IK.AM



Exclude Source Scanner from source-test-scan-to-url Supply Chain in Tanzu Application Platform

Created on Fri Dec 16 2022 • Last Updated on Fri Dec 16 2022

🏷️ Kubernetes | Cartographer | Grype | Tanzu | TAP | ytt

This post shows how to exclude the Source Scanner from the source-test-scan-to-url Supply Chain with a ytt overlay, for cases where the Image Scanner is sufficient for vulnerability scanning and the Source Scanner is unnecessary.


Create an overlay

cat <<EOF > ootb-supply-chain-testing-scanning-remove-source-scanner.yaml
#@ load("@ytt:overlay", "overlay")
#@overlay/match by=overlay.subset({"metadata":{"name":"source-test-scan-to-url"}, "kind": "ClusterSupplyChain"})
---
spec:
  resources:
  #@overlay/match by="name"
  #@overlay/remove
  - name: source-scanner
  #@overlay/match by="name"
  - name: image-provider
    sources:
    #@overlay/match by="name"
    - name: source
      resource: source-tester
EOF

Register the overlay as a Secret.
In a multi-cluster topology, do this on the Build Cluster.

kubectl -n tap-install create secret generic ootb-supply-chain-testing-scanning-remove-source-scanner \
  -o yaml \
  --dry-run=client \
  --from-file=ootb-supply-chain-testing-scanning-remove-source-scanner.yaml \
  | kubectl apply -f-

Add the name of the Secret created above to package_overlays in tap-values.yaml as follows.

package_overlays:
# ...
- name: ootb-supply-chain-testing-scanning
  secrets:
  - name: ootb-supply-chain-testing-scanning-remove-source-scanner 
  # ...

Update the PackageInstall.

tanzu package installed update -n tap-install tap -f tap-values.yaml

Before: [image]

After: [image]
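To confirm the result after the update, a check like the following can be run over the output of `kubectl get clustersupplychain source-test-scan-to-url -o json`; it also shows why the overlay has to repoint image-provider at source-tester rather than only removing source-scanner. This is an added example, not part of the original post: the embedded JSON is a constructed, trimmed sample and the function names are hypothetical.

```python
import json

# Constructed, trimmed sample of `kubectl get clustersupplychain
# source-test-scan-to-url -o json`; only the fields the check reads are kept.
SAMPLE = json.loads("""
{"kind": "ClusterSupplyChain", "metadata": {"name": "source-test-scan-to-url"},
 "spec": {"resources": [
   {"name": "source-provider"},
   {"name": "source-tester", "sources": [{"name": "source", "resource": "source-provider"}]},
   {"name": "source-scanner", "sources": [{"name": "source", "resource": "source-tester"}]},
   {"name": "image-provider", "sources": [{"name": "source", "resource": "source-scanner"}]},
   {"name": "image-scanner", "images": [{"name": "image", "resource": "image-provider"}]}
 ]}}
""")

INPUT_KINDS = ("sources", "images", "configs")


def find_problems(chain, removed="source-scanner"):
    """Return a list of problems; an empty list means the chain is consistent."""
    resources = chain["spec"]["resources"]
    names = {r["name"] for r in resources}
    problems = [f"{removed} is still present"] if removed in names else []
    for res in resources:
        for kind in INPUT_KINDS:
            for ref in res.get(kind, []):
                if ref["resource"] not in names:  # input points at a removed step
                    problems.append(f"{res['name']}.{kind} -> missing {ref['resource']}")
    return problems


def remove_resource(chain, name, rewire=None):
    """Mimic the overlay on a copy: drop `name`, optionally repoint its consumers."""
    out = json.loads(json.dumps(chain))  # deep copy, SAMPLE stays untouched
    res = [r for r in out["spec"]["resources"] if r["name"] != name]
    for r in res:
        for kind in INPUT_KINDS:
            for ref in r.get(kind, []):
                if rewire and ref["resource"] == name:
                    ref["resource"] = rewire
    out["spec"]["resources"] = res
    return out


if __name__ == "__main__":
    print("before overlay:", find_problems(SAMPLE))
    print("remove only:   ", find_problems(remove_resource(SAMPLE, "source-scanner")))
    print("remove + rewire:", find_problems(remove_resource(SAMPLE, "source-scanner", "source-tester")))
```

For a live cluster, replace `SAMPLE` with `json.load(sys.stdin)` and pipe the kubectl output into the script.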
