# Question 10: Image Security

###### tags: `Real Exam Walkthrough`

Switch cluster: `kubectl config use-context k8s`

**Task**

Use the Trivy open-source container scanner to detect images with severe vulnerabilities used by Pods in the namespace **yavin**.

Look for images with **High** or **Critical** severity vulnerabilities, and delete the Pods that use those images.

Trivy is pre-installed on the cluster's master node only; it is not available on the base system or the worker nodes. You'll have to connect to the cluster's master node to use Trivy.

## Solution

As the task requires, log in to the master node, then find the images used by all Pods in the `yavin` namespace.

```
kubectl get pod -n yavin    # list all Pods
kubectl get -n yavin pod products-service -oyaml | grep -i "image"    # look up the image used by each Pod, one by one
```

Next, scan each image name found in the previous step with Trivy and filter the output with grep. Any vulnerability row that appears in the filtered output means the image does not meet the requirement. The `Total:` summary line also matches this pattern (through ` CRITICAL`) even when both counts are 0, so read its HIGH and CRITICAL counts rather than treating that line alone as a finding.

```
root@ubuk8s-vm01:~# trivy rock981119/net-tools:v2 |grep -iE "High | Critical"
Total: 108 (UNKNOWN: 0, LOW: 39, MEDIUM: 64, HIGH: 5, CRITICAL: 0)
| libgnutls30 | CVE-2020-13777 | HIGH | 3.6.13-2ubuntu1 | 3.6.13-2ubuntu1.1 | gnutls: session resumption works |
| libssl1.1 | CVE-2020-1971 | HIGH | 1.1.1f-1ubuntu2 | 1.1.1f-1ubuntu2.1 | openssl: EDIPARTYNAME |
| openssl | CVE-2020-1971 | HIGH | 1.1.1f-1ubuntu2 | 1.1.1f-1ubuntu2.1 | openssl: EDIPARTYNAME |
```

**Tips**: Read the task carefully. In the real exam, each Pod may belong to a Deployment. In that case, deleting the Pod means deleting the Deployment, or editing the Deployment to scale its replicas down to 0.
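The per-Pod lookup and scan described above can be done in one pass. The following is an added example, not part of the original walkthrough: it decides from the HIGH and CRITICAL counts in Trivy's `Total:` line and reports a scan that produced no result instead of treating it as clean. The function names, the `SCANNER` variable, the `example/clean:v1` image and the stand-in scanner are assumptions made for illustration.

```bash
# Added example (not from the original page). Assumes Trivy's table output
# with a "Total: ..." summary line per target, as in the scan shown above.

# stdin: Trivy output. Exit 0 = HIGH or CRITICAL count above zero,
# 1 = both counts are zero, 2 = no Total line seen (scan gave no result).
has_high_or_critical() {
  awk '
    /^Total:/ {
      seen = 1
      if (match($0, /HIGH: [0-9]+/))     n += substr($0, RSTART + 6, RLENGTH - 6)
      if (match($0, /CRITICAL: [0-9]+/)) n += substr($0, RSTART + 10, RLENGTH - 10)
    }
    END { if (!seen) exit 2; exit !(n > 0) }
  '
}

# Prints "name<TAB>image image ..." for every Pod in namespace $1.
list_pod_images() {
  kubectl get pods -n "$1" -o \
    jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.spec.containers[*].image}{"\n"}{end}'
}

# stdin: lines from list_pod_images. Prints each Pod that runs a failing image.
# SCANNER (hypothetical variable) defaults to the trivy invocation on this page.
flag_pods() {
  tab=$(printf '\t')
  while IFS="$tab" read -r pod images; do
    for image in $images; do
      rc=0
      ${SCANNER:-trivy} "$image" </dev/null 2>/dev/null | has_high_or_critical || rc=$?
      case $rc in
        0) echo "$pod"; break ;;
        2) echo "scan failed, check manually: $pod $image" >&2 ;;
      esac
    done
  done
}

# Constructed stand-in scanner so the logic can be tried without a cluster.
sample_scan() {
  case "$1" in
    rock981119/net-tools:v2)
      echo "Total: 108 (UNKNOWN: 0, LOW: 39, MEDIUM: 64, HIGH: 5, CRITICAL: 0)" ;;
    example/clean:v1)
      echo "Total: 12 (UNKNOWN: 0, LOW: 8, MEDIUM: 4, HIGH: 0, CRITICAL: 0)" ;;
  esac
}

# On the master node: list_pod_images yavin | flag_pods
```

On Trivy releases that scan images through the `trivy image` subcommand, set `SCANNER="trivy image"`. Review the printed Pod names against their owning Deployments before deleting anything, as the tip above explains.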