
[QUESTION] Managing Vulnerabilities in third party apps

Open smartaquarius10 opened this issue 1 year ago • 6 comments

What is your question?

When creating EKS or AKS clusters, we often include various platform managing applications such as ArgoCD, secret operators, or ingress controllers like NGINX/Kong, which are usually installed via ready-made Helm charts.

While it's possible to integrate Copacetic into the CI/CD pipeline to scan and remove vulnerabilities for custom-built applications, we are seeking guidance on how to handle vulnerabilities in these pre-built images that come with readily available Helm charts.

Are there any recommended practices or workflows for incorporating vulnerability management into the deployment of these platform apps?

Any suggestions or insights on this would be appreciated.

smartaquarius10 avatar Sep 11 '24 13:09 smartaquarius10

@smartaquarius10 that's a great question!

Do you mean managed addons from cloud providers like AKS? Do you know if these addons are reconciled? If so, even if you patch them, they might be reconciled back to their original image.

For any non-reconciled deployments, https://github.com/ChristofferNissen/helmper integrates with copa to mirror helm charts while patching images. Would this help for your use case?

sozercan avatar Sep 11 '24 17:09 sozercan

@sozercan thanks for the quick reply. I am not referring to managed addons.

I am referring to the deployments which we generally spin up for better management of the platform, let's say Datadog, Argo CD, etc.

I need to check this Helmper, but currently we are deploying these third-party addons using Terraform.

  • Is it possible to use Helmper within Terraform?
  • Helmper expects Copacetic to be accessible at some address like tcp://0.0.0.0:8888. While using GitHub Actions (CI/CD), is it possible to host Copacetic on an address in the temporary environment? Isn't it a CLI?
  • We use Prisma scan. I've already written the custom adapter to pass to Copacetic, but does Helmper accept that?
  • Is Copacetic production/GA ready, or is it still in the beta phase? I can see that the major version is still 0.

smartaquarius10 avatar Sep 12 '24 04:09 smartaquarius10

@sozercan Hey, hope you are doing great. Just a gentle reminder. Could you please help me with the follow-up queries? Thanks.

smartaquarius10 avatar Sep 16 '24 05:09 smartaquarius10

@sozercan Any updates, please?

smartaquarius10 avatar Sep 19 '24 09:09 smartaquarius10

@sozercan Any updates, please?

smartaquarius10 avatar Sep 24 '24 07:09 smartaquarius10

@smartaquarius10 Copa will not be accessed at tcp://0.0.0.0:8888; that is the connection to BuildKit that is set up in Helmper. @ChristofferNissen may know better if Helmper can be used within Terraform and what specifically Helmper can accept. The scanner plug-in you have created would need to be passed in as a flag to Copa to patch with Prisma scan. We currently use Copa in our build pipelines internally to scan and patch container images.

ashnamehrotra avatar Sep 25 '24 20:09 ashnamehrotra
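The reply above describes the two pieces a pipeline needs: a BuildKit endpoint that Copa connects to, and a scanner plug-in selected with a flag so that a non-default scanner's report can drive the patch. The following is an added example (not code from the Copa, Helmper or Prisma projects) of what such a plug-in adapter looks like: it converts a scanner report into the update manifest Copa consumes, drops findings that have no fixed package version (Copa can only upgrade packages the distribution has fixed, so those findings remain open and should stay visible in the pipeline), and de-duplicates repeated findings. The input format, the image name, the package versions and the `CVE-0000-000N` identifiers are all constructed placeholders; the plug-in invocation convention (`copa-<scanner> <report-file>`, JSON on stdout) and the `v1alpha1` manifest fields are written from my reading of the Copa scanner-plug-in documentation and should be checked against the current docs before use.

```python
#!/usr/bin/env python3
"""Hypothetical Copa scanner plug-in adapter (example, not project code).

Assumed contract: when `copa patch --scanner myscanner -r report.json` runs,
Copa executes `copa-myscanner report.json` and reads a v1alpha1 update
manifest as JSON from stdout. Install this file as `copa-myscanner` on PATH.
"""
import json
import sys

# CONSTRUCTED sample in a made-up vendor format; not Prisma's real output.
SAMPLE_REPORT = {
    "image": "docker.io/example/platform-app:1.2.3",  # placeholder image
    "os": {"family": "ubuntu", "release": "22.04"},
    "arch": "amd64",
    "findings": [
        {"cve": "CVE-0000-0001", "package": "libssl3",
         "installed": "3.0.2-0ubuntu1.10", "fixed": "3.0.2-0ubuntu1.15"},
        # no fixed version published yet: cannot be patched by a package upgrade
        {"cve": "CVE-0000-0002", "package": "curl",
         "installed": "7.81.0-1ubuntu1.14", "fixed": ""},
        {"cve": "CVE-0000-0003", "package": "libssl3",
         "installed": "3.0.2-0ubuntu1.10", "fixed": "3.0.2-0ubuntu1.15"},
        # exact duplicate of the first finding (scanners often repeat these)
        {"cve": "CVE-0000-0001", "package": "libssl3",
         "installed": "3.0.2-0ubuntu1.10", "fixed": "3.0.2-0ubuntu1.15"},
    ],
}


def unfixed_findings(report: dict) -> list:
    """Package names whose findings carry no fixed version; these stay open."""
    return sorted({f["package"] for f in report.get("findings", [])
                   if not (f.get("fixed") or "").strip()})


def to_copa_manifest(report: dict) -> dict:
    """Map the vendor report onto Copa's v1alpha1 update manifest (assumed schema)."""
    updates = []
    seen = set()
    for f in report.get("findings", []):
        fixed = (f.get("fixed") or "").strip()
        if not fixed:
            continue  # nothing for Copa to install; reported separately
        key = (f["package"], fixed, f["cve"])
        if key in seen:
            continue  # drop duplicate findings
        seen.add(key)
        updates.append({
            "name": f["package"],
            "installedVersion": f["installed"],
            "fixedVersion": fixed,
            "vulnerabilityID": f["cve"],
        })
    return {
        "apiVersion": "v1alpha1",
        "metadata": {
            "os": {"type": report["os"]["family"],
                   "version": report["os"]["release"]},
            "config": {"arch": report["arch"]},
        },
        "updates": updates,
    }


def main(argv: list) -> int:
    # Copa passes the scanner's report path as the single argument.
    if len(argv) == 2:
        with open(argv[1], encoding="utf-8") as fh:
            report = json.load(fh)
    else:
        report = SAMPLE_REPORT  # run stand-alone to see the output shape
    # Keep unpatchable findings visible on stderr; stdout is reserved for Copa.
    for pkg in unfixed_findings(report):
        print(f"warning: no fixed version for {pkg}; left unpatched", file=sys.stderr)
    json.dump(to_copa_manifest(report), sys.stdout, indent=2)
    print()
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

In a CI job the pieces then fit together as: run the scanner and save its report, start a BuildKit instance the job can reach (this is what the tcp:// address in the thread refers to, not Copa itself), and call `copa patch -i <image> -r report.json --scanner myscanner -a <buildkit address> -t <patched tag>`; the flag names given here are the ones documented for Copa's CLI at the time of writing and should be confirmed against the version you run. Whatever tag comes out must then be pinned in the chart's values, otherwise a reconciling controller will roll the workload back to the upstream image, as the earlier reply warns.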

@ashnamehrotra Thank you for the update. But have you used copa for third-party open source apps, e.g. argo-cd, kong, nginx, etc.?

Do you consider it wise to use copa for patching them?

smartaquarius10 avatar Oct 08 '24 04:10 smartaquarius10

@ashnamehrotra The problem we are facing is with third-party apps. Custom apps are in our control; we can manage those. But third-party is the problem area.

smartaquarius10 avatar Oct 08 '24 04:10 smartaquarius10

@smartaquarius10 yes, if you are referring to patching the images before deployment for the open source apps like nginx, that would be possible.

ashnamehrotra avatar Oct 08 '24 15:10 ashnamehrotra

@ashnamehrotra Yes, but have you tried that with Helmper? Is it stable and worth trying? What's your experience after integrating it with copa?

smartaquarius10 avatar Oct 08 '24 15:10 smartaquarius10

@smartaquarius10 I have not tried it yet, it might be better to ask in the Helmper repo directly.

ashnamehrotra avatar Oct 08 '24 15:10 ashnamehrotra

@ashnamehrotra I reached out to Helmper, but did not get any response there. Anyways, thank you so much, you really helped a lot. I'll try these things with third-party apps. I hope it works smoothly. Will reach out in case of any issue. Thanks once again :) Closing the issue.

smartaquarius10 avatar Oct 09 '24 12:10 smartaquarius10