Private image scanning
Set up access to private or managed container image registries
By default, the Kvisor agent can scan both private and public images running on nodes managed by the CAST AI cluster controller. To cover images on other nodes as well, you must enable scanning of the images stored in your own registry, so that you get a complete overview of image security.
Kvisor can scan private images from any private registry using image pull secrets, and from the cloud providers' managed registries for EKS, GKE, and AKS.
Private registries with image pull secret
- Create an image pull secret in the castai-agent namespace:

kubectl -n castai-agent create secret docker-registry [secret-name] \
  --docker-server=[registry-server] \
  --docker-username=[registry-username] \
  --docker-password=[registry-password]

[registry-server] can be in one of three formats:

- {registry}, for example docker.io
- {registry}/{namespace}, for example docker.io/castai
- {registry}/{namespace}/{repository}, for example docker.io/castai/agent
Here's an example for GitLab private images:
kubectl -n castai-agent create secret docker-registry [secret-name] \
--docker-server=https://registry.gitlab.com \
--docker-username=registry-user \
--docker-password=registry-password
- Configure Kvisor to scan private images using the image pull secret:
helm upgrade castai-kvisor castai-helm/castai-kvisor -n castai-agent \
--reuse-values --set controller.extraArgs.image-private-registry-pull-secret=[secret-name]
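Before pointing Kvisor at a pull secret, it is worth checking that the secret's registry-server entries actually cover the images you expect. The following added example (not part of the CAST AI documentation or the Kvisor code base) decodes a constructed .dockerconfigjson payload, classifies each server entry into one of the three documented formats, and reports which entries cover a given image reference. The prefix-matching rule and the handling of scheme, tag, digest and port are assumptions made for illustration, not a description of Kvisor's internal matching.

```python
"""Check which pull-secret registry-server entries cover a given image.

Documented [registry-server] formats:
  {registry}, {registry}/{namespace}, {registry}/{namespace}/{repository}
"""
import base64
import json
from urllib.parse import urlparse

# Constructed sample: the decoded .dockerconfigjson of a docker-registry secret.
# Credentials are placeholders, not real values.
SAMPLE_DOCKERCONFIGJSON = json.dumps({
    "auths": {
        "https://registry.gitlab.com": {"auth": base64.b64encode(b"registry-user:registry-password").decode()},
        "docker.io/castai": {"auth": base64.b64encode(b"user:password").decode()},
    }
})

_FORMATS = {1: "registry", 2: "registry/namespace", 3: "registry/namespace/repository"}


def normalize_server(server):
    """Drop scheme and trailing slash: 'https://registry.gitlab.com/' -> 'registry.gitlab.com'."""
    s = server.strip()
    if "://" in s:
        parsed = urlparse(s)
        s = parsed.netloc + parsed.path
    return s.rstrip("/")


def server_format(server):
    """Classify a server entry into one of the three documented formats, or None if it fits none."""
    parts = normalize_server(server).split("/")
    if any(not p for p in parts):
        return None
    return _FORMATS.get(len(parts))


def image_repository(image_ref):
    """Strip digest and tag: 'docker.io/castai/agent:v1@sha256:...' -> 'docker.io/castai/agent'."""
    ref = image_ref.split("@", 1)[0]
    # A ':' after the last '/' is a tag; a ':' before it belongs to a registry port.
    if ref.rfind(":") > ref.rfind("/"):
        ref = ref[:ref.rfind(":")]
    return ref


def matching_servers(dockerconfigjson, image_ref):
    """Return the auths entries whose normalized server is a path prefix of the image repository (assumed rule)."""
    repo = image_repository(image_ref)
    matches = []
    for server in json.loads(dockerconfigjson)["auths"]:
        norm = normalize_server(server)
        if server_format(server) is None:
            continue  # entry does not fit any documented format; skip it
        if repo == norm or repo.startswith(norm + "/"):
            matches.append(server)
    return matches
```

With a real secret, feed the output of `kubectl -n castai-agent get secret [secret-name] -o jsonpath='{.data.\.dockerconfigjson}' | base64 -d` to `matching_servers` instead of the constructed sample.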
Amazon Elastic Container Registry (Amazon ECR)
Amazon ECR integrates with EKS Kubernetes clusters and provides secure access to images without the need to configure pull secrets.
First, enable the IAM OIDC provider for your EKS cluster:
eksctl utils associate-iam-oidc-provider \
--cluster <cluster_name> \
--approve
Next, create a service account:
kubectl create serviceaccount castai-kvisor-ecr -n castai-agent
Now attach an IAM policy that allows Kvisor image scan jobs read-only access to private images:
eksctl create iamserviceaccount \
--name castai-kvisor-ecr \
--namespace castai-agent \
--cluster <cluster_name> \
--attach-policy-arn arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly \
--approve \
--override-existing-serviceaccounts
Finally, tell Kvisor to use this service account for image scanning:
helm upgrade castai-kvisor castai-helm/castai-kvisor -n castai-agent \
--reuse-values --set controller.extraArgs.image-scan-service-account=castai-kvisor-ecr
Microsoft Azure Container Registry (ACR)
Microsoft ACR integrates with AKS Kubernetes clusters and provides secure access to images without the need to configure pull secrets.
First, enable the OIDC issuer and Workload Identity for your AKS cluster:
az aks update -g <resource_group> -n <cluster_name> --enable-oidc-issuer --enable-workload-identity
Create a Managed Identity and retrieve its client ID:
az identity create --name <identity_name> --resource-group <resource_group> --location <location> --subscription <subscription>
export IDENTITY_CLIENT_ID="$(az identity show --resource-group <resource_group> --name <identity_name> --query 'clientId' -o tsv)"
Assign ACR pull permissions to the newly created Managed Identity:
ACR_ID=$(az acr show --name <acr_name> --resource-group <resource_group> --query "id" --output tsv)
az role assignment create --assignee $IDENTITY_CLIENT_ID --role "AcrPull" --scope $ACR_ID
Create a Kubernetes service account linked to this identity:
cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: ServiceAccount
metadata:
  annotations:
    azure.workload.identity/client-id: "${IDENTITY_CLIENT_ID}"
  name: castai-kvisor-aks
  namespace: castai-agent
EOF
Retrieve the OIDC issuer URL and use it to create a federated identity credential between the managed identity, the service account issuer, and the subject:
export AKS_OIDC_ISSUER="$(az aks show -n <cluster_name> -g <resource_group> --query "oidcIssuerProfile.issuerUrl" -o tsv)"
az identity federated-credential create --name <federated_identity_name> \
--identity-name <identity_name> \
--resource-group <resource_group> \
--issuer "${AKS_OIDC_ISSUER}" \
--subject system:serviceaccount:castai-agent:castai-kvisor-aks \
--audience api://AzureADTokenExchange
Finally, tell Kvisor to use this service account for image scanning:
helm upgrade castai-kvisor castai-helm/castai-kvisor -n castai-agent \
--reuse-values --set controller.extraArgs.image-scan-service-account=castai-kvisor-aks