Image registry vulnerability scanning

Kubescape Helm chart version above 1.7.14: use the ARMO Platform "Add Registry" wizard under the Registry Scanning section.

Kubescape Helm chart version below 1.7.14: follow the steps below.

The Kubescape Helm chart can shift left and scan your images at rest, before they are running in any cluster.

Prerequisites

Registry vulnerability scanning operation process

Kubescape runs the registry scan from inside your own cluster, so your registry credentials never leave it.
To enable registry scanning in your cluster, create a secret named "kubescape-registry-scan" in the kubescape namespace, as in the following example.

kind: Secret
apiVersion: v1
metadata:
  name: kubescape-registry-scan
  namespace: kubescape
type: Opaque
stringData:
  registriesAuth: |
    [
      {
        "registry": "quay.io/kubescape",        
        "auth_method": "public",
        "kind": "quay.io"
      }
    ]

Have you set the secret?

Go to the Kubescape Cloud Platform and run the scan from the UI.

Each entry in the secret should contain the following fields:

  • registry (registry name without the http/https prefix) - mandatory
  • auth_method - one of:
    • public
    • ips (use the cloud provider's IAM roles, see below)
    • accesstoken (default value); requires the "username" and "password" fields
  • username - mandatory for the accesstoken auth_method
  • password - mandatory for the accesstoken auth_method
  • http - true / false. Whether to access the registry insecurely over plain HTTP instead of HTTPS (default: false)
  • skipTLSVerify - true / false. Whether to accept a registry HTTPS certificate issued by an unknown root CA (default: false)
    • Both http and skipTLSVerify strip transport protection from the credentials in this secret; leave them false unless the registry genuinely cannot be reached otherwise.
  • kind - optional for most registries
    • Possible values for kind:
kind: Secret
apiVersion: v1
metadata:
  name: kubescape-registry-scan
  namespace: kubescape
type: Opaque
stringData:
  registriesAuth: |
    [
      {
        "registry": "gcr.io/yollo-pop-310110",
        "username": "oauth2accesstoken",
        "password": "lejRjNXd1YmhCVkJ2UQ0174",
        "auth_method": "accesstoken"
      },
      {
        "registry": "quay.io/kubescape",
        "auth_method": "public"
      }
    ]

In addition, you may add an optional ConfigMap that tells Kubescape which repositories to include in or exclude from the scan (an entry cannot have both "include" and "exclude" for the same registry) and how many tags to scan for each repository.

If no ConfigMap is provided, or the ConfigMap does not set a given field, the default values apply.
By default, Kubescape scans only the last tag (depth 1) of every repository in the registry.

apiVersion: v1
kind: ConfigMap
metadata:
  name: kubescape-registry-scan
  namespace: kubescape
data:
  registries: |-
    [
      {
        "registry": "quay.io/kubescape",
        "depth": 4
      }
    ]
apiVersion: v1
kind: ConfigMap
metadata:
  name: kubescape-registry-scan
  namespace: kubescape
data:
  registries: |-
    [
      {
        "registry": "gcr.io/magnific-harry-356110",
        "depth": 1,
        "include": [
          "kubevuln"
        ]
      },
      {
        "registry": "gcr.io/nonmagnific-nonharry",
        "depth": 3,
        "exclude": [
          "kubevuln"
        ]
      }
    ]
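The Secret and ConfigMap above are hand-written JSON inside YAML, and a typo (an https:// prefix, a missing password, include and exclude on the same registry) only surfaces when the scan fails. The following added example is not part of the Kubescape project; it is a small Python generator that applies the field rules listed above, reads the GCR token from an environment variable (the GCR_PROJECT and GCR_ACCESS_TOKEN names are this example's own assumption) so the credential is never written into a manifest file, and emits both manifests ready to pipe into kubectl apply. The registry names in the demo block are constructed.

```python
"""Build the kubescape-registry-scan Secret and ConfigMap from one registry
list, checking the field rules described above before anything is applied."""
import json
import os

VALID_AUTH_METHODS = {"public", "ips", "accesstoken"}


def auth_entry(entry):
    """Validate one registriesAuth entry and return it in normalized form."""
    reg = entry.get("registry", "")
    if not reg or reg.startswith(("http://", "https://")):
        raise ValueError(f"registry must be set without http/https prefix: {reg!r}")
    method = entry.get("auth_method", "accesstoken")  # documented default
    if method not in VALID_AUTH_METHODS:
        raise ValueError(f"{reg}: unknown auth_method {method!r}")
    out = {"registry": reg, "auth_method": method}
    if method == "accesstoken":
        for field in ("username", "password"):
            if not entry.get(field):
                raise ValueError(f"{reg}: {field} is mandatory for accesstoken")
            out[field] = entry[field]
    for flag in ("http", "skipTLSVerify"):  # both default to false
        if flag in entry:
            if not isinstance(entry[flag], bool):
                raise ValueError(f"{reg}: {flag} must be true or false")
            out[flag] = entry[flag]
    if "kind" in entry:
        out["kind"] = entry["kind"]
    return out


def scan_entry(entry):
    """Validate one ConfigMap registries entry (depth, include/exclude)."""
    reg = entry.get("registry", "")
    if not reg:
        raise ValueError("registry is mandatory")
    if "include" in entry and "exclude" in entry:
        raise ValueError(f"{reg}: include and exclude cannot both be set")
    depth = entry.get("depth", 1)  # default: only the last tag
    if not isinstance(depth, int) or depth < 1:
        raise ValueError(f"{reg}: depth must be a positive integer")
    out = {"registry": reg, "depth": depth}
    for key in ("include", "exclude"):
        if key in entry:
            if not all(isinstance(r, str) for r in entry[key]):
                raise ValueError(f"{reg}: {key} must be a list of repository names")
            out[key] = list(entry[key])
    return out


def lint(auth_entries, scan_entries):
    """Collect every validation error instead of stopping at the first one."""
    errors = []
    for check, entries in ((auth_entry, auth_entries), (scan_entry, scan_entries)):
        for e in entries:
            try:
                check(e)
            except ValueError as exc:
                errors.append(str(exc))
    return errors


def _block(obj, indent=4):
    """Indent a JSON document so it sits under a YAML block scalar (| or |-)."""
    return "\n".join(" " * indent + line for line in json.dumps(obj, indent=2).splitlines())


HEADER = "apiVersion: v1\nmetadata:\n  name: kubescape-registry-scan\n  namespace: kubescape\n"


def build_secret(auth_entries):
    body = _block([auth_entry(e) for e in auth_entries])
    return "kind: Secret\n" + HEADER + "type: Opaque\nstringData:\n  registriesAuth: |\n" + body + "\n"


def build_configmap(scan_entries):
    body = _block([scan_entry(e) for e in scan_entries])
    return "kind: ConfigMap\n" + HEADER + "data:\n  registries: |-\n" + body + "\n"


if __name__ == "__main__":
    # Constructed example. The project id and the token come from the environment
    # (e.g. GCR_ACCESS_TOKEN=$(gcloud auth print-access-token)) so no credential
    # is ever written into a manifest file; the variable names are assumptions.
    project = os.environ.get("GCR_PROJECT", "my-project")
    token = os.environ.get("GCR_ACCESS_TOKEN", "")
    auth = [
        {"registry": f"gcr.io/{project}", "username": "oauth2accesstoken", "password": token},
        {"registry": "quay.io/kubescape", "auth_method": "public"},
    ]
    scan = [{"registry": f"gcr.io/{project}", "depth": 2, "include": ["kubevuln"]},
            {"registry": "quay.io/kubescape", "depth": 4}]
    problems = lint(auth, scan)
    if problems:
        raise SystemExit("\n".join(problems))
    # Pipe the output into: kubectl apply -n kubescape -f -
    print(build_secret(auth) + "---\n" + build_configmap(scan))
```

Running it without GCR_ACCESS_TOKEN exported stops with "password is mandatory for accesstoken" before any manifest is produced, which is the intended failure mode: the lint runs on the same data that is rendered, so nothing half-valid reaches the cluster.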

Tested on

Kubescape registry scanning has been tested on the following registries:

Walkthrough: How to grant permissions for my ECR/GCR Image registry?

The examples above use the regular Docker registry username/password authorization method.

Kubescape also supports "ips" authentication, which uses the cloud provider's native identity (IAM roles) instead of credentials stored in the secret.
To set up cloud provider authentication, use the following script examples:

Known limitations

  • Kubescape scans at most 500 image tags per registry.
  • Depth is computed in lexical (string) order: the last X tags are scanned, and "latest", if it exists, always counts as the newest. Note that lexical order is not version order ("v1.10.0" sorts before "v1.9.0"), so a small depth can skip the most recently released tag.
  • Only registries that support the official /v2/_catalog and /v2/<name>/tags/list APIs with regular Docker credentials are supported, unless the registry is explicitly named in the "kind" field of the secret.
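To see how the depth and 500-tag limitations interact with real tag names, here is an added example that models the two documented rules in Python; it is an illustration written for this page, not Kubescape's own selection code, and the tag lists it uses are constructed. select_tags follows the lexical rule as documented, newest_by_version shows what a reader of semantic version numbers would expect instead, and plan_registry applies the per-registry cap.

```python
"""Model the tag-selection rules listed under Known limitations so the chosen
`depth` can be sanity-checked against a repository's tags before scanning."""
import re

REGISTRY_TAG_LIMIT = 500  # documented cap on tags scanned per registry


def select_tags(tags, depth):
    """Tags scanned for one repository under the documented rule: 'latest' if
    it exists, then the last `depth` tags in plain lexical (string) order."""
    if depth < 1:
        raise ValueError("depth must be at least 1")
    has_latest = "latest" in tags
    others = sorted(t for t in tags if t != "latest")
    n = depth - (1 if has_latest else 0)
    picked = others[-n:] if n > 0 else []
    # newest first: 'latest', then the lexically greatest tags
    return (["latest"] if has_latest else []) + picked[::-1]


def version_key(tag):
    """Numeric-aware sort key, e.g. 'v1.10.0' -> (1, 10, 0), so that v1.10
    sorts after v1.9 the way a human reads version numbers."""
    return tuple(int(x) for x in re.findall(r"\d+", tag))


def newest_by_version(tags, depth):
    """What a reader of version numbers would expect `depth` to pick."""
    has_latest = "latest" in tags
    others = sorted((t for t in tags if t != "latest"), key=version_key, reverse=True)
    n = depth - (1 if has_latest else 0)
    return (["latest"] if has_latest else []) + others[:max(n, 0)]


def skipped_recent_tags(tags, depth):
    """Version-recent tags that the lexical rule leaves out at this depth."""
    return set(newest_by_version(tags, depth)) - set(select_tags(tags, depth))


def plan_registry(repo_tags, depth, limit=REGISTRY_TAG_LIMIT):
    """Apply select_tags to every repository and stop once `limit` tags are
    reached, mirroring the per-registry cap. Returns {repo: [tags]}."""
    plan, total = {}, 0
    for repo in sorted(repo_tags):
        room = limit - total
        if room <= 0:
            break
        plan[repo] = select_tags(repo_tags[repo], depth)[:room]
        total += len(plan[repo])
    return plan


if __name__ == "__main__":
    # constructed tag list for a hypothetical repository
    tags = ["v1.9.0", "v1.10.0", "v1.11.0", "latest"]
    print("lexical (documented rule):", select_tags(tags, 2))
    print("by version number:        ", newest_by_version(tags, 2))
    print("skipped at depth 2:       ", skipped_recent_tags(tags, 2))
```

With the constructed tags and depth 2, the lexical rule scans "latest" and "v1.9.0" while "v1.11.0" is skipped; raising depth, zero-padding version tags, or pinning the repositories of interest with an "include" list are the ways around this.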