Deploy on Kubernetes using Helm
The supported method for deploying Anchore Enterprise on Kubernetes is with Helm. The Anchore Enterprise Helm Chart includes configuration options for a full Enterprise deployment.
Note
Always consult the chart README and release notes prior to deployment or upgrade as this contains the most current information on deployment configuration.About the Helm Chart
Important Release Notes can be found in the README in the chart repository
The chart is split into global and service specific configurations for the core features, as well as global and services specific configurations for the optional Enterprise services.
- The
anchoreConfig
section of the values file contains the application configuration for Anchore Enterprise. This includes the database connection information, credentials, and other application settings. - Anchore services run as a kubernetes deployment when installed with the Helm chart. Each service has its own section in the values file for making customizations and configuring the kubernetes deployment spec.
For a description of each service component see Anchore Enterprise Service Overview
Note If you are moving from the Anchore Engine Helm chart deployment to the updated Anchore Enterprise Helm chart, see here for further guidance.
Prerequisites
See the README in the chart repository for prerequisites before starting the deployment.
Installing the Chart
This guide covers deploying Anchore Enterprise on a Kubernetes cluster with the default configuration. Refer to the Configuration section of the chart README for additional guidance on production deployments.
Create the namespace: The steps to follow will require the namespace to have been created already.
export NAMESPACE=anchore
kubectl create namespace ${NAMESPACE}
Create a Kubernetes Secret for License File: Generate a Kubernetes secret to store your Anchore Enterprise license file.
export NAMESPACE=anchore
export LICENSE_PATH="license.yaml"
kubectl create secret generic anchore-enterprise-license --from-file=license.yaml=${LICENSE_PATH} -n ${NAMESPACE}
Create a Kubernetes Secret for DockerHub Credentials: Generate another Kubernetes secret for DockerHub credentials. These credentials should have access to private Anchore Enterprise repositories. We recommend that you create a brand new DockerHub user for these pull credentials. Contact Anchore Support to obtain access.
export NAMESPACE=anchore
export DOCKERHUB_PASSWORD="password"
export DOCKERHUB_USER="username"
export DOCKERHUB_EMAIL="[email protected]"
kubectl create secret docker-registry anchore-enterprise-pullcreds --docker-server=docker.io --docker-username=${DOCKERHUB_USER} --docker-password=${DOCKERHUB_PASSWORD} --docker-email=${DOCKERHUB_EMAIL} -n ${NAMESPACE}
Add Chart Repository & Deploy Anchore Enterprise: Create a custom values file, named anchore_values.yaml
, to override any chart parameters. Refer to the Parameters section for available options.
Important: Default passwords are specified in the chart. It’s highly recommended to modify these before deploying.
Note: The RELEASE variable should not contain any dots.
export NAMESPACE=anchore
export RELEASE=my-release
helm repo add anchore https://charts.anchore.io
helm install ${RELEASE} -n ${NAMESPACE} anchore/enterprise -f anchore_values.yaml
Note: This command installs Anchore Enterprise with a chart-managed PostgreSQL database, which may not be suitable for production use. See the External Database section of the chart README for details on using an external database.
Post-Installation Steps: Anchore Enterprise will take some time to initialize. After the bootstrap phase, it will begin a vulnerability feed sync. Image analysis will show zero vulnerabilities, and the UI will show errors until this sync is complete. This can take several hours based on the enabled feeds. Use the following anchorectl commands to check the system status:
export NAMESPACE=anchore
export RELEASE=my-release
export ANCHORECTL_URL=http://localhost:8228
export ANCHORECTL_PASSWORD=$(kubectl get secret "${RELEASE}-enterprise" -o jsonpath='{.data.ANCHORE_ADMIN_PASSWORD}' | base64 -d -)
kubectl port-forward -n ${NAMESPACE} svc/${RELEASE}-enterprise-api 8228:8228 # port forward for anchorectl in another terminal
anchorectl system status # anchorectl defaults to the user admin, and to the password ${ANCHORECTL_PASSWORD} automatically if set
Tip: List all releases using helm list
Next Steps
Now that you have Anchore Enterprise running, you can begin to learning more about Anchore Enterprise architecture, Anchore concepts, and Anchore usage.
- To learn more about Anchore Enterprise, go to Overview
- To learn more about Anchore Concepts, go to Concepts
1 - Deploying Anchore Enterprise on Azure Kubernetes Service (AKS)
This document will walk you through the deployment of Anchore Enterprise in an Azure Kubernetes Service (AKS) cluster and expose it on the public Internet.
Prerequisites
- A running AKS cluster with worker nodes launched. See AKS Documentation for more information on this setup.
- Helm client on local host.
- AnchoreCTL installed on a local host.
Once you have an AKS cluster up and running with worker nodes launched, you can verity via the following command.
$ kubectl get nodes
NAME STATUS ROLES AGE VERSION
aks-nodepool1-28659018-0 Ready agent 4m13s v1.13.10
aks-nodepool1-28659018-1 Ready agent 4m15s v1.13.10
aks-nodepool1-28659018-2 Ready agent 4m6s v1.13.10
Anchore Helm Chart
Anchore maintains a Helm chart to simplify the software deployment process. An Anchore Enterprise deployment of the chart will include the following:
- Anchore Enterprise software
- PostgreSQL (13 or higher)
- Redis (7 or higher)
To make the necessary configurations to the Helm chart, create a custom anchore_values.yaml
file and reference it during deployment. There are many options for configuration with Anchore, this document is intended to cover the minimum required changes to successfully deploy Anchore Enterprise in AKS.
Note: For this installation, an NGINX ingress controller will be used. You can read more about Kubernetes Ingress in AKS here.
Azure Flexible Postgres
For production deployments we generally favor cloud-provider managed databases over using the built-in chart. This ensures the database is isolated from workloads allowing it to use CPU & Memory without contention. We suggest selecting a storage option that allows for automatic size increase.
If you choose to use Azure Flexible Postgres ensure that you make the following changes for compatibility with Anchore:
- pgbouncer.enabled: false - It is very important that this setting be turned off!
- idle_in_transaction_session_timeout: 0
- max_connections should be at least 500. The default is based on the amount of instance memory. 16GB or larger instances will have high enough max_connections setting by default.
Refer to configuration settings in the chart for Amazon RDS: https://github.com/anchore/anchore-charts/tree/main/stable/enterprise#external-database-requirements (Configuring an external database in the chart is the essentially the same for RDS or Azure Flexible Postgres).
Configurations
For nginx Ingress make the following changes below to your anchore_values.yaml
Ingress
ingress:
enabled: true
labels: {}
apiPaths:
- /v2/
- /version/
uiPath: /
annotations:
kubernetes.io/ingress.class: nginx
Note: Configuring ingress is optional. It is used throughout this guide to expose the Anchore deployment on the public internet.
Anchore API Service
# Pod configuration for the anchore api service.
api:
# kubernetes service configuration for anchore external API
service:
type: NodePort
port: 8228
annotations: {}
Note: Changed the service type to NodePort
Anchore Enterprise UI
ui:
# kubernetes service configuration for anchore UI
service:
type: NodePort
port: 80
annotations: {}
sessionAffinity: ClientIP
Note: Changed service type to NodePort.
Install NGINX Ingress Controller
Using Helm, install an NGINX ingress controller in your AKS cluster.
Please note that we are using Nginx ingress as an example.
You may use whatever ingress you choose.
helm install stable/nginx-ingress --set controller.nodeSelector."beta\.kubernetes\.io/os"=linux --set defaultBackend.nodeSelector."beta\.kubernetes\.io/os"=linux
Deploy Anchore Enterprise
Enterprise services require an Anchore Enterprise license, as well as credentials with permission to access the private DockerHub repository containing the enterprise software.
Create a Kubernetes secret containing your license file:
kubectl create secret generic anchore-enterprise-license --from-file=license.yaml=<PATH/TO/LICENSE.YAML>
Create a Kubernetes secret containing DockerHub credentials with access to the private Anchore Enterprise software:
kubectl create secret docker-registry anchore-enterprise-pullcreds --docker-server=docker.io --docker-username=<DOCKERHUB_USER> --docker-password=<DOCKERHUB_PASSWORD> --docker-email=<EMAIL_ADDRESS>
Deploy Anchore Enterprise:
helm repo add anchore https://charts.anchore.io
helm install anchore anchore/enterprise -f anchore_values.yaml
It will take the system several minutes to bootstrap. You can checks on the status of the pods by running kubectl get pods
:
$ kubectl get pods
NAME READY STATUS RESTARTS AGE
anchore-enterprise-analyzer-7f9c7c65c8-tp8cs 1/1 Running 0 13m
anchore-enterprise-api-754cdb48bc-x8kxt 3/3 Running 0 13m
anchore-enterprise-catalog-64d4b9bb8-x8vmb 1/1 Running 0 13m
anchore-enterprise-notifications-65bd45459f-q28h2 2/2 Running 0 13m
anchore-enterprise-policy-657fdfd7f6-gzkmh 1/1 Running 0 13m
anchore-enterprise-reports-596cb47894-q8g49 1/1 Running 0 13m
anchore-enterprise-simplequeue-98b95f985-5xqcv 1/1 Running 0 13m
anchore-enterprise-ui-6794bbd47-vxljt 1/1 Running 0 13m
anchore-feeds-77b8976c4c-rs8h2 1/1 Running 0 13m
anchore-feeds-db-0 1/1 Running 0 13m
anchore-postgresql-0 1/1 Running 0 13m
anchore-ui-redis-master-0 1/1 Running 0 13m
mangy-serval-nginx-ingress-controller-788dd98c8b-jv2wg 1/1 Running 0 21m
mangy-serval-nginx-ingress-default-backend-8686cd585b-4m2bt 1/1 Running 0 21m
We can see that NGINX ingress controller has been installed as well from the previous step. You can view the services by running the following command:
$ kubectl get services | grep ingress
mangy-serval-nginx-ingress-controller LoadBalancer 10.0.30.174 40.114.26.147 80:31176/TCP,443:30895/TCP 22m
mangy-serval-nginx-ingress-default-backend ClusterIP 10.0.243.221 <none> 80/TCP 22m
Note: The above output shows us that IP address of the NGINX ingress controller is 40.114.26.147. Going to this address in the browser will take us to the Anchore login page.

Anchore System
Check the status of the system with AnchoreCTL to verify all of the Anchore services are up:
Note: Read more on Deploying AnchoreCTL
ANCHORECTL_URL=http://40.114.26.147/v2/ ANCHORECTL_USERNAME=admin ANCHORECTL_PASSWORD=foobar anchorectl system status
Anchore Feeds
It can take 5 minutes or more to fetch all of the vulnerability feeds from the Anchore Data Service. Check on the status of feeds with AnchoreCTL:
ANCHORECTL_URL=http://40.114.26.147/v2/ ANCHORECTL_USERNAME=admin ANCHORECTL_PASSWORD=foobar anchorectl feed list
Note: It is not uncommon for the above command to return a: []
as the initial feed sync occurs.
Once the vulnerability feed sync is complete, Anchore can begin to return vulnerability results on analyzed images. Please continue to the Vulnerability Management section of our documentation for more information.
2 - Deploying Anchore Enterprise on Amazon EKS
This section provides information on how to deploy Anchore Enterprise onto Amazon EKS. Here is recommended architecture on AWS EKS:

Prerequisites
You’ll need a running Amazon EKS cluster with worker nodes. See EKS Documentation for more information on this setup.
Once you have an EKS cluster up and running with worker nodes launched, you can verify it using the following command:
$ kubectl get nodes
NAME STATUS ROLES AGE VERSION
ip-192-168-2-164.ec2.internal Ready <none> 10m v1.14.6-eks-5047ed
ip-192-168-35-43.ec2.internal Ready <none> 10m v1.14.6-eks-5047ed
ip-192-168-55-228.ec2.internal Ready <none> 10m v1.14.6-eks-5047ed
In order to deploy the Anchore Enterprise services, you’ll then need the Helm client installed on local host.
Deployment via Helm Chart
Anchore maintains a Helm chart to simplify the software deployment process.
To make the necessary configurations to the Helm chart, create a custom anchore_values.yaml
file and reference it during deployment. There are many options for configuration with Anchore. The following is intended to cover the recommended changes for successfully deploying Anchore Enterprise on Amazon EKS.
Configurations
The following configurations should be used when deploying on EKS.
RDS
Anchore recommends utilizing Amazon RDS for a managed database service, rather than the Anchore chart-managed postgres. For information on how to configure for an external RDS database, see Amazon RDS. It is suggested to allow the storage to automatically increase as needed.
S3 Object Storage
Anchore supports the use of S3 object storage for archival of SBOMs, configuration details can be found here. Consider using the iamauto: True
option to utilise IAM roles for access to S3.
PVCs
Anchore by default uses ephemeral storage for pods but we recommend configuring Analyzer scratch space, at a minimum. Further details can be found here.
Anchore generally recommends providing EBS-backed storage for analyzer scratch of the gp3 type. Note that you will need to follow the AWS guide on storing K8s volumes with Amazon EBS. Once the CSI driver is configured for your cluster, you will then need to configure your helm chart with values similar to this:
analyzer:
scratchVolume:
details:
ephemeral:
volumeClaimTemplate:
metadata: {}
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
# must be 3xANCHORE_MAX_COMPRESSED_IMAGE_SIZE_MB + analyser_cache_size
# Setting this to 100G would mean the largest image you can scan is 30G (not counting analysis cache if you choose to configure that)
storage: 100Gi
# this would refer to whatever your storage class was named
storageClassName: "gp3"
Ingress
Anchore recommends using the AWS load balancer controller or EKS Auto Mode (https://docs.aws.amazon.com/eks/latest/userguide/auto-configure-alb.html) for ingress.
We also suggest using a vanity domain (anchore.mydomain.com in the example below) over TLS with Route53 & ACM however this goes beyond the scope of this document.
Here is a sample manifest for use with the AWS LBC or EKS Auto Mode ALB ingress:
ingress:
enabled: true
apiPaths:
- /v2/
- /version/
uiPath: /
ingressClassName: alb
annotations:
# See https://github.com/kubernetes-sigs/aws-load-balancer-controller/blob/main/docs/guide/ingress/annotations.md for further customization of annotations
alb.ingress.kubernetes.io/scheme: internet-facing
# If you do not plan to bring your own hostname (i.e. use the AWS supplied CNAME for the load balancer) then you can leave apiHosts & uiHosts as empty lists:
#apiHosts: []
#uiHosts: []
# If you plan to bring your own hostname then you'll likely want to populate them as follows:
apiHosts:
- anchore.mydomain.com
uiHosts:
- anchore.mydomain.com
Note
There are alternative ways to access services within your EKS cluster besides LBC ingress.You must also configure/change the following from ClusterIP
to NodePort
:
For the Anchore API Service:
# Pod configuration for the anchore engine api service.
api:
# kubernetes service configuration for anchore external API
service:
type: NodePort
port: 8228
annotations: {}
For the Anchore Enterprise UI Service:
ui:
# kubernetes service configuration for anchore UI
service:
type: NodePort
port: 80
annotations: {}
sessionAffinity: ClientIP
For users of Amazon ALB:
Users of ALB may want to align the timeout between gunicorn & ALB. The AWS ALB Connection idle timeout defaults to 60 seconds. The Anchore Helm charts have a timeout setting that defaults to 5 seconds which should be aligned with the ALB timeout setting.
Sporatic HTTP 502 errors may be emitted by the ALB if the timeouts are not in alignment. Please see this reference:
Note
Changed timeout_keep_alive from 5 to 65 to align with the ALB’s default timeout of 60.anchoreConfig:
server:
timeout_keep_alive: 65
Install Anchore Enterprise
Deploy Anchore Enterprise by following the instructions here.
Verify Ingress
Run the following command for details on the deployed ingress resource using the ELB:
$ kubectl describe ingress
Name: anchore-enterprise
Namespace: default
Address: xxxxxxx-default-anchoreen-xxxx-xxxxxxxxx.us-east-1.elb.amazonaws.com
Default backend: default-http-backend:80 (<none>)
Rules:
Host Path Backends
---- ---- --------
*
/v2/* anchore-enterprise-api:8228 (192.168.42.122:8228)
/* anchore-enterprise-ui:80 (192.168.14.212:3000)
Annotations:
alb.ingress.kubernetes.io/scheme: internet-facing
kubernetes.io/ingress.class: alb
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal CREATE 14m alb-ingress-controller LoadBalancer 904f0f3b-default-anchoreen-d4c9 created, ARN: arn:aws:elasticloadbalancing:us-east-1:077257324153:loadbalancer/app/904f0f3b-default-anchoreen-d4c9/4b0e9de48f13daac
Normal CREATE 14m alb-ingress-controller rule 1 created with conditions [{ Field: "path-pattern", Values: ["/v2/*"] }]
Normal CREATE 14m alb-ingress-controller rule 2 created with conditions [{ Field: "path-pattern", Values: ["/*"] }]
The output above shows that an ELB has been created. Next, try navigating to the specified URL in a browser:

Verify Anchore Service Status
Check the status of the system with AnchoreCTL to verify all of the Anchore services are up:
Note: Read more on Deploying AnchoreCTL
ANCHORECTL_URL=http://xxxxxx-default-anchoreen-xxxx-xxxxxxxxxx.us-east-1.elb.amazonaws.com ANCHORECTL_USERNAME=admin ANCHORECTL_PASSWORD=foobar anchorectl system status
3 - Deploying Anchore Enterprise on Google Kubernetes Engine (GKE)
Get an understanding of deploying Anchore Enterprise on a Google Kubernetes Engine (GKE) cluster and exposing it on the public Internet.
Note when using Google Cloud, consider utilizing Cloud SQL for PostgreSQL as a managed database service.
Prerequisites
- A running GKE cluster with worker nodes launched. See GKE Documentation for more information on this setup.
- Helm client installed on local host.
- AnchoreCTL installed on local host.
Once you have a GKE cluster up and running with worker nodes launched, you can verify it by using the followiing command.
$ kubectl get nodes
NAME STATUS ROLES AGE VERSION
gke-standard-cluster-1-default-pool-c04de8f1-hpk4 Ready <none> 78s v1.13.7-gke.24
gke-standard-cluster-1-default-pool-c04de8f1-m03k Ready <none> 79s v1.13.7-gke.24
gke-standard-cluster-1-default-pool-c04de8f1-mz3q Ready <none> 78s v1.13.7-gke.24
Anchore Helm Chart
Anchore maintains a Helm chart to simplify the software deployment process. An Anchore Enterprise deployment of the chart will include the following:
- Anchore Enterprise software
- PostgreSQL (13 or higher)
- Redis (4)
To make the necessary configurations to the Helm chart, create a custom anchore_values.yaml
file and reference it during deployment. There are many options for configuration with Anchore. The following is intended to cover the minimum required changes to successfully deploy Anchore Enterprise on Google Kubernetes Engine.
Note: For this deployment, a GKE ingress controller will be used. You can read more about Kubernetes Ingress with a GKE Ingress Controller here
Configurations
Make the following changes below to your anchore_values.yaml
Ingress
ingress:
enabled: true
apiPaths:
- /v2/*
uiPath: /*
Note: Configuring ingress is optional. It is used throughout this guide to expose the Anchore deployment on the public internet.
Anchore API Service
api:
replicaCount: 1
# kubernetes service configuration for anchore external API
service:
type: NodePort
port: 8228
annotations: {}
Note: Changed the service type to NodePort
Anchore Enterprise UI
ui:
# kubernetes service configuration for anchore UI
service:
type: NodePort
port: 80
annotations: {}
sessionAffinity: ClientIP
Note: Changed service type to NodePort.
Anchore Enterprise Deployment
Create Secrets
Enterprise services require an Anchore Enterprise license, as well as credentials with permission to access the private DockerHub repository containing the enterprise software.
Create a Kubernetes secret containing your license file:
kubectl create secret generic anchore-enterprise-license --from-file=license.yaml=<PATH/TO/LICENSE.YAML>
Create a Kubernetes secret containing DockerHub credentials with access to the private Anchore Enterprise software:
kubectl create secret docker-registry anchore-enterprise-pullcreds --docker-server=docker.io --docker-username=<DOCKERHUB_USER> --docker-password=<DOCKERHUB_PASSWORD> --docker-email=<EMAIL_ADDRESS>
Deploy Anchore Enterprise:
helm repo add anchore https://charts.anchore.io
helm install anchore anchore/enterprise -f anchore_values.yaml
It will take the system several minutes to bootstrap. You can checks on the status of the pods by running kubectl get pods
:
$ kubectl get pods
NAME READY STATUS RESTARTS AGE
anchore-enterprise-analyzer-7f9c7c65c8-tp8cs 1/1 Running 0 13m
anchore-enterprise-api-754cdb48bc-x8kxt 3/3 Running 0 13m
anchore-enterprise-catalog-64d4b9bb8-x8vmb 1/1 Running 0 13m
anchore-enterprise-notifications-65bd45459f-q28h2 2/2 Running 0 13m
anchore-enterprise-policy-657fdfd7f6-gzkmh 1/1 Running 0 13m
anchore-enterprise-reports-596cb47894-q8g49 1/1 Running 0 13m
anchore-enterprise-simplequeue-98b95f985-5xqcv 1/1 Running 0 13m
anchore-enterprise-ui-6794bbd47-vxljt 1/1 Running 0 13m
anchore-feeds-77b8976c4c-rs8h2 1/1 Running 0 13m
anchore-feeds-db-0 1/1 Running 0 13m
anchore-postgresql-0 1/1 Running 0 13m
anchore-ui-redis-master-0 1/1 Running 0 13m
Run the following command for details on the deployed ingress resource:
$ kubectl describe ingress
Name: anchore-enterprise
Namespace: default
Address: 34.96.64.148
Default backend: default-http-backend:80 (10.8.2.6:8080)
Rules:
Host Path Backends
---- ---- --------
*
/v2/* anchore-enterprise-api:8228 (<none>)
/* anchore-enterprise-ui:80 (<none>)
Annotations:
kubernetes.io/ingress.class: gce
ingress.kubernetes.io/backends: {"k8s-be-31175--55c0399dc5755377":"HEALTHY","k8s-be-31274--55c0399dc5755377":"HEALTHY","k8s-be-32037--55c0399dc5755377":"HEALTHY"}
ingress.kubernetes.io/forwarding-rule: k8s-fw-default-anchore-enterprise--55c0399dc5750
ingress.kubernetes.io/target-proxy: k8s-tp-default-anchore-enterprise--55c0399dc5750
ingress.kubernetes.io/url-map: k8s-um-default-anchore-enterprise--55c0399dc5750
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal ADD 15m loadbalancer-controller default/anchore-enterprise
Normal CREATE 14m loadbalancer-controller ip: 34.96.64.148
The output above shows that an Load Balancer has been created. Navigate to the specified URL in a browser:

Anchore System
Check the status of the system with AnchoreCTL to verify all of the Anchore services are up:
Note: Read more on Deploying AnchoreCTL
ANCHORECTL_URL=http://34.96.64.148 ANCHORECTL_USERNAME=admin ANCHORECTL_PASSWORD=foobar anchorectl system status
Anchore Feeds
It can take some time to fetch all of the vulnerability feeds from the upstream data sources. Check on the status of feeds with Anchore CTL:
ANCHORECTL_URL=http://34.96.64.148 ANCHORECTL_USERNAME=admin ANCHORECTL_PASSWORD=foobar anchorectl feed list
Note: It is not uncommon for the above command to return a: []
as the initial feed sync occurs.
Once the vulnerability feed sync is complete, Anchore can begin to return vulnerability results on analyzed images. Please continue to the Vulnerability Management section of our documentation for more information.
4 - Deploying Anchore Enterprise on OpenShift
This document will walkthrough the deployment of Anchore Enterprise on an OpenShift Kubernetes Distribution (OKD) 3.11 cluster and expose it on the public internet.
Note: While this document walks through deploying on OKD 3.11, it has been successfully deployed and tested on OpenShift 4.2.4 and 4.2.7.
Prerequisites
- A running OpenShift Kubernetes Distribution (OKD) 3.11 cluster. Read more about the installation requirements here.
- Note: If deploying to a running OpenShift 4.2.4+ cluster, read more about the installation requirements here.
- Helm client and server installed and configured with your cluster.
- AnchoreCTL installed on local host.
Anchore Helm Chart
Anchore maintains a Helm chart to simplify the software deployment process. An Anchore Enterprise installation of the chart will include the following:
- Anchore Enterprise Software
- PostgreSQL (13)
- Redis 17
To make the necessary configurations to the Helm chart, create a custom anchore_values.yaml
file and reference it during deployment. There are many options for configuration with Anchore, this document is intended to cover the minimum required changes to successfully deploy Anchore Enterprise on OKD 3.11.
OpenShift Configurations
Create a new project
Create a new project called anchore-enterprise:
oc new-project anchore-enterprise
Create secrets
Two secrets are required for an Anchore Enterprise deployment.
Create a secret for the license file:
oc create secret generic anchore-enterprise-license --from-file=license.yaml=license.yaml
Create a secret for pulling the images:
oc create secret docker-registry anchore-enterprise-pullcreds --docker-server=docker.io --docker-username=<username> --docker-password=<password> --docker-email=<email>
Verify these secrets are in the correct namespace: anchore-enterprise
oc describe secret <secret-name>
Link ImagePullSecret
Link the above Docker registry secret to the default service account:
oc secrets link default anchore-enterprise-pullcreds --for=pull --namespace=anchore-enterprise
Verify this by running the following:
oc describe sa
Note: Validate your OpenShift SCC. Based on the security constraints of your environment, you may need to change SCC. oc adm policy add-scc-to-user anyuid -z default
Anchore Configurations
Create a custom anchore_values.yaml
file for your Anchore Enterprise deployment:
# NOTE: This is not a production ready values file for an openshift deployment.
securityContext:
fsGroup: null
runAsGroup: null
runAsUser: null
postgresql:
primary:
containerSecurityContext:
enabled: false
podSecurityContext:
enabled: false
ui-redis:
master:
podSecurityContext:
enabled: false
containerSecurityContext:
enabled: false
Install software
Run the following command to install the software:
helm repo add anchore https://charts.anchore.io
helm install anchore -f values.yaml anchore/enterprise
It will take the system several minutes to bootstrap. You can checks on the status of the pods by running oc get pods
:
$ oc get pods
NAME READY STATUS RESTARTS AGE
anchore-enterprise-analyzer-7f9c7c65c8-tp8cs 1/1 Running 0 13m
anchore-enterprise-api-754cdb48bc-x8kxt 1/1 Running 0 13m
anchore-enterprise-catalog-64d4b9bb8-x8vmb 1/1 Running 0 13m
anchore-enterprise-notifications-65bd45459f-q28h2 1/1 Running 0 13m
anchore-enterprise-policy-657fdfd7f6-gzkmh 1/1 Running 0 13m
anchore-enterprise-reports-596cb47894-q8g49 1/1 Running 0 13m
anchore-enterprise-simplequeue-98b95f985-5xqcv 1/1 Running 0 13m
anchore-enterprise-ui-6794bbd47-vxljt 1/1 Running 0 13m
anchore-enterprise-datasyncer-585997576d-2fgkg 1/1 Running 0 13m
anchore-enterprise-reportsworker-6fb4f55455-f2ts2 1/1 Running 0 13m
anchore-postgresql-0 1/1 Running 0 13m
anchore-ui-redis-master-0 1/1 Running 0 13m
Create route objects
Create two route object in the OpenShift console to expose the UI and API services on the public internet:
Note: Route configuration is optional. It is used throughout this guide to expose the Anchore deployment on the public internet.
API Route

UI Route

Routes

Verify by navigating to the anchore-enterprise-ui route hostname:

Anchore System
First you will need to retrieve the admin password. This is stored as a secret during the helm install process
oc get secret anchore-enterprise-env -o jsonpath='{.data.ANCHORE_ADMIN_PASSWORD}' -n anchore | base64 -d
You can use customize your helm values.yaml file to use an existing / custom secrets rather than have help generate one for you with a generated password.
Verify API route hostname with AnchoreCTL:
Note: Read more on Deploying AnchoreCTL
ANCHORECTL_URL=http://anchore-engine-anchore-enterprise.apps.54.84.147.202.nip.io \
ANCHORECTL_USERNAME=admin \
ANCHORECTL_PASSWORD=foobar \
anchorectl system status
#### Anchore Vulnerability data
Anchore has a datasyncer service that pulls the vulnerability and other data sources such as ClamAV malware database into your Anchore deployment. You can check on the status of these feed data using AnchoreCTL:
```shell
ANCHORECTL_URL=http://anchore-engine-anchore-enterprise.apps.54.84.147.202.nip.io \
ANCHORECTL_USERNAME=admin \
ANCHORECTL_PASSWORD=foobar \
anchorectl feed list
Note: Please continue to the Vulnerability Management section of our documentation for more information about Vulnerability Management within Anchore.