@garethr
Created December 7, 2019 11:21
using Snyk with a remote Docker daemon running in Kubernetes

Start a Docker engine running on Kubernetes using the provided deployment file. Note that this is intended to demonstrate what's possible and hardcodes a few values. The engine is also set to run without TLS, which in production you would want to configure.

kubectl apply -f docker-deployment.yaml

This should give you a running Docker engine and service.

$ kubectl get all
NAME                         READY   STATUS    RESTARTS   AGE
pod/docker-859885c8f-vpxds   1/1     Running   0          3m38s

NAME                 TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)          AGE
service/docker       NodePort    10.110.118.119   <none>        2375:31159/TCP   3m38s
service/kubernetes   ClusterIP   10.96.0.1        <none>        443/TCP          2d17h

NAME                     READY   UP-TO-DATE   AVAILABLE   AGE
deployment.apps/docker   1/1     1            1           3m38s

NAME                               DESIRED   CURRENT   READY   AGE
replicaset.apps/docker-859885c8f   1         1         1       3m38

Let's demonstrate using that from a local client. Note that the port is hardcoded in the Service configuration in this case, but wouldn't be needed for internal cluster access. In fact, you should avoid exposing it externally at all.

$ export DOCKER_HOST=tcp://0.0.0.0:31159
$ docker ps
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAME

This should allow you to test a container image with Snyk via the remote engine. First you need to pull the image:

$ docker pull alpine
Using default tag: latest
latest: Pulling from library/alpine
89d9c30c1d48: Pull complete
Digest: sha256:c19173c5ada610a5989151111163d28a67368362762534d8a8121ce95cf2bd5a
Status: Downloaded newer image for alpine:latest
docker.io/library/alpine:latest

Then run Snyk as usual:

$ snyk test --docker alpine

Testing alpine...

Organization:      garethr
Package manager:   apk
Docker image:      alpine
Licenses:          enabled

✓ Tested 14 dependencies for known issues, no vulnerable paths found.

You can also use a Docker client inside the cluster. Here's an interactive example, but this should work from any pod.

$ kubectl run client --attach -it --env "DOCKER_HOST=tcp://docker:2375" --image=docker:latest

If you don't see a command prompt, try pressing enter.

/ # docker version
Client: Docker Engine - Community
 Version:           19.03.5
 API version:       1.40
 Go version:        go1.12.12
 Git commit:        633a0ea838
 Built:             Wed Nov 13 07:22:05 2019
 OS/Arch:           linux/amd64
 Experimental:      false

Server: Docker Engine - Community
 Engine:
  Version:          19.03.5
  API version:      1.40 (minimum version 1.12)
  Go version:       go1.12.12
  Git commit:       633a0ea838
  Built:            Wed Nov 13 07:28:45 2019
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          v1.2.10
  GitCommit:        b34a5c8af56e510852c35414db4c1f4fa6172339
 runc:
  Version:          1.0.0-rc8+dev
  GitCommit:        3e425f80a8c931f88e6d94a8c831b9d5aa481657
 docker-init:
  Version:          0.18.0
  GitCommit:        fec3683
docker-deployment.yaml:

apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  labels:
    app.kubernetes.io/name: docker
  name: docker
spec:
  replicas: 1
  strategy: {}
  template:
    metadata:
      labels:
        app.kubernetes.io/name: docker
    spec:
      containers:
      - env:
        - name: DOCKER_HOST
          value: tcp://0.0.0.0:2375
        - name: DOCKER_TLS_CERTDIR
          value: "-1"   # runs the demo engine without TLS (see note above)
        image: docker:dind
        name: docker
        ports:
        - containerPort: 2375
        securityContext:
          privileged: true   # required by docker:dind
      restartPolicy: Always
---
apiVersion: v1
kind: Service
metadata:
  labels:
    app.kubernetes.io/name: docker
  name: docker
spec:
  ports:
  - nodePort: 31159   # hardcoded for the demo; not needed for in-cluster access
    port: 2375
    protocol: TCP
    targetPort: 2375
  type: NodePort
  selector:
    app.kubernetes.io/name: docker
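The manifest above deliberately carries the settings the text warns about: a privileged dind container, the API served in plaintext on tcp://0.0.0.0:2375, TLS switched off, and a NodePort publishing that port outside the cluster. As an added example (not part of the gist), here is a small Python check that flags exactly those settings in the JSON that `kubectl get deploy,svc -o json` returns; the dump is constructed inline so it runs offline, and `audit`, `audit_deployment` and `audit_service` are names of my own.

```python
import json

PLAINTEXT_DOCKER_PORT = 2375  # 2376 is the TLS port of the Docker API

# Constructed sample: what `kubectl get deploy,svc -o json` returns for the
# manifest above, reduced to the fields the checks look at.
SAMPLE_DUMP = json.loads("""{"items": [
 {"kind": "Deployment", "metadata": {"name": "docker"},
  "spec": {"template": {"spec": {"containers": [{"name": "docker", "image": "docker:dind",
   "env": [{"name": "DOCKER_HOST", "value": "tcp://0.0.0.0:2375"},
           {"name": "DOCKER_TLS_CERTDIR", "value": "-1"}],
   "ports": [{"containerPort": 2375}], "securityContext": {"privileged": true}}]}}}},
 {"kind": "Service", "metadata": {"name": "docker"},
  "spec": {"type": "NodePort", "ports": [{"nodePort": 31159, "port": 2375, "targetPort": 2375}]}}
]}""")

def audit_deployment(obj):
    """Findings for one Deployment: privileged dind, plaintext socket, TLS switched off."""
    findings, name = [], obj["metadata"]["name"]
    for c in obj["spec"]["template"]["spec"].get("containers", []):
        env = {e["name"]: e.get("value", "") for e in c.get("env", [])}
        if c.get("securityContext", {}).get("privileged"):
            findings.append(f"deployment/{name}: container '{c['name']}' is privileged")
        host = env.get("DOCKER_HOST", "")
        if host.startswith("tcp://") and host.endswith(f":{PLAINTEXT_DOCKER_PORT}"):
            findings.append(f"deployment/{name}: DOCKER_HOST={host} serves the API in plaintext")
        # Heuristic: an empty DOCKER_TLS_CERTDIR disables TLS in the dind image; any
        # other non-path value (such as the "-1" used here) is treated the same way.
        if "DOCKER_TLS_CERTDIR" in env and not env["DOCKER_TLS_CERTDIR"].startswith("/"):
            findings.append(f"deployment/{name}: DOCKER_TLS_CERTDIR='{env['DOCKER_TLS_CERTDIR']}' disables TLS")
    return findings

def audit_service(obj):
    """Findings for one Service that publishes the plaintext Docker port outside the cluster."""
    findings, name, spec = [], obj["metadata"]["name"], obj["spec"]
    for p in spec.get("ports", []):
        if PLAINTEXT_DOCKER_PORT in (p.get("port"), p.get("targetPort")) \
                and spec.get("type") in ("NodePort", "LoadBalancer"):
            findings.append(f"service/{name}: port {p['port']} reachable from outside "
                            f"via {spec['type']} (nodePort {p.get('nodePort')})")
    return findings

def audit(dump):
    """Run both checks over a kubectl JSON list (or a single object) and return all findings."""
    findings = []
    for obj in dump.get("items", [dump]):
        if obj.get("kind") == "Deployment":
            findings += audit_deployment(obj)
        elif obj.get("kind") == "Service":
            findings += audit_service(obj)
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_DUMP):
        print("FINDING:", finding)
```

Against the sample it reports four findings; a ClusterIP Service on port 2376 with TLS enabled produces none.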