Merge pull request #61727 from stevsmit/OSDOCS-3499-CSO-CLI

Updates scanning pods for vulernabilities docs

Author: stevsmit

modules/security-pod-scan-cso-using.adoc

@@ -0,0 +1,42 @@
+// Module included in the following assemblies:
+//
+// * security/pod-vulnerabilities-scan.adoc
+
+:_content-type: PROCEDURE
+[id="security-pod-scan-cso-using_{context}"]
+= Using the {rhq-cso}
+
+The following procedure shows you how to use the {rhq-cso}. 
+
+.Prerequisites 
+
+* You have installed the {rhq-cso}. 
+
+.Procedure
+
+. On the {product-title} web console, navigate to *Home* -> *Overview*. Under the *Status* section, *Quay Image Security* provides the number of vulnerabilities found.
+
+. Click *Quay Image Security* to reveal the *Quay Image Security breakdown*, which details the severity of the vulnerabilities, whether the vulnerabilities can be fixed, and the total number of vulnerabilities. For example:
++
+image:image_security.png[Access image scanning data from {product-title} dashboard]
+
+. You can address detected vulnerabilities in one of two ways:
++
+.. Select the link to the vulnerability. This takes you to the container registry that the container came from, where you can see information about the vulnerability. The following example shows detected vulnerabilities from a Quay.io registry:
++
+image:cso-registry-vulnerable.png[The {rhq-cso} points you to a registry containing the vulnerable image]
+
+.. Select the *namespace* link. This takes you to the *ImageManifestVuln* page, where you can see the name of the selected image and all of the namespaces where that image is running. For example, the following image shows you that a particular vulnerable image is running in the `quay-enterprise` namespace: 
++
+image:cso-namespace-vulnerable.png[View namespaces a vulnerable image is running in]
+
+. After you have learned what images are vulnerable, how to fix those vulnerabilities, and the namespaces that the images are being run in, you can improve security by performing the following actions:
+
+.. Alert anyone in your organization who is running the image and request that they correct the vulnerability. 
+
+.. Stop the images from running by deleting the deployment or other object that started the pod that the image is in.
++
+[NOTE]
+====
+If you delete the pod, it might take several minutes for the vulnerability information to reset on the dashboard.
+====

modules/security-pod-scan-cso.adoc

@@ -1,72 +1,90 @@
 // Module included in the following assemblies:
 //
-// * security/pod-vulnerabilities-scan.adoc
+// * security/pod-vulnerability-scan.adoc
 
 :_content-type: PROCEDURE
 [id="security-pod-scan-cso_{context}"]
-= Running the {rhq-cso}
+= Installing the {rhq-cso}
 
-You can start the {rhq-cso} from the {product-title}
-web console by selecting and installing that Operator from the Operator Hub,
-as described here.
+You can install the {rhq-cso} from the {product-title} web console Operator Hub, or by using the CLI. 
 
 .Prerequisites
 
-* Have administrator privileges to the {product-title} cluster
-* Have containers that come from a Red Hat Quay or Quay.io registry running on your cluster
+* You have installed the `oc` CLI.
+* You have administrator privileges to the {product-title} cluster.
+* You have containers that come from a Red Hat Quay or Quay.io registry running on your cluster.
 
 .Procedure
 
-. Navigate to *Operators* -> *OperatorHub* and select *Security*.
+. You can install the {rhq-cso} by using the {product-title} web console:
 
-. Select the *Container Security* Operator, then select *Install*
-to go to the Create Operator Subscription page.
+.. On the web console, navigate to *Operators* -> *OperatorHub* and select *Security*.
 
-. Check the settings. All namespaces and automatic approval strategy are selected, by default.
+.. Select the *{rhq-cso}* Operator, and then select *Install*.
 
-. Select *Install*. The *Container Security* Operator appears after a few moments on the *Installed Operators* screen.
+.. On the *{rhq-cso}* page, select *Install*. *Update channel*, *Installation mode*, and *Update approval* are selected automatically. The *Installed Namespace* field defaults to `openshift-operators`. You can adjust these settings as needed.
 
-. Optional: You can add custom certificates to the {rhq-cso}. In this example, create a certificate
-named `quay.crt` in the current directory. Then run the following command to add the cert to the {rhq-cso}:
+.. Select *Install*. The *{rhq-cso}* appears after a few moments on the *Installed Operators* page.
+
+.. Optional: You can add custom certificates to the {rhq-cso}. For example, create a certificate named `quay.crt` in the current directory. Then, run the following command to add the custom certificate to the {rhq-cso}:
 +
 [source,terminal]
 ----
 $ oc create secret generic container-security-operator-extra-certs --from-file=quay.crt -n openshift-operators
 ----
 
-. If you added a custom certificate, restart the Operator pod for the new certs to take effect.
+.. Optional: If you added a custom certificate, restart the {rhq-cso} pod for the new certificates to take effect.
 
-. Open the OpenShift Dashboard (`Home` -> `Overview`). A link to
-*Quay Image Security* appears under the status section, with a listing of the number
-of vulnerabilities found so far. Select the link to see a *Quay Image Security breakdown*, as shown in the following figure:
-+
-image:image_security.png[Access image scanning data from {product-title} dashboard]
+. Alternatively, you can install the {rhq-cso} by using the CLI:
 
-. You can do one of two things at this point to follow up on any detected vulnerabilities:
-+
-*  Select the link to the vulnerability. You are taken to the container
-registry that the container came
-from, where you can see information about the vulnerability. The following
-figure shows an example of detected vulnerabilities from a Quay.io registry:
+.. Retrieve the latest version of the Container Security Operator and its channel by entering the following command:
 +
-image:cso-registry-vulnerable.png[The {rhq-cso} points you to a registry containing the vulnerable image]
+[source,terminal]
+----
+$ oc get packagemanifests container-security-operator \
+  -o jsonpath='{range .status.channels[*]}{@.currentCSV} {@.name}{"\n"}{end}' \
+  | awk '{print "STARTING_CSV=" $1 " CHANNEL=" $2 }' \
+  | sort -nr \
+  | head -1
+----
 +
-* Select the namespaces link to go to the *ImageManifestVuln* screen,
-where you can see the name of the selected image
-and all namespaces where that image is running.
-The following figure indicates that a particular vulnerable image
-is running in the `quay-enterprise` namespace:
+.Example output
 +
-image:cso-namespace-vulnerable.png[View namespaces a vulnerable image is running in]
-
-At this point, you know what images are vulnerable, what
-you need to do to fix those vulnerabilities,
-and every namespace that the image was run in. So you can:
+[source,terminal]
+----
+STARTING_CSV=container-security-operator.v3.8.9 CHANNEL=stable-3.8
+----
 
-* Alert anyone running the image that
-they need to correct the vulnerability
-* Stop the images from running by deleting the deployment
-or other object that started the pod that the image is in
+.. Using the output from the previous command, create a `Subscription` custom resource for the {rhq-cso} and save it as `container-security-operator.yaml`. For example:
++
+[source,yaml]
+----
+apiVersion: operators.coreos.com/v1alpha1
+kind: Subscription
+metadata:
+  name: container-security-operator
+  namespace: openshift-operators
+spec:
+  channel: ${CHANNEL} <1>
+  installPlanApproval: Automatic
+  name: container-security-operator
+  source: redhat-operators
+  sourceNamespace: openshift-marketplace
+  startingCSV: ${STARTING_CSV} <2>
+----
+<1> Specify the value you obtained in the previous step for the `spec.channel` parameter. 
+<2> Specify the value you obtained in the previous step for the `spec.startingCSV` parameter. 
 
-Note that if you do delete the pod, it may take several minutes
-for the vulnerability to reset on the dashboard.
+.. Enter the following command to apply the configuration:
++
+[source,terminal]
+----
+$ oc apply -f container-security-operator.yaml
+----
++
+.Example output
++
+[source,terminal]
+----
+subscription.operators.coreos.com/container-security-operator created
+----

modules/security-pod-scan-query-cli.adoc

@@ -1,20 +1,20 @@
 // Module included in the following assemblies:
 //
-// * security/pod-vulnerabilities-scan.adoc
+// * security/pod-vulnerability-scan.adoc
 
 :_content-type: PROCEDURE
 [id="security-pod-scan-query-cli_{context}"]
 = Querying image vulnerabilities from the CLI
-Using the `oc` command, you can display information about
-vulnerabilities detected by the {rhq-cso}.
+
+Using the `oc` command, you can display information about vulnerabilities detected by the {rhq-cso}.
 
 .Prerequisites
-* Be running the {rhq-cso} on your
-{product-title} instance
+
+* You have installed the {rhq-cso} on your {product-title} instance.
 
 .Procedure
 
-* To query for detected container image vulnerabilities, type:
+. Enter the following command to query for detected container image vulnerabilities:
 +
 [source,terminal]
 ----
@@ -29,9 +29,7 @@ default       sha256.ca90...    6m56s
 skynet        sha256.ca90...    9m37s
 ----
 
-* To display details for a particular vulnerability, provide the
-vulnerability name and its namespace to the `oc describe` command.
-This example shows an active container whose image includes an RPM package with a vulnerability:
+. To display details for a particular vulnerability, append the vulnerability name and its namespace to the `oc describe` command. The following example shows an active container whose image includes an RPM package with a vulnerability:
 +
 [source,terminal]
 ----

security/pod-vulnerability-scan.adoc

@@ -23,6 +23,7 @@ namespace, so it is available to all namespaces on your {product-title} cluster.
 
 //
 include::modules/security-pod-scan-cso.adoc[leveloffset=+1]
+include::modules/security-pod-scan-cso-using.adoc[leveloffset=+1]
 
 //
 include::modules/security-pod-scan-query-cli.adoc[leveloffset=+1]