Enable/Disable Vulnerability Scanning in Azure Operator Nexus Cluster

This guide provides you with instructions on how to enable or disable Vulnerability Scanning in an Azure Operator Nexus cluster.

Before you begin

Setting variables

To help with configuring Vulnerability Scanning, define these environment variables used by the various commands throughout this guide.

Note

These environment variable values do not reflect a real deployment and users MUST change them to match their environments.

# SUBSCRIPTION_ID: Subscription of your cluster
export SUBSCRIPTION_ID="xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
# RESOURCE_GROUP: Resource group of your cluster
export RESOURCE_GROUP="contoso-cluster-rg"
# MANAGED_RESOURCE_GROUP: Managed resource group managed by your cluster
export MANAGED_RESOURCE_GROUP="contoso-cluster-managed-rg"
# CLUSTER_NAME: Name of your cluster
export CLUSTER_NAME="contoso-cluster"

Defaults for Vulnerability Scanning

Vulnerability Scanning is Enabled by default.

Configuring Vulnerability Scanning

The az networkcloud cluster update command allows you to update the settings of Vulnerability Scanning by using the argument --vulnerability-scanning-settings container-scan="<setting>".

The following command configures the setting for your Cluster.

az networkcloud cluster update \
--subscription ${SUBSCRIPTION_ID} \
--resource-group ${RESOURCE_GROUP} \
--cluster-name ${CLUSTER_NAME} \
--vulnerability-scanning-settings container-scan="<setting>"

Allowed values for <setting>: Disabled, Enabled.

  • Disabled: Vulnerability Scanning is turned off on the Cluster and no scans are performed.
  • Enabled: Vulnerability Scanning is enabled on the Cluster and scans are performed.

You can confirm that the setting was updated by inspecting the output for the following JSON snippet in the Cluster resource view:

  "vulnerabilityScanningSettings": {
      "containerScan": "<setting>"
  }
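The following shell script is an added example and is not part of the Azure documentation above. It wraps the update-then-verify procedure: it rejects any value other than Enabled or Disabled before calling the CLI, applies the setting with the az networkcloud cluster update command shown in the guide, and then reads the Cluster resource view back to confirm that containerScan matches what was requested. It assumes the environment variables defined earlier in the guide are set, that az networkcloud cluster show accepts the same --subscription, --resource-group and --cluster-name arguments as the update command (an assumption, not stated on the page), and that the JSON output has the containerScan key on its own line as in the snippet above. The sample JSON embedded at the end is constructed so the parsing step can be exercised without a live cluster.

```shell
#!/bin/sh
# Added example: apply a Vulnerability Scanning setting and confirm it from the
# Cluster resource view. Not part of the Azure Operator Nexus documentation.

# validate_setting: succeed only for the two values the guide allows.
validate_setting() {
  case "$1" in
    Enabled|Disabled) return 0 ;;
    *) return 1 ;;
  esac
}

# container_scan_from_json: extract the containerScan value from cluster JSON
# read on stdin. Assumes the key sits on its own line, as in the guide's snippet.
container_scan_from_json() {
  sed -n 's/.*"containerScan"[[:space:]]*:[[:space:]]*"\([A-Za-z]*\)".*/\1/p' | head -n 1
}

# set_container_scan: update the Cluster and verify the change was applied.
# Uses the guide's environment variables; the show command is an assumption.
set_container_scan() {
  desired="$1"
  if ! validate_setting "$desired"; then
    echo "invalid setting '$desired': use Enabled or Disabled" >&2
    return 2
  fi
  az networkcloud cluster update \
    --subscription "${SUBSCRIPTION_ID}" \
    --resource-group "${RESOURCE_GROUP}" \
    --cluster-name "${CLUSTER_NAME}" \
    --vulnerability-scanning-settings container-scan="${desired}" >/dev/null || return 1
  actual=$(az networkcloud cluster show \
    --subscription "${SUBSCRIPTION_ID}" \
    --resource-group "${RESOURCE_GROUP}" \
    --cluster-name "${CLUSTER_NAME}" \
    --output json | container_scan_from_json)
  if [ "$actual" != "$desired" ]; then
    echo "expected containerScan=$desired but the Cluster reports '$actual'" >&2
    return 1
  fi
  echo "containerScan is now ${actual}"
}

# Constructed sample of the relevant part of a Cluster resource view, used to
# exercise the parser offline. Not real deployment output.
SAMPLE_CLUSTER_JSON='{
  "vulnerabilityScanningSettings": {
      "containerScan": "Enabled"
  }
}'

# sample_container_scan: parse the constructed sample (Enabled).
sample_container_scan() {
  printf '%s\n' "$SAMPLE_CLUSTER_JSON" | container_scan_from_json
}

echo "sample containerScan: $(sample_container_scan)"
# To change a real Cluster: set_container_scan Disabled
```

Call set_container_scan Enabled or set_container_scan Disabled once the variables from the guide are exported; the function exits non-zero if the value is not one of the two allowed settings or if the Cluster does not report the requested value after the update.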