Image registry vulnerability scanning

Kubescape helm version > 1.7.14

Use the ARMO Platform "Add Registry" wizard under the Registry Scanning section

Kubescape helm version < 1.7.14 Follow the steps below

Kubescape Helm chart has the ability to shift left and scan your images at rest before they are even running in any cluster.

Prerequisites

Make sure you have a Kubescape account, if you don't have one sign-up at Kubescape Cloud Platform.
Kubescape operator namespace installed and up-to-date in your cluster (See Installation of Kubescape in cluster )
Kubectl permissions (to create ConfigMaps, Secrets, etc. in kubescape namespace)

Registry vulnerability scanning operation process

Kubescape is using your own cluster registry scanning to keep your registry credentials safe.
To enable registry scanning in your cluster, you need to set a secret named "kubescape-registry-scan" in the kubescape namespace like in the following example.

kind: Secret
apiVersion: v1
metadata:
  name: kubescape-registry-scan
  namespace: kubescape
type: Opaque
stringData:
  registriesAuth: |
    [
      {
        "registry": "quay.io/kubescape",        
        "auth_method": "public",
        "kind": "quay.io"
      }
    ]

👍
Have you set the secret?
Go to Kubescape Cloud Platform and run the scan from the UI.

Each entry in the secret should contain the following fields:

registry (registry name without the http/https prefix) mandatory
auth_method
- Possible values for auth_method:
  - public
  - ips (use the cloud provider IAM roles, see below)
  - accesstoken (default value)
    - accesstoken method requires specifying the "username" and "password" fields
username - mandatory for accesstoken auth_method
password - mandatory for accesstoken auth_method
http - true / false. Determines whether to access the registry insecurely with no HTTPS (default to false)
skipTLSVerify - true / false. Determines whether to allow unknown root CA of the registry's HTTPS certificate (default to false)
kind - optional for most of registries
- Possible values for kind:
  - empty string (default - fits most of the registries, refer to known limitations section below)
  - harbor mandatory
  - quay.io

kind: Secret
apiVersion: v1
metadata:
  name: kubescape-registry-scan
  namespace: kubescape
type: Opaque
stringData:
  registriesAuth: |
    [     
      {
        "registry": "gcr.io/yollo-pop-310110",
        "username": "oauth2accesstoken",
        "password": "lejRjNXd1YmhCVkJ2UQ0174",
        "auth_method": "accesstoken"
      },
      {
        "registry": "quay.io/kubescape",        
        "auth_method": "public"
      }
    ]

In addition, you may add a ConfigMap (optional) to tell the Kubescape which repositories to include/exclude from the scan (one cannot have both contain and exclude for the same registry) and how many tags to scan for each of the repositories.

If no ConfigMap is provided, or the ConfigMap doesn't include the desired field, the default values will apply.
By default, Kubescape will scan the last tag for each and every repository in the registry.

apiVersion: v1
kind: ConfigMap
metadata:
  name: kubescape-registry-scan
  namespace: kubescape
data:   
  registries: |-
    [
      {
        "registry": "quay.io/kubescape",
        "depth": 4
      }
    ]

apiVersion: v1
kind: ConfigMap
metadata:
  name: kubescape-registry-scan
  namespace: kubescape
data:   
  registries: |-
        [
        {
            "registry": "gcr.io/magnific-harry-356110",
            "depth": 1,
            "include": [
                "kubevuln"
            ]
        },
        {
            "registry": "gcr.io/nonmagnific-nonharry",
            "depth": 3,
            "exclude": [
                "kubevuln"
            ]
        }
    ]

Tested on

Kubescape registry scan tested on the following registries:

Harbor
Private GCR
ECR
Official docker registry image
Public quay.io registries
Private quay.io registries owned by the user who owned the username/password of the access token auth_method

Walkthrough: How to grant permissions for my ECR/GCR Image registry?

In the above example, we are using the regular docker registry username/password authorization method.

Kubescape supports "ips" authentication as well, enabling cloud provider native authentication.
In order to set cloud provider authentication use the following script examples:

🦉

Setup AWS IAM authorization of in-cluster installation of Kubescape in EKS

Open Recipe

🦉

Setup GCP IAM authorization for in-cluster installation of Kubescape in GKE

Open Recipe

Known limitations

Kubescape will scan up to 500 image tags for a single registry.
The depth is calculated by lexical order (last X tags. "latest" is always considered latest if exists).
Only registries that support /v2/_catalog and /v2/<name>/tags/list official APIs with regular docker credentials are supported unless explicitly mentioned in "kind" field in the secret.

Updated 7 months ago