Merge pull request #157 from snyk/chore/static-analysis-docs

chore: static analysis docs

Author: ivanstanev

README.md

@@ -5,11 +5,12 @@ Container to monitor Kubernetes clusters' security
 
 ## Prerequisites ##
 
-*Note that at present the monitor works only if using Docker as the container runtime.*
+*Note that by default the monitor uses Docker to scan your cluster and requires Docker to be your container runtime.*
+*Alternatively, you can enable static analysis, which allows the use of any container runtime.*
 
 The Snyk monitor (`kubernetes-monitor`) requires some minimal configuration items in order to work correctly.
 
-As with any k8s deployment, the `kubernetes-monitor` runs within a single namespace.
+As with any Kubernetes deployment, the `kubernetes-monitor` runs within a single namespace.
 If you do not already have access to a namespace where you want to deploy the monitor, you can run the following command to create one:
 ```shell
 kubectl create namespace snyk-monitor
@@ -19,29 +20,29 @@ Notice our namespace is called _snyk-monitor_ and it is used for the following c
 
 The Snyk monitor relies on using your Snyk Integration ID, and using a `dockercfg` file. The `dockercfg` file is necessary to allow the monitor to look up images in private registries. Usually a copy of the `dockercfg` resides in `$HOME/.docker/config.json`.
 
-Both of these items must be provided by a k8s secret. The secret must be called _snyk-monitor_. The steps to create the secret are as such:
+Both of these items must be provided from a Kubernetes secret. The secret must be called _snyk-monitor_. The steps to create the secret are as such:
 
 1. Create a file named `dockercfg.json`. Store your `dockercfg` in there; it should look like this:
 
 ```json
 {
   "auths": {
     "gcr.io": {
-      "auth": "<BASE64-ENCODED-AUTH-DETAILS>"
+      "auth": "BASE64-ENCODED-AUTH-DETAILS"
     }
     // Add other registries as necessary
   }
 }
 ```
 
 2. Locate your Snyk Integration ID from the Snyk Integrations page (navigate to https://app.snyk.io/org/YOUR-ORGANIZATION-NAME/manage/integrations/kubernetes) and copy it.
-The Snyk Integration ID looks similar to the following:
+The Snyk Integration ID is a UUID and looks similar to the following:
 ```
 abcd1234-abcd-1234-abcd-1234abcd1234
 ```
 The Snyk Integration ID is used in the `--from-literal=integrationId=` parameter in the next step.
 
-3. Finally, create the secret in k8s by running the following command:
+3. Finally, create the secret in Kubernetes by running the following command:
 ```shell
 kubectl create secret generic snyk-monitor -n snyk-monitor --from-file=./dockercfg.json --from-literal=integrationId=abcd1234-abcd-1234-abcd-1234abcd1234
 ```
@@ -50,7 +51,7 @@ Note that the secret _must_ be namespaced, and the namespace (which we configure
 
 
 The `kubernetes-monitor` can run in one of two modes: constrained to a single namespace, or with access to the whole cluster.
-In other words, the monitor can scan containers in the namespace, or it can scan all containers in your cluster.
+In other words, the monitor can scan containers in one particular namespace, or it can scan all containers in your cluster.
 The choice of which deployment to use depends on the permissions you have on your cluster.
 
 For _cluster_-scoped deployment you can create the necessary `ServiceAccount`, `ClusterRole`, and `ClusterRoleBinding` required for the monitor's deployment.
@@ -75,11 +76,9 @@ Finally, to launch the Snyk monitor in your cluster, run the following:
 kubectl apply -f snyk-monitor-deployment.yaml
 ```
 
-## Using a local Docker image for testing ##
+## Enabling static analysis ##
 
-If you would like to use a locally-built image, then modify the following lines in `snyk-monitor-deployment.yaml` like this:
-```yaml
-      containers:
-      - image: <your-local-image-name:tag>
-        imagePullPolicy: Never
-```
+Static analysis works with any container runtime and does not rely on Docker to scan the images in your cluster.
+It works by pulling the image, unpacking it and inspecting the files directly. For this process it needs temporary storage, so the Snyk monitor uses 20 GB of storage in the form of [emptyDir](https://kubernetes.io/docs/concepts/storage/volumes/#emptydir).
+
+To enable static analysis, modify one of the permissions files (`snyk-monitor-namespaced-permissions.yaml` for the Namespaced deployment or `snyk-monitor-cluster-permissions.yaml` for the Cluster-scoped deployment) and set the string value of `staticAnalysis` to `"true"`.

snyk-monitor/README.md

@@ -1,11 +1,12 @@
 # snyk/kubernetes-monitor-chart #
 
 ## Summary ##
-A Helm chart for the Snyk Monitor
+A Helm chart for the Snyk monitor
 
 ## Prerequisites ##
 
-*Note that at present the monitor works only if using Docker as the container runtime.*
+*Note that by default the monitor uses Docker to scan your cluster and requires Docker to be your container runtime.*
+*Alternatively, you can enable static analysis, which removes the reliance on Docker completely and works with any container runtime.*
 
 The Snyk monitor (`kubernetes-monitor`) requires some minimal configuration items in order to work correctly.
 
@@ -19,7 +20,7 @@ Notice our namespace is called _snyk-monitor_ and it is used for the following c
 
 The Snyk monitor relies on using your Snyk Integration ID, and using a `dockercfg` file. The `dockercfg` file is necessary to allow the monitor to look up images in private registries. Usually a copy of the `dockercfg` resides in `$HOME/.docker/config.json`.
 
-Both of these items must be provided by a k8s secret. The secret must be called _snyk-monitor_. The steps to create the secret are as such:
+Both of these items must be provided by a Kubernetes secret. The secret must be called _snyk-monitor_. The steps to create the secret are as such:
 
 1. Create a file named `dockercfg.json`. Store your `dockercfg` in there; it should look like this:
 
@@ -40,7 +41,7 @@ abcd1234-abcd-1234-abcd-1234abcd1234
 ```
 The Snyk Integration ID is used in the `--from-literal=integrationId=` parameter in the next step.
 
-3. Finally, create the secret in k8s by running the following command:
+3. Finally, create the secret in Kubernetes by running the following command:
 ```shell
 kubectl create secret generic snyk-monitor -n snyk-monitor --from-file=./dockercfg.json --from-literal=integrationId=abcd1234-abcd-1234-abcd-1234abcd1234
 ```
@@ -69,3 +70,14 @@ For Helm 3, you may run the following:
 ```shell
 helm upgrade --generate-name --install snyk-monitor snyk-charts/snyk-monitor --namespace snyk-monitor --set clusterName="Production cluster"
 ```
+
+## Enabling static analysis ##
+
+Static analysis works with any container runtime and does not rely on Docker to scan the images in your cluster.
+It works by pulling the image, unpacking it and inspecting the files directly. For this process it needs temporary storage, so the Snyk monitor uses 20 GB of storage in the form of [emptyDir](https://kubernetes.io/docs/concepts/storage/volumes/#emptydir).
+The Docker socket is _not_ mounted when static analysis is enabled.
+
+To enable static analysis, set the `featureFlags.staticAnalysis` value to `true`:
+```shell
+helm upgrade --install snyk-monitor snyk-charts/snyk-monitor --namespace snyk-monitor --set clusterName="Production cluster" --set featureFlags.staticAnalysis=true
+```