Private images scanning

Setup private or managed container images registries access

By default, the Kvisor agent has the ability to scan both private and public images that are running on nodes managed by the CAST AI cluster controller. To enable scanning on other nodes, you must enable the scanning of images that are stored in your registry to have a complete overview of image security.

Kvisor can scan private images from any private registry using image pull secrets and cloud providers managed registries for EKS, GKE, AKS.

Private registries with image pull secret

  1. Create an image pull secret in thecastai-agent namespace:
    kubectl -n castai-agent create secret docker-registry [secret-name] \
      --docker-server=[registry-server] \
      --docker-username=[registry-username] \
      --docker-password=[registry-password]
    

[registry-server] can be in one of the 3 formats:

  • {registry}, for example docker.io

  • {registry}/{namespace}, for example docker.io/castai

  • {registry}/{namespace}/{repository}, for example docker.io/castai/agent

    Here's an example for gitlab private images:

kubectl -n castai-agent create secret docker-registry [secret-name] \
  --docker-server=https://registry.gitlab.com \
  --docker-username=registry-user \
  --docker-password=registry-password
  1. Configure kvisor to scan private images using the image pull secret:
helm upgrade castai-kvisor castai-helm/castai-kvisor -n castai-agent \
  --reuse-values --set imageScanSecret=[secret-name]

Amazon Elastic Container Registry (Amazon ECR)

Amazon ECR integrates with EKS Kubernetes clusters and provides secure access to images without the need to configure pull secrets.

First you need to enable OIDC provider for your EKS cluster.

eksctl utils associate-iam-oidc-provider \
  --cluster <cluster_name> \
  --approve

Now you can attach IAM policy to allows kvisor image scan jobs access private images in readonly mode

eksctl create iamserviceaccount \
  --name castai-kvisor-image-scan \
  --namespace castai-agent \
  --cluster <cluster_name> \
  --attach-policy-arn arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly \
  --approve \
  --override-existing-serviceaccounts

Restart kvisor deployment

kubectl rollout restart deployment castai-kvisor -n castai-agent