Private image scanning

Set up access to private or managed container image registries

Suggest Edits

By default, the Kvisor agent has the ability to scan both private and public images that are running on nodes managed by the CAST AI cluster controller. To enable scanning on other nodes, you must enable the scanning of images that are stored in your registry to have a complete overview of image security.

Kvisor can scan private images from any private registry using image pull secrets and cloud providers managed registries for EKS, GKE, AKS.

Private registries with image pull secret

  1. Create an image pull secret in thecastai-agent namespace: 
    kubectl -n castai-agent create secret docker-registry [secret-name] \
  --docker-server=[registry-server] \
  --docker-username=[registry-username] \
  --docker-password=[registry-password]

[registry-server] can be in one of the 3 formats:

  • {registry}, for example docker.io

  • {registry}/{namespace}, for example docker.io/castai

  • {registry}/{namespace}/{repository}, for example docker.io/castai/agent

    Here's an example for gitlab private images:

kubectl -n castai-agent create secret docker-registry [secret-name] \
  --docker-server=https://registry.gitlab.com \
  --docker-username=registry-user \
  --docker-password=registry-password
  1. Configure kvisor to scan private images using the image pull secret:
helm upgrade castai-kvisor castai-helm/castai-kvisor -n castai-agent \
  --reuse-values --set controller.extraArgs.image-private-registry-pull-secret=[secret-name]

Amazon Elastic Container Registry (Amazon ECR)

Amazon ECR integrates with EKS Kubernetes clusters and provides secure access to images without the need to configure pull secrets.

First you need to enable OIDC provider for your EKS cluster.

eksctl utils associate-iam-oidc-provider \
  --cluster <cluster_name> \
  --approve

Next, create service account

kubectl create serviceaccount castai-kvisor-ecr -n castai-agent

Now you can attach IAM policy to allows kvisor image scan jobs access private images in readonly mode

eksctl create iamserviceaccount \
  --name castai-kvisor-ecr \
  --namespace castai-agent \
  --cluster <cluster_name> \
  --attach-policy-arn arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly \
  --approve \
  --override-existing-serviceaccounts

Finally, we need to tell kvisor to use this service account for image scanning.

helm upgrade castai-kvisor castai-helm/castai-kvisor -n castai-agent \
  --reuse-values --set controller.extraArgs.image-scan-service-account=castai-kvisor-ecr

Updated about 1 month ago