://swift.example.com:8080/auth/v1.0' key: 'anchore' container: 'anchorearchive' # Optionally create_container: True compression: ... # Compression config here
This is the default archive driver and requires no additional configuration.
Anchore Engine supports exporting prometheus metrics form each container. To enable metrics:
anchoreGlobal: enableMetrics: True
When enabled, each service provides the metrics over the existing service port so your prometheus deployment will need to know about each pod and the ports it provides to scrape the metrics.
Anchore Engine in v0.2.3 introduces a new events subsystem that exposes system-wide events via both a REST api as well as via webhooks. The webhooks support filtering to ensure only certain event classes result in webhook calls to help limit the volume of calls if you desire. Events, and all webhooks, are emitted from the core components, so configuration is done in the coreConfig.
To configure the events:
anchoreCatalog: events: notification: enabled:true level=error
Scaling Individual Components
As of Chart version 0.9.0, all services can now be scaled-out by increasing the replica counts. The chart now supports this configuration.
To set a specific number of service containers:
anchoreAnalyzer: replicaCount: 5 anchorePolicyEngine: replicaCount: 3
To update the number in a running configuration:
helm upgrade --set anchoreAnalyzer.replicaCount=2 <releasename> stable/anchore-engine -f anchore_values.yaml
Adding Enterprise Components
The following features are available to Anchore Enterprise customers. Please contact the Anchore team for more information about getting a license for the enterprise features. Anchore Enterprise Demo
* Role based access control * Graphical User Interface * On-prem feeds service * Snyk vulnerability data
Enabling Enterprise Services
Enterprise services require an Anchore Enterprise license, as well as credentials with permission to the private docker repositories that contain the enterprise images.
To use this Helm chart with the enterprise services enabled, perform these steps.
Create a kubernetes secret containing your license file.
kubectl create secret generic anchore-enterprise-license --from-file=license.yaml=<PATH/TO/LICENSE.YAML>
Create a kubernetes secret containing dockerhub credentials with access to the private anchore enterprise repositories.
kubectl create secret docker-registry anchore-enterprise-pullcreds --docker-server=docker.io --docker-username=<DOCKERHUB_USER> --docker-password=<DOCKERHUB_PASSWORD> --docker-email=<EMAIL_ADDRESS>
Install the helm chart using a custom anchore_values.yaml file (see examples below)
helm install --name <release_name> -f /path/to/anchore_values.yaml stable/anchore-engine
Example anchore_values.yaml file for installing Anchore Enterprise
Note: This installs with chart managed PostgreSQL & Redis databases. This is not a production ready config.
## anchore_values.yaml postgresql: postgresPassword: <PASSWORD> persistence: size: 50Gi anchoreGlobal: defaultAdminPassword: <PASSWORD> defaultAdminEmail: <EMAIL> enableMetrics: True anchoreEnterpriseGlobal: enabled: True anchore-feeds-db: postgresPassword: <PASSWORD> anchore-ui-redis: password: <PASSWORD>