diff --git a/docs/Affinity.md b/docs/Affinity.md index a2c731f9cbdf10d7d5dc423ec41bf94fca91627e..7603151313b588dd35ca4e8723ca80ed0eacdaa5 100644 --- a/docs/Affinity.md +++ b/docs/Affinity.md @@ -1,8 +1,8 @@ # Node Affinity & Anti-Affinity with Anchore -Affinity is exposed through values options for Anchore. If you want to schedule your pods to deploy on specific nodes you can do that through the `nodeSelector` value and as needed the `affinity` value. Additional info is provided below as well to help in configuring this. +Affinity is exposed through values options for Anchore. If you want to schedule your pods to deploy on specific nodes you can do that through the `nodeSelector` value and as needed the `affinity` value. Additional info is provided below as well to help in configuring this. -It is good to have a basic knowledge of node affinity and available options to you before customizing in this way - the upstream kubernetes documentation [has a good walkthrough of this](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity). +It is good to have a basic knowledge of node affinity and available options to you before customizing in this way - the upstream kubernetes documentation [has a good walk-through of this](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity). ## Values for NodeSelector @@ -84,4 +84,4 @@ anchoreEnterpriseUi: anchoreEnterpriseEngineUpgradeJob: nodeSelector: {} affinity: {} -``` \ No newline at end of file +``` diff --git a/docs/BBCHANGES.md b/docs/BBCHANGES.md index 71e342b49bdcc02e19cff9c91d082589740d9f2e..7f2c004936fd54d0a3dabdece4f47f209be460c2 100644 --- a/docs/BBCHANGES.md +++ b/docs/BBCHANGES.md 
@@ -1,7 +1,7 @@ # Changes needed for Big Bang and Ironbank Images Due to how Big Bang is making use of Anchore (from within Umbrella) there were values and chart changes that needed to be made. -Additionally, the Ironbank images function in slightly different ways than upstream Dockerhub images, so additional +Additionally, the Ironbank images function in slightly different ways than upstream Dockerhub images, so additional modifications were made to support their use. This provides a log of these changes to make updates from upstream faster. @@ -141,6 +141,7 @@ anchoreEnterpriseRbac: ## Other Modifications To support the BigBang wrapper to simplify SSO setup the following global saml option needs to bet set: + ```yaml anchoreGlobal: saml: @@ -148,6 +149,7 @@ anchoreGlobal: ``` The following block needs to be added to the end of the _helpers.tpl file: + ```yaml {{/* Expand the name of the chart. @@ -176,6 +178,7 @@ tls.key: {{ $cert.Key | b64enc }} ``` In `chart/templates/engine_configmap.yaml`, modify the metrics lines as such: + ```yaml metrics: enabled: {{ .Values.monitoring.enabled }} @@ -183,6 +186,7 @@ In `chart/templates/engine_configmap.yaml`, modify the metrics lines as such: ``` Do the same in `chart/templates/enterprise_configmap.yaml`: + ```yaml metrics: enabled: {{ .Values.monitoring.enabled }} @@ -190,6 +194,7 @@ Do the same in `chart/templates/enterprise_configmap.yaml`: ``` In `chart/templates/enterprise_feeds_configmap.yaml` also modify the metrics lines: + ```yaml metrics: enabled: {{ .Values.monitoring.enabled }} diff --git a/docs/CHART.md b/docs/CHART.md index 798e2dc9e568d29f6b1670123a54035a93a072ec..9b7f267ceb4c6ca4e49c83f36f2a1af8796346fb 100644 --- a/docs/CHART.md +++ b/docs/CHART.md 
@@ -8,16 +8,16 @@ Each of these services can be scaled and configured independently. See [Anchore Engine](https://github.com/anchore/anchore-engine) for more project details. -NOTE: Big Bang's implementation is designed to be enabled and consumed from within a customer implementation of the Big Bang release. It is fully functional as a standalone Helm install, but Big Bang will enable best integration for Big Bang "extras" and ease of use. +NOTE: Big Bang's implementation is designed to be enabled and consumed from within a customer implementation of the Big Bang release. It is fully functional as a standalone Helm install, but Big Bang will enable best integration for Big Bang "extras" and ease of use. ## Chart Details The chart is split into global and service specific configurations for the OSS Anchore Engine, as well as global and services specific configurations for the Enterprise components. Additionally included are Big Bang specific configs. - * The top section provides customizable Big Bang values for SSO, Istio, and automating the license secret creation for enterprise. - * The `anchoreGlobal` section is for configuration values required by all Anchore Engine components. - * The `anchoreEnterpriseGlobal` section is for configuration values required by all Anchore Engine Enterprise components. - * Service specific configuration values allow customization for each individual service. +* The top section provides customizable Big Bang values for SSO, Istio, and automating the license secret creation for enterprise. +* The `anchoreGlobal` section is for configuration values required by all Anchore Engine components. +* The `anchoreEnterpriseGlobal` section is for configuration values required by all Anchore Engine Enterprise components. +* Service specific configuration values allow customization for each individual service. 
For a description of each component, view the official documentation at: [Anchore Enterprise Service Overview](https://docs.anchore.com/current/docs/overview/architecture/) @@ -59,15 +59,15 @@ stringData: The following features are available to Anchore Enterprise customers. Please contact the Anchore team for more information about getting a license for the enterprise features. [Anchore Enterprise Demo](https://anchore.com/demo/) - * Role based access control - * LDAP integration - * Graphical user interface - * Customizable UI dashboards - * On-premises feeds service - * Proprietary vulnerability data feed (vulnDB, MSRC) - * Anchore reporting API - * Notifications - Slack, GitHub, Jira, etc - * Microsoft image vulnerability scanning +* Role based access control +* LDAP integration +* Graphical user interface +* Customizable UI dashboards +* On-premises feeds service +* Proprietary vulnerability data feed (vulnDB, MSRC) +* Anchore reporting API +* Notifications - Slack, GitHub, Jira, etc +* Microsoft image vulnerability scanning ### Enabling Enterprise Services @@ -179,6 +179,7 @@ stringData: ### Configuring Istio Istio can be configured to utilize your desired gateway(s) and host(s). To configure istio, pass the following options to the Anchore values: + ```yaml stringData: values.yaml: |- diff --git a/docs/KEYCLOAK.md b/docs/KEYCLOAK.md index 5b1b3862840c245873b27b812a76f17f75e013ac..ac7458acc081d6dac89c9038535f6a4f8f8ccd35 100644 --- a/docs/KEYCLOAK.md +++ b/docs/KEYCLOAK.md @@ -6,7 +6,7 @@ This document summarizes helm values and manual steps that are required to integ ## Configuration Steps -These are the items you need to do to configure Keycloak and Anchore for SSO in your Big Bang installation. +These are the items you need to do to configure Keycloak and Anchore for SSO in your Big Bang installation. ### Keycloak Configuration 
diff --git a/docs/README.md b/docs/README.md index 9e2770418bd14752db94081aa712a5e15ff32954..e5e4afbeab395f47fec80d591f48bca8aeb6e7a7 100644 --- a/docs/README.md +++ b/docs/README.md @@ -10,7 +10,7 @@ This repo contains Big Bang's implementation of Anchore. This includes the upstr - [Chart](./CHART.md) - [Affinity](./Affinity.md) -# Structure +## Structure This repo contains 3 main sections. The main chart is provided under the `chart` folder. Documentation is provided under the `docs` folder. Test and CI files are under the `tests` folder. diff --git a/docs/metrics.md b/docs/metrics.md index 082b8c0b92c6733a20b44bd1bc9b26087c54be77..6dc0c9ab27d30b337ccf983c8039fdf4d35ae29f 100644 --- a/docs/metrics.md +++ b/docs/metrics.md 
@@ -3,99 +3,126 @@ ## Anchore metrics anchore_db_read_seconds_count + * Duration of the read processes conducted by anchore. anchore_db_read_seconds_created + * Duration of the construction processes for read. anchore_db_read_seconds_sum + * The sum of the duration of all read processes. anchore_db_readwrite_seconds_count + * Duration of the readwrite processes conducted by anchore. anchore_db_readwrite_seconds_created + * Duration of the construction processes for readwrite. anchore-db_readwrite_seconds_sum + * The sum of the durations of all readwrite processes. anchore_db_write_seconds_count + * Duration of the write processes conducted by anchore. anchore_db_write_seconds_created + * Duration of the construction processes for write. anchore_db_write_seconds_sum -* The sum of the duration of all write processes. + +* The sum of the duration of all write processes. anchore_monitor_runtime_seconds_count + * Duration of the runtime monitor processes conducted by anchore. anchore_monitor_runtime_seconds_created + * Duration of the construction processes for runtime monitor. anchore_monitor_runtime_seconds_sum + * The sum of the duration of all monitor process. anchore_queue_length + * Number of images pending analysis. anchore_service_info + * Returns info and status on the 4 services of Anchore. anchore_tmpspace_available_bytes + * Available space in the "tmp_dir" location of each container. process_resident_memory_bytes + * Memory consumed by the instance ### API service prometheus_api_remote_read_queries + * Returns number of queries coming from the remote stream. ### Engine prometheus_engine_queries + * The number of concurrent queries that the engine is reading. prometheus_engine_queries_concurrent_max + * The number of maximum concurrent queries that the engine can read. prometheus_engine_query_duration_seconds_count + * Duration of the query processes conducted by prometheus. 
prometheus_engine_query_duration_seconds + * Duration of each process - * Differs from prometheus_engine_query_duration_seconds_count as the duration for every process is listed seperatly + * Differs from prometheus_engine_query_duration_seconds_count as the duration for every process is listed seperatly prometheus_engine_query_duration_seconds_sum + * The sum of the duration of all engine query processes. -## Prometheus metric queries +## Prometheus metric queries promhttp_metric_handler_requests_in_flight + * The number of metric requests that are currently being processed. promhttp_metric_handler_requests_total -* The total number of requests made. + +* The total number of requests made. ### Troubleshooting If you encounter an error running a query, see the list below for guidance on resolving errors. -Error executing query: invalid parameter 'query': -* This results whenever a syntax error is thown when a query is parsed. - * Make sure that you have no spaces in your query. - * Make sure certain characters (e.g <>/;) are not inteferring your query. +Error executing query: invalid parameter 'query': + +* This results whenever a syntax error is thrown when a query is parsed. + * Make sure that you have no spaces in your query. + * Make sure certain characters (e.g <>/;) are not interfering your query. parse error: unknown function + * This error occurs when the query database parses a function that is not in the database - * Make sure the function that you are running is part of the database + * Make sure the function that you are running is part of the database No data + * This results when the query is not in the list of available queries - * Make sure your query is among ones that are listed. - * Make sure that that your expression is spelled correctly. - * Make sure the app is integrated correctly \ No newline at end of file + * Make sure your query is among ones that are listed. + * Make sure that that your expression is spelled correctly. 
+ * Make sure the app is integrated correctly diff --git a/docs/overview.md b/docs/overview.md index 88e0f0a4773a324d446734181f010370ffaf8922..d3489a178a2a625789db288175a2164632334a82 100644 --- a/docs/overview.md +++ b/docs/overview.md 
@@ -1,44 +1,43 @@ # Anchore Enterprise Anchore Enterprise provides container inspection and compliance solutions. It protects against internal and external threats, enforces -security best practices, and speed up DevSecOps workflows. Anchore Enterprise integrates seamlessly to enforce defined polices. - +security best practices, and speed up DevSecOps workflows. Anchore Enterprise integrates seamlessly to enforce defined polices. Anchore Enterprises can be installed using the [Helm Chart](https://github.com/anchore/anchore-charts/tree/master/stable/anchore-engine), integrated into container based CI/CD pipeline with a [Jenkins Plugin](https://plugins.jenkins.io/anchore-container-scanner/), and used with the GitLab CI pipelines with the [GitLab integration guide](https://docs.anchore.com/current/docs/using/integration/ci_cd/gitlab/). -### Anchore Software Components +## Anchore Software Components - On-premises Anchore Enterprise - - Web UI - - API - - Notifications - - RBAC - - Reporting - - Worker - - Queue - - Catalog - - CLI - + - Web UI + - API + - Notifications + - RBAC + - Reporting + - Worker + - Queue + - Catalog + - CLI + - On-premises Feed Service - - Enterprise UI - - Anchore CLI - - Jenkins Plugin - - CI Integration - - Enterprise RBAC - - Anchore Engine - -### Quickstart + - Enterprise UI + - Anchore CLI + - Jenkins Plugin + - CI Integration + - Enterprise RBAC + - Anchore Engine + +## Quick Start - [Docker Compose File](https://docs.anchore.com/current/docs/quickstart/docker-compose.yaml) - [Prometheus Configuration for Monitoring](https://docs.anchore.com/current/docs/quickstart/anchore-prometheus.yml) - - [Enabling Prometheuse](https://docs.anchore.com/current/docs/quickstart/#optional-enabling-prometheus-monitoring) + - [Enabling Prometheus](https://docs.anchore.com/current/docs/quickstart/#optional-enabling-prometheus-monitoring) - [Swagger UI Nginx Proxy](https://docs.anchore.com/current/docs/quickstart/anchore-swaggerui-nginx.conf) - [Enabling 
Swagger](https://docs.anchore.com/current/docs/quickstart/#optional-enabling-swagger-ui) -### More Topics +## More Topics - [Security](https://repo1.dso.mil/platform-one/big-bang/apps/security-tools/anchore-enterprise/-/blob/documentation-standard/docs/security.md) - [Troubleshooting](https://repo1.dso.mil/platform-one/big-bang/apps/security-tools/anchore-enterprise/-/blob/documentation-standard/docs/troubleshooting.md) -Find more information on Anchore Enterprise [here](https://docs.anchore.com/current/docs/overview/). \ No newline at end of file +Find more information on Anchore Enterprise [here](https://docs.anchore.com/current/docs/overview/). diff --git a/docs/security.md b/docs/security.md index 0973d099a33e6753ec0a84b907e8eb378df65604..bfe88eb49ecc0f65eceb890e0c3bef0325c8bdb5 100644 --- a/docs/security.md +++ b/docs/security.md @@ -1,18 +1,17 @@ -# Security +# Security Anchore Enterprise supports user login to the User Interface through identities from external identity providers that support Security Assertion Markup Language (SAML). Anchore does not store any user credentials. However, usernames and anchore permissions are stored. The identity provider validates the user's access while an external provider validates the username and all first time user login information. The Anchore Enterprise deployment must be configured to utilize the SAML SSO. - - It is required to Enable Oauth to ensure that Anchore can issue bearer tokens for subsequent API usage by the UI to the system APIs. -- Hashed passwords are recommended. +- Hashed passwords are recommended. - From the user's browser, reach the Identity Provider's login URL. -- Access the metadata XML endpoint in the Identity Provider. +- Access the metadata XML endpoint in the Identity Provider. Configuration of SAML SSO is done using API/UI operations but requires configuration both in the user's Identity Provider and within Anchore. 
@@ -21,6 +20,6 @@ The Identity Provider must: - Support HTTP Redirect binding - Support signed assertions and signed documents - Allow unsigned client requests from Anchore -- Allow unencrypted requests and responses +- Allow unencrypted requests and responses -Click the [link](https://docs.anchore.com/current/docs/overview/sso/) for more Anchore security information. \ No newline at end of file +Click the [link](https://docs.anchore.com/current/docs/overview/sso/) for more Anchore security information. diff --git a/docs/troubleshooting.md b/docs/troubleshooting.md index b0c779d3e043b0493eeece1345d2f3ce5672eacb..cd6c0559a7ce7bf7c7e4cf5d030e42a63f53f718 100644 --- a/docs/troubleshooting.md +++ b/docs/troubleshooting.md @@ -7,8 +7,4 @@ In this troubleshooting guide, we'll walk through several best-practice techniqu - Explore the event logs - Remove Repositories or Images - For more Anchore Enterprise troubleshooting information click [here](https://docs.anchore.com/current/docs/troubleshooting/). - - -
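Review bot: In docs/BBCHANGES.md, hunk `@@ -141,6 +141,7 @@`, the sentence above the newly inserted blank line still reads "needs to bet set". This patch corrects spelling in other files, so fix this one in the same pass: "the following global saml option needs to be set".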
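Review bot: In docs/BBCHANGES.md, hunk `@@ -148,6 +149,7 @@`, the block to be appended to _helpers.tpl is fenced as `yaml` although it opens with a Go template comment (`{{/*`), and the file name is not in backticks while `chart/templates/engine_configmap.yaml` a few lines later is. Suggest writing `_helpers.tpl` in backticks and either dropping the language tag or using one that matches the template syntax, so a linter or highlighter does not treat the block as YAML.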
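Review bot: In docs/metrics.md, hunk `@@ -3,99 +3,126 @@`, the metric name `anchore-db_readwrite_seconds_sum` keeps its hyphen while every other entry uses the `anchore_db_` prefix. A reader who copies it into a query will not match the series, which is exactly the situation the Troubleshooting list at the end of the file tries to prevent, so it should read `anchore_db_readwrite_seconds_sum`. The same hunk fixes "thown" and "inteferring" but re-adds "seperatly", leaves "that that your expression", and "interfering your query" is missing "with". While these lines are being touched, the `_count` and `_created` entries are worth revisiting too: they are described as durations, whereas by Prometheus convention `_count` is the number of observations and `_created` is the creation timestamp of the series.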
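Review bot: In docs/overview.md, under "More Topics", the Security and Troubleshooting links point at `/-/blob/documentation-standard/docs/...`, a branch-specific URL that stops resolving if that branch is deleted after merge. Use relative links (`./security.md`, `./troubleshooting.md`), as docs/README.md already does for `./CHART.md`. The re-added opening paragraph also still carries "speed up" (should agree with "protects" and "enforces") and "polices", and the next paragraph begins "Anchore Enterprises can be installed".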
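Review bot: In docs/security.md, hunk `@@ -1,18 +1,17 @@`, the bullet "Hashed passwords are recommended" does not say which setting enables hashing or what the default is, so a reader cannot act on it. The list it sits in also mixes requirements ("It is required to Enable Oauth") with procedure steps ("From the user's browser, reach the Identity Provider's login URL"). Suggest naming the chart value behind each requirement, moving the two procedure steps into their own numbered list, and spelling "OAuth" consistently. The sentence "The identity provider validates the user's access while an external provider validates the username" should also say which system each of the two providers is.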
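Review bot: In docs/security.md, hunk `@@ -21,6 +20,6 @@`, the requirements "Allow unsigned client requests from Anchore" and "Allow unencrypted requests and responses" are listed without stating what protects the exchange instead. Since the same list requires signed assertions and signed documents, add a sentence saying that the login relies on the Identity Provider's signature for integrity, and that the Anchore and Identity Provider endpoints should be served over TLS because the SAML messages themselves are not encrypted. The closing "Click the [link]" would also read better with descriptive link text.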