IK.AM

@making's tech note


Exclude Source Scanner from source-test-scan-to-url Supply Chain in Tanzu Application Platform

🗓 Updated at 2022-12-16T05:12:51Z  🗓 Created at 2022-12-16T04:31:11Z   🇯🇵 Original entry

⚠️ The content of this article is not supported by VMware. Any issues arising from it are your own responsibility; please do not contact VMware Support.

This note shows how to use a ytt overlay to exclude the Source Scanner from the source-test-scan-to-url Supply Chain when the Image Scanner is sufficient for vulnerability scanning and the Source Scanner is unnecessary.


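Create an overlay that removes the source-scanner resource and changes the source input of image-provider to source-tester.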

cat <<EOF > ootb-supply-chain-testing-scanning-remove-source-scanner.yaml
#@ load("@ytt:overlay", "overlay")
#@overlay/match by=overlay.subset({"metadata":{"name":"source-test-scan-to-url"}, "kind": "ClusterSupplyChain"})
---
spec:
  resources:
  #@overlay/match by="name"
  #@overlay/remove
  - name: source-scanner
  #@overlay/match by="name"
  - name: image-provider
    sources:
    #@overlay/match by="name"
    - name: source
      resource: source-tester
EOF

Register the overlay as a Secret. In a multi-cluster topology, do this on the Build Cluster.

kubectl -n tap-install create secret generic ootb-supply-chain-testing-scanning-remove-source-scanner \
  -o yaml \
  --dry-run=client \
  --from-file=ootb-supply-chain-testing-scanning-remove-source-scanner.yaml \
  | kubectl apply -f-

Add the name of the Secret created above to package_overlays in tap-values.yaml as follows.

package_overlays:
# ...
- name: ootb-supply-chain-testing-scanning
  secrets:
  - name: ootb-supply-chain-testing-scanning-remove-source-scanner 
  # ...

Update the PackageInstall.

tanzu package installed update -n tap-install tap -f tap-values.yaml

[Image: before]

[Image: after]
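
A post-update check for the procedure above, as an added example that is not from the original article: it reads the ClusterSupplyChain as JSON and confirms that source-scanner is gone, image-provider takes its source from source-tester, the image scanner is still in the chain, and no input points at a removed resource. The resource name image-scanner, the script name check.py and the reduced sample chain are assumptions constructed for illustration.

```python
import json
import sys

INPUT_KEYS = ("sources", "images", "configs")  # input kinds a resource can declare


def check_supply_chain(chain, removed="source-scanner", required=("image-scanner",),
                       rewired=("image-provider", "source", "source-tester")):
    """Return a list of problems found in a ClusterSupplyChain dict (empty = OK)."""
    resources = {r["name"]: r for r in chain["spec"]["resources"]}
    problems = []
    if removed in resources:
        problems.append(f"{removed} is still present")
    for name in required:  # assumption: the image scanning step is named image-scanner
        if name not in resources:
            problems.append(f"{name} is missing, images would go unscanned")
    # Every declared input must point at a resource that still exists in the chain.
    for res in resources.values():
        for kind in INPUT_KEYS:
            for ref in res.get(kind, []):
                if ref["resource"] not in resources:
                    problems.append(f"{res['name']}.{kind}[{ref['name']}] -> missing {ref['resource']}")
    consumer, input_name, producer = rewired
    srcs = resources.get(consumer, {}).get("sources", [])
    actual = [s["resource"] for s in srcs if s["name"] == input_name]
    if actual != [producer]:
        problems.append(f"{consumer} input {input_name} comes from {actual}, want {producer}")
    return problems


def sample_chain(patched):
    """Constructed, reduced sample; a real chain carries more resources and fields."""
    upstream = "source-tester" if patched else "source-scanner"
    resources = [
        {"name": "source-provider"},
        {"name": "source-tester", "sources": [{"name": "source", "resource": "source-provider"}]},
        {"name": "image-provider", "sources": [{"name": "source", "resource": upstream}]},
        {"name": "image-scanner", "images": [{"name": "image", "resource": "image-provider"}]},
    ]
    if not patched:
        resources.insert(2, {"name": "source-scanner",
                             "sources": [{"name": "source", "resource": "source-tester"}]})
    return {"kind": "ClusterSupplyChain", "metadata": {"name": "source-test-scan-to-url"},
            "spec": {"resources": resources}}


if __name__ == "__main__":
    # kubectl get clustersupplychain source-test-scan-to-url -o json | python3 check.py
    found = check_supply_chain(json.load(sys.stdin))
    sys.exit("\n".join(found) or None)  # prints the problems and exits non-zero if any
```

The dangling-input check is what catches an overlay that removes source-scanner without also repointing image-provider.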

