Merge pull request #108 from philips/add-k8s-contrib

README: add instructions for kubernetes
8 years ago · 6883cb9b01
parent aef5f9dde4 9ce0956f1a
commit 6883cb9b01
3 changed files with 175 additions and 1 deletions
--- a/README.md
+++ b/README.md
@ -46,9 +46,25 @@ Clair detects some vulnerabilities and sends a webhook to your continuous deploy
 During the first run, Clair will bootstrap its database with vulnerability data from its data sources.
 It can take several minutes before the database has been fully populated.

+**NOTE:** These setups are not meant for production workloads, but as a quick way to get started.
+
+### Kubernetes
+
+An easy way to run Clair is with Kubernetes.
+If you are using the [CoreOS Kubernetes single-node instructions][single-node] for vagrant you will be able to access Clair at http://172.17.4.99:30061/ after following these instructions.
+
+```
+git clone https://github.com/coreos/clair
+cd clair/contrib/k8s
+kubectl create -f clair-kubernetes.yaml
+kubectl create secret generic clairsecret --from-file=./config.yaml
+```
+
+[single-node]: https://coreos.com/kubernetes/docs/latest/kubernetes-on-vagrant-single.html
+
 ### Docker Compose

-The easiest way to get an instance of Clair running is to use Docker Compose to run everything locally.
+Another easy way to get an instance of Clair running is to use Docker Compose to run everything locally.
 This runs a PostgreSQL database insecurely and locally in a container.
 This method should only be used for testing.

--- a/contrib/k8s/clair-kubernetes.yaml
+++ b/contrib/k8s/clair-kubernetes.yaml
@ -0,0 +1,84 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: clairsvc
+  labels:
+    app: clair
+spec:
+  type: NodePort
+  ports:
+  - port: 6060
+    protocol: TCP
+    nodePort: 30060
+    name: clair-port0
+  - port: 6061
+    protocol: TCP
+    nodePort: 30061
+    name: clair-port1
+  selector:
+    app: clair
+---
+apiVersion: v1
+kind: ReplicationController
+metadata:
+  name: clair
+spec:
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        app: clair
+    spec:
+      volumes:
+      - name: secret-volume
+        secret:
+          secretName: clairsecret
+      containers:
+      - name: clair
+        image: quay.io/coreos/clair
+        args:
+          - "-config"
+          - "/config/config.yaml"
+        ports:
+        - containerPort: 6060
+        - containerPort: 6061
+        volumeMounts:
+        - mountPath: /config
+          name: secret-volume
+---
+apiVersion: v1
+kind: ReplicationController
+metadata:
+  labels:
+    app: postgres
+  name: clair-postgres
+spec:
+  replicas: 1
+  selector:
+    app: postgres
+  template:
+    metadata:
+      labels:
+        app: postgres
+    spec:
+      containers:
+      - image: postgres:latest
+        name: postgres
+        env:
+        - name: POSTGRES_PASSWORD
+          value: password
+        ports:
+        - containerPort: 5432
+          name: postgres-port
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app: postgres
+  name: postgres
+spec:
+  ports:
+    - port: 5432
+  selector:
+    app: postgres
--- a/contrib/k8s/config.yaml
+++ b/contrib/k8s/config.yaml
@ -0,0 +1,74 @@
+# Copyright 2015 clair authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# The values specified here are the default values that Clair uses if no configuration file is specified or if the keys are not defined.
+clair:
+  database:
+    # PostgreSQL Connection string
+    # http://www.postgresql.org/docs/9.4/static/libpq-connect.html
+    source: postgres://postgres:password@postgres:5432/postgres?sslmode=disable
+
+    # Number of elements kept in the cache
+    # Values unlikely to change (e.g. namespaces) are cached in order to save prevent needless roundtrips to the database.
+    cacheSize: 16384
+
+  api:
+    # API server port
+    port: 6060
+
+    # Health server port
+    # This is an unencrypted endpoint useful for load balancers to check to healthiness of the clair server.
+    healthport: 6061
+
+    # Deadline before an API request will respond with a 503
+    timeout: 900s
+
+    # 32-bit URL-safe base64 key used to encrypt pagination tokens
+    # If one is not provided, it will be generated.
+    # Multiple clair instances in the same cluster need the same value.
+    paginationKey:
+
+    # Optional PKI configuration
+    # If you want to easily generate client certificates and CAs, try the following projects:
+    # https://github.com/coreos/etcd-ca
+    # https://github.com/cloudflare/cfssl
+    servername:
+    cafile:
+    keyfile:
+    certfile:
+
+  updater:
+    # Frequency the database will be updated with vulnerabilities from the default data sources
+    # The value 0 disables the updater entirely.
+    interval: 2h
+
+  notifier:
+    # Number of attempts before the notification is marked as failed to be sent
+    attempts: 3
+
+    # Duration before a failed notification is retried
+    renotifyInterval: 2h
+
+    http:
+      # Optional endpoint that will receive notifications via POST requests
+      endpoint:
+
+      # Optional PKI configuration
+      # If you want to easily generate client certificates and CAs, try the following projects:
+      # https://github.com/cloudflare/cfssl
+      # https://github.com/coreos/etcd-ca
+      servername:
+      cafile:
+      keyfile:
+      certfile: