Using the Red Hat Quay Container Security Operator, you can access vulnerability scan results from the OKD web console for container images used in active pods on the cluster. The Red Hat Quay Container Security Operator:

  • Watches containers associated with pods on all or specified namespaces

  • Queries the container registry where the containers came from for vulnerability information, provided an image’s registry is running image scanning (such as Quay.io or a Red Hat Quay registry with Clair scanning)

  • Exposes vulnerabilities via the ImageManifestVuln object in the Kubernetes API

Using the instructions here, the Red Hat Quay Container Security Operator is installed in the openshift-operators namespace, so it is available to all namespaces on your OKD cluster.

Running the Red Hat Quay Container Security Operator

You can start the Red Hat Quay Container Security Operator from the OKD web console by selecting and installing that Operator from the Operator Hub, as described here.

  • Have administrator privileges to the OKD cluster

  • Have containers that come from a Red Hat Quay or Quay.io registry running on your cluster

  1. Navigate to OperatorsOperatorHub and select Security.

  2. Select the Container Security Operator, then select Install to go to the Create Operator Subscription page.

  3. Check the settings. All namespaces and automatic approval strategy are selected, by default.

  4. Select Install. The Container Security Operator appears after a few moments on the Installed Operators screen.

  5. Optional: You can add custom certificates to the Red Hat Quay Container Security Operator. In this example, create a certificate named quay.crt in the current directory. Then run the following command to add the cert to the Red Hat Quay Container Security Operator:

    $ oc create secret generic container-security-operator-extra-certs --from-file=quay.crt -n openshift-operators
  6. If you added a custom certificate, restart the Operator pod for the new certs to take effect.

  7. Open the OpenShift Dashboard (HomeOverview). A link to Quay Image Security appears under the status section, with a listing of the number of vulnerabilities found so far. Select the link to see a Quay Image Security breakdown, as shown in the following figure:

    Access image scanning data from OKD dashboard

  8. You can do one of two things at this point to follow up on any detected vulnerabilities:

    • Select the link to the vulnerability. You are taken to the container registry that the container came from, where you can see information about the vulnerability. The following figure shows an example of detected vulnerabilities from a Quay.io registry: