Check my containers for security issues? Trivy can help


Userlevel 7
Badge +22

I posted a couple of weeks ago in the general section of the Hub about how I leveraged Keycloak to set up authentication for my Kasten backup setup. However, what if my Keycloak is not secure? First off, we would want to check whether there are any vulnerabilities in the containers. For that I will use Trivy.

The installation instructions can be found here: https://aquasecurity.github.io/trivy/v0.18.3/installation/

I am using Ubuntu, so I did the following:

sudo apt-get install wget apt-transport-https gnupg lsb-release
wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add -
echo deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main | sudo tee -a /etc/apt/sources.list.d/trivy.list
sudo apt-get update
sudo apt-get install trivy

Now I need to get the name of my container. I am using alias k=kubectl, so I only need to type k get, and I can type po instead of pods:

k get po

Next, what is the exact image and version:

k get po -oyaml |grep -w image

Let's plug this into Trivy and see what comes out, first for CRITICAL and then for HIGH vulnerabilities:

trivy image quay.io/keycloak/keycloak:14.0.0 |grep -w CRITICAL

OK, this could be a problem: there are 4 Critical vulnerabilities.

ober@kube1:~$ trivy image quay.io/keycloak/keycloak:14.0.0 |grep -w HIGH

3 High vulnerabilities as well.


You can also filter the output of the command directly:

trivy image --severity HIGH,CRITICAL image-name:tag


Let's head over to the Keycloak website and check what the current version is:

Might be time to upgrade.
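The steps above (list the pod images, scan each one, filter by severity, decide whether to upgrade) can be wired together so the scan result becomes a pass/fail decision rather than something read off a screen. The script below is an added example, not code from the original post or from the Trivy project. Because it has to run without a cluster or Trivy installed, it works on constructed, abridged stand-ins for the `kubectl get po -oyaml` and `trivy image` output (the CVE ids in it are placeholders, not real advisories); in a real environment you would replace the two sample strings with the live command output. The `--exit-code` and `--severity` flags mentioned in the comments are real Trivy options.

```shell
#!/bin/sh
# Added example (not from the original post): helpers around the kubectl + trivy
# workflow. All input below is constructed sample data so the script runs offline.

# Constructed stand-in for `kubectl get po -oyaml` (abridged, not real cluster data).
SAMPLE_PODS='items:
- spec:
    containers:
    - image: quay.io/keycloak/keycloak:14.0.0
      name: keycloak
  status:
    containerStatuses:
    - image: quay.io/keycloak/keycloak:14.0.0
      imageID: docker-pullable://quay.io/keycloak/keycloak@sha256:PLACEHOLDER
- spec:
    containers:
    - image: nginx
      name: web'

# Constructed stand-in for `trivy image <image>` table output (CVE ids are placeholders).
SAMPLE_TRIVY='quay.io/keycloak/keycloak:14.0.0 (redhat 8.4)
=============================================
Total: 8 (MEDIUM: 1, HIGH: 3, CRITICAL: 4)

+---------+-------------------+----------+-------------------+---------------+
| LIBRARY | VULNERABILITY ID  | SEVERITY | INSTALLED VERSION | FIXED VERSION |
+---------+-------------------+----------+-------------------+---------------+
| pkg-a   | CVE-PLACEHOLDER-1 | CRITICAL | 1.0               | 1.1           |
| pkg-a   | CVE-PLACEHOLDER-2 | CRITICAL | 1.0               | 1.1           |
| pkg-b   | CVE-PLACEHOLDER-3 | CRITICAL | 2.3               | 2.4           |
| pkg-c   | CVE-PLACEHOLDER-4 | CRITICAL | 0.9               |               |
| pkg-c   | CVE-PLACEHOLDER-5 | HIGH     | 0.9               | 1.0           |
| pkg-d   | CVE-PLACEHOLDER-6 | HIGH     | 3.1               | 3.2           |
| pkg-e   | CVE-PLACEHOLDER-7 | HIGH     | 5.0               |               |
| pkg-f   | CVE-PLACEHOLDER-8 | MEDIUM   | 1.2               | 1.3           |
+---------+-------------------+----------+-------------------+---------------+'

# Unique image references from pod YAML: the same `grep -w image` idea as in the
# post, deduplicated so each image is scanned once. `-w` also keeps `imageID`
# lines out of the result.
list_images() {
  printf '%s\n' "$1" | grep -w image | awk '{print $NF}' | sort -u
}

# Count table rows with the given severity. Only rows starting with '|' are
# considered and the SEVERITY column is compared exactly, so the "Total:"
# summary line cannot inflate the count the way a bare `grep -w CRITICAL`
# over the whole output would.
count_severity() {
  printf '%s\n' "$1" | grep '^|' | awk -F'|' -v sev="$2" '
    { gsub(/^[ \t]+|[ \t]+$/, "", $4); if ($4 == sev) n++ }
    END { print n + 0 }'
}

# Return 0 when the scan has no HIGH or CRITICAL findings, 1 otherwise. This is
# the decision `trivy image --severity HIGH,CRITICAL --exit-code 1 <image>`
# makes for you; having it as a function makes it usable as a pipeline gate.
gate() {
  crit=$(count_severity "$1" CRITICAL)
  high=$(count_severity "$1" HIGH)
  [ "$crit" -eq 0 ] && [ "$high" -eq 0 ]
}

# Stand-alone run over the constructed data.
main() {
  for img in $(list_images "$SAMPLE_PODS"); do
    printf 'image to scan: %s\n' "$img"
  done
  printf 'CRITICAL=%s HIGH=%s\n' \
    "$(count_severity "$SAMPLE_TRIVY" CRITICAL)" \
    "$(count_severity "$SAMPLE_TRIVY" HIGH)"
  if gate "$SAMPLE_TRIVY"; then
    echo "scan clean at HIGH/CRITICAL"
  else
    echo "HIGH/CRITICAL findings present: time to look at an upgrade"
  fi
}
main
```

Against the sample data this reports the same 4 Critical and 3 High the post found and exits the gate with failure, which is what you want from a check that runs before an image is allowed into the cluster.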


6 comments

Userlevel 7
Badge +10

This is great, Geoff - I’m going to try this later this week in my Kubernetes Klassroom (My own learning journey)!

Userlevel 7
Badge +22

This is great, Geoff - I’m going to try this later this week in my Kubernetes Klassroom (My own learning journey)!

I am studying intensely for the CKS so I have now started dreaming about this stuff :). Might be time for me to visit a psychotherapist.. Or kubers anonymous. “Hi my name is Geoff, I am a Kubeaholic!!”

Userlevel 7
Badge +22

By the way, you can do this for any image. Just scanning the default nginx will pull stuff up as well:

trivy image nginx

Userlevel 7
Badge +20

Excellent article.  Will add it to my list for when I start playing with Kubernetes. :smiley:

Userlevel 7
Badge +4

@Geoff Burke : Good one !

Userlevel 7
Badge +17

Very interesting.  Thank you 😎👍🏼
