Private image scanning
Set up access to private or managed container image registries
By default, the Kvisor agent can scan both private and public images running on nodes managed by the CAST AI cluster controller. To cover the remaining nodes as well, you must enable scanning of the images stored in your own registry so that you get a complete overview of image security.
Kvisor can scan private images from any private registry using image pull secrets, and from the cloud providers' managed registries on EKS, GKE and AKS.
Private registries with image pull secret
- Create an image pull secret in the castai-agent namespace:

  kubectl -n castai-agent create secret docker-registry [secret-name] \
    --docker-server=[registry-server] \
    --docker-username=[registry-username] \
    --docker-password=[registry-password]

  [registry-server] can be in one of 3 formats:
  - {registry}, for example docker.io
  - {registry}/{namespace}, for example docker.io/castai
  - {registry}/{namespace}/{repository}, for example docker.io/castai/agent
Here's an example for GitLab private images:
kubectl -n castai-agent create secret docker-registry [secret-name] \
--docker-server=https://registry.gitlab.com \
--docker-username=registry-user \
--docker-password=registry-password
- Configure kvisor to scan private images using the image pull secret:
helm upgrade castai-kvisor castai-helm/castai-kvisor -n castai-agent \
--reuse-values --set controller.extraArgs.image-private-registry-pull-secret=[secret-name]
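As an added example (not from the CAST AI docs or kvisor's own code), the following Python decodes a pull secret's .dockerconfigjson, flags server entries that do not fit the three formats above, and shows which entry would apply to a given image reference. The sample secret data is constructed, and the most-specific path-component prefix matching is an assumption used for illustration, not a description of how kvisor selects credentials.

```python
import base64
import json
import re

# Constructed sample of what `kubectl -n castai-agent get secret [secret-name]
# -o jsonpath='{.data.\.dockerconfigjson}'` returns: base64 of the docker config.
# Credentials are placeholders; the last entry is deliberately malformed.
SAMPLE_SECRET_DATA = base64.b64encode(json.dumps({"auths": {
    "https://registry.gitlab.com": {"username": "registry-user", "password": "registry-password"},
    "docker.io/castai": {"username": "hub-user", "password": "hub-token"},
    "docker.io/castai/agent": {"username": "agent-user", "password": "agent-token"},
    "bad entry with spaces": {"username": "x", "password": "y"},
}}).encode()).decode()

# The three accepted server forms: {registry}, {registry}/{namespace},
# {registry}/{namespace}/{repository}; an optional :port on the registry host.
SERVER_RE = re.compile(r"^[A-Za-z0-9.\-]+(:\d+)?(/[a-z0-9._\-]+){0,2}$")


def normalize_server(server: str) -> str:
    """Drop the scheme and trailing slash so https://registry.gitlab.com/ compares as registry.gitlab.com."""
    return re.sub(r"^https?://", "", server).rstrip("/")

def load_auths(secret_data_b64: str) -> dict:
    """Decode the secret's .dockerconfigjson into {normalized server: auth entry}."""
    cfg = json.loads(base64.b64decode(secret_data_b64))
    return {normalize_server(s): a for s, a in cfg.get("auths", {}).items()}

def invalid_servers(auths: dict) -> list:
    """Server keys that match none of the three formats; fix these before pointing kvisor at the secret."""
    return [s for s in auths if not SERVER_RE.match(s)]

def resolve_credential(auths: dict, image_ref: str):
    """Return (server, auth) for the most specific entry whose components prefix the image path.
    Assumes fully qualified references such as docker.io/castai/agent:v1 or ...@sha256:... (illustrative)."""
    parts = image_ref.split("/")
    parts[-1] = re.split(r"[@:]", parts[-1])[0]  # strip :tag or @digest from the last component
    best = None
    for server, auth in auths.items():
        sparts = server.split("/")
        if parts[:len(sparts)] == sparts and (best is None or len(sparts) > len(best[0].split("/"))):
            best = (server, auth)
    return best

if __name__ == "__main__":
    auths = load_auths(SAMPLE_SECRET_DATA)
    print("invalid servers:", invalid_servers(auths))
    print("docker.io/castai/kvisor:v1 ->", resolve_credential(auths, "docker.io/castai/kvisor:v1")[0])
```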
Amazon Elastic Container Registry (Amazon ECR)
Amazon ECR integrates with EKS Kubernetes clusters and provides secure access to images without the need to configure pull secrets.
First, you need to enable the OIDC provider for your EKS cluster:
eksctl utils associate-iam-oidc-provider \
--cluster <cluster_name> \
--approve
Next, create a service account:
kubectl create serviceaccount castai-kvisor-ecr -n castai-agent
Now attach an IAM policy that allows the kvisor image scan jobs to access private images in read-only mode:
eksctl create iamserviceaccount \
--name castai-kvisor-ecr \
--namespace castai-agent \
--cluster <cluster_name> \
--attach-policy-arn arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly \
--approve \
--override-existing-serviceaccounts
Finally, tell kvisor to use this service account for image scanning:
helm upgrade castai-kvisor castai-helm/castai-kvisor -n castai-agent \
--reuse-values --set controller.extraArgs.image-scan-service-account=castai-kvisor-ecr