+++
title = "Module 5: Vulnerability management"
chapter = false
weight = 16
+++

>**Estimated time:** 15 min

## Learning objectives

Manage discovered vulnerabilities of applications deployed into the cluster.

## Steps

1. Download the `tigera-scanner` binary.

    >Refer to the [Image Assurance](https://docs.tigera.io/calico-cloud/image-assurance/) docs for the most recent information.

    [Follow the docs](https://docs.tigera.io/calico-cloud/image-assurance/scan-image-registries#start-the-cli-scanner) to download the `tigera-scanner` binary, which is used to scan application images.

    >Note that the scanner version in the command below may be outdated, as the scanner binary is often updated with each release of Calico Cloud. Follow the docs to get the most recent `tigera-scanner` binary.

    ```bash
    # download the scanner CLI, make it executable and confirm it runs
    curl -Lo tigera-scanner https://installer.calicocloud.io/tigera-scanner/v3.16.1-11/image-assurance-scanner-cli-linux-amd64
    chmod +x ./tigera-scanner
    ./tigera-scanner version
    ```

2. Scan application images.

    a. Retrieve the `API URL` and `Token` values by navigating to **Image Assurance** > **Access Settings** in the Calico Cloud UI.

    b. Scan application images.

    >In order to scan an image, you need to pull it down first and then scan it.

    ```bash
    # set vars (use the API URL and token from Image Assurance > Access Settings)
    API_URL='https://.calicocloud.io'
    TOKEN=''

    # pull image locally
    docker pull gcr.io/google-samples/microservices-demo/frontend:v0.3.8

    # scan the image: CVSS >= 7.0 marks it Fail, CVSS >= 3.9 marks it Warn
    ./tigera-scanner scan gcr.io/google-samples/microservices-demo/frontend:v0.3.8 --fail_threshold 7.0 --warn_threshold 3.9 --apiurl $API_URL --token $TOKEN
    ```

    Navigate to **Image Assurance** > **Scan Results** in the Calico Cloud UI and review the scan results.

3. Configure the image assurance admission controller.

    >The image assurance admission controller enforces the policies that determine which images are allowed to be deployed into the cluster. The `tigera-admission-controller.yaml` manifest is configured to look for namespaces carrying the `tigera-admission-controller: enforcing` label and to enforce container admission only there.

    a. Add the `tigera-admission-controller: enforcing` label to the `default` namespace.

    ```bash
    kubectl label namespace default tigera-admission-controller=enforcing
    ```

    b. Deploy the admission controller.

    >See the [image assurance](https://docs.tigera.io/calico-cloud/image-assurance/install-the-admission-controller#install-the-admission-controller) docs to get the most recent version.

    >NOTE: if your workstation has OpenSSL 1.0.2 or any other version that doesn't support the `-addext` flag, update OpenSSL to version 1.1.x or newer and make sure that the `openssl` executable invokes the new version. On Amazon Linux 2 you can do it with this line: `sudo yum install -y openssl11 && sudo ln -s /usr/bin/openssl11 /usr/bin/openssl`

    ```bash
    # get most recent versions and adjust these vars
    IA_VERSION='v3.16.1-11'
    IA_AC_VERSION='v1.7.3'

    # generate the TLS certificate and key used by the admission webhook
    curl https://installer.calicocloud.io/manifests/${IA_VERSION}/manifests/generate-open-ssl-key-cert-pair.sh | bash

    # deploy admission controller, substituting the base64-encoded cert, key and version into the manifest
    sed -e "s/BASE64_CERTIFICATE/$(printf '%q' "$(base64 < admission_controller_cert.pem)")/g" \
        -e "s/BASE64_KEY/$(printf '%q' "$(base64 < admission_controller_key.pem)")/g" \
        -e "s/IA_AC_VERSION/$IA_AC_VERSION/g" \
        demo/80-image-assurance/tigera-image-assurance-admission-controller-deploy.yaml | kubectl apply -f-
    ```

4. Configure the container admission policy.

    Deploy a container admission policy that only allows deployment of images that have a `Pass` or `Warn` status.

    ```bash
    kubectl apply -f demo/80-image-assurance/tigera-image-assurance-admission-controller-policy.yaml
    ```

    To test the policy enforcement, first delete and then redeploy the boutiqueshop application stack, since the admission controller can only evaluate a container at the moment it is created in the cluster.

    >Note that the `reject-failed` container admission policy is configured to only allow images that have a scanning status of `Pass` or `Warn`. If an image for any application component hasn't been scanned yet, its status will be `Unknown`. If you don't want to scan all images for the boutiqueshop stack, you can edit the admission policy to also allow images with the `Unknown` status.

    ```bash
    # delete app stack
    kubectl delete -f https://raw.githubusercontent.com/GoogleCloudPlatform/microservices-demo/release/v0.3.8/release/kubernetes-manifests.yaml

    # deploy app stack (each pod is now evaluated by the admission controller on creation)
    kubectl apply -f https://raw.githubusercontent.com/GoogleCloudPlatform/microservices-demo/release/v0.3.8/release/kubernetes-manifests.yaml
    ```
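As an added illustration (not the module's own `tigera-image-assurance-admission-controller-policy.yaml`), here is what a `reject-failed` policy with the semantics described above looks like, with the `Unknown` relaxation shown as a commented-out line; the field names assume the `ContainerAdmissionPolicy` schema from the linked Calico Cloud docs.

```yaml
# Added example, not the module's own manifest. Field names assume the
# ContainerAdmissionPolicy schema described in the Calico Cloud docs.
apiVersion: containersecurity.tigera.io/v1beta1
kind: ContainerAdmissionPolicy
metadata:
  name: reject-failed
spec:
  # match every pod; the admission controller manifest already limits
  # enforcement to namespaces labelled tigera-admission-controller: enforcing
  selector: all()
  namespaceSelector: all()
  order: 10
  rules:
    # admit images whose latest scan result is Pass or Warn
    - action: Allow
      imageScanStatus:
        operator: IsOneOf
        values:
          - Pass
          - Warn
          # uncomment to also admit images that have not been scanned yet
          # - Unknown
    # anything else (Fail, or Unknown while the line above is commented) is rejected
    - action: Reject
```

Rules are evaluated in order, so the trailing `Reject` is what turns a never-scanned image into a blocked deployment.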