Skip to content
This repository has been archived by the owner on Oct 14, 2024. It is now read-only.

Scanning Limitation with private registries #661

Open
jseiser opened this issue Feb 2, 2024 · 3 comments
Open

Scanning Limitation with private registries #661

jseiser opened this issue Feb 2, 2024 · 3 comments

Comments

@jseiser
Copy link

jseiser commented Feb 2, 2024

Is your feature request related to a problem? Please describe.

We are trying to run kubeclarity in a very locked down network environment. All of our image pulls except ones coming from AWS Private registries are force to run through a harbor image proxy, that requires authentication. This image rewrite, and the attaching of the imagePullSecret is done automatically by kyverno for all namespaces except kube-system and kyverno. This means whether I run the scan in the kubeclarity namespace, a custom namespace or let the scan happen in the namespace of the pod it wants to scan, there ends up being situations where kubeclarity does not use the required imagepullsecret

Describe the solution you'd like
It would be preferable to tell kubeclarity to scan in either kubeclarity namespace, or a custom namespace, and to require all images to use an imagepullsecret that would already exist in that namespace

Describe alternatives you've considered
We currently do not scan images in kube-system, or in kyverno's namespaces.

Additional context
This is an EKS environment, in a special part of AWS Govcloud, with no outbound internet access except for AWS endpoints, and a few whitelisted proxies like harbor.
@uselessidbr
Copy link

uselessidbr commented Feb 5, 2024
edited
Loading

Well, here is a workaround. Definetly not the most elegant way but it does the trick.

Just get a docker config, like this:

{
        "auths": {
                "default-route-openshift-image-registry.apps.xyz.com": {
                        "auth": "ZZZzZZZZZZZZzzzzZZzzzzzzzzzzzzZZZZZZZZZZZZZZZZZZzzzzzzzzzzzzzzzzzzzz"
                },
                "docker-registry-default.xyz.com": {
                        "auth": "ZZZzZZZZZZZZzzzzZZzzzzzzzzzzzzZZZZZZZZZZZZZZZZZZzzzzzzzzzzzzzzzzzzzzZZZzZZZZZZZZzzzzZZzzzzzzzzzzzzZZZZZZZZZZZZZZZZZZzzzzzzzzzzzzzzzzzzzz" 

                },
                "https://index.docker.io/v1/": {
                        "auth": "ZZZzZZZZZZZZzzzzZZzzzzzzzzzzzzZZZZZZZZZZZZZZZZZZzzzzzzzzzzzzzzzzzzzz"
                }
        },
        "HttpHeaders": {
                "User-Agent": "Docker-Client/19.03.5 (linux)"
        }
}

And encode it with base64:

cat docker_cfg.txt | base64 -w0 ewoJImF1dGhzIjogewoJCSJkZWZhdWx0LXJvdXRlLW9wZW5zaGlmdC1pbWFnZS1yZWdpc3RyeS5hcHBzLnh5ei5jb20iOiB7CgkJCSJhdXRoIjogIlpaWnpaWlpaWlpaWnp6enpaWnp6enp6enp6enp6elpaWlpaWlpaWlpaWlpaWlpaWnp6enp6enp6enp6enp6enp6enp6IgoJCX0sCgkJImRvY2tlci1yZWdpc3RyeS1kZWZhdWx0Lnh5ei5jb20iOiB7CgkJCSJhdXRoIjogIlpaWnpaWlpaWlpaWnp6enpaWnp6enp6enp6enp6elpaWlpaWlpaWlpaWlpaWlpaWnp6enp6enp6enp6enp6enp6enp6WlpaelpaWlpaWlpaenp6elpaenp6enp6enp6enp6WlpaWlpaWlpaWlpaWlpaWlpaenp6enp6enp6enp6enp6enp6enoiIAoKCQl9LAoJCSJodHRwczovL2luZGV4LmRvY2tlci5pby92MS8iOiB7CgkJCSJhdXRoIjogIlpaWnpaWlpaWlpaWnp6enpaWnp6enp6enp6enp6elpaWlpaWlpaWlpaWlpaWlpaWnp6enp6enp6enp6enp6enp6enp6IgoJCX0KCX0sCgkiSHR0cEhlYWRlcnMiOiB7CgkJIlVzZXItQWdlbnQiOiAiRG9ja2VyLUNsaWVudC8xOS4wMy41IChsaW51eCkiCgl9Cn0K

After this, include this in the ConfigMap “kubeclarity-kubeclarity-scanner-template” within “containers: - name:
vulnerability-scanner”:

lifecycle: postStart: exec: command: - /bin/sh - -c - export IMAGE_PULL_SECRET_PATH=/tmp/docker/;mkdir /tmp/docker/;touch /tmp/docker/docker.cfg;echo <base64 encoded docker config file> | base64 -d > /tmp/docker/docker.cfg

It should look like this:

containers: - name: vulnerability-scanner image: ghcr.io/openclarity/kubeclarity-runtime-k8s-scanner:v2.23.1 imagePullPolicy: Always volumeMounts: - mountPath: /tmp name: tmp-volume args: - scan - --log-level - warning lifecycle: postStart: exec: command: - /bin/sh - -c - export IMAGE_PULL_SECRET_PATH=/tmp/docker/;mkdir /tmp/docker/;touch /tmp/docker/docker.cfg;echo <base64 encoded docker config file> | base64 -d > /tmp/docker/docker.cfg

@github-actions GitHub Actions
Copy link

github-actions bot commented Apr 7, 2024

Thank you for your contribution! This issue has been automatically marked as stale because it has no recent activity in the last 60 days. It will be closed in 14 days, if no further activity occurs. If this issue is still relevant, please leave a comment to let us know, and the stale label will be automatically removed.

@ramizpolic ramizpolic transferred this issue from openclarity/openclarity Aug 8, 2024
@ramizpolic ramizpolic transferred this issue from another repository Aug 10, 2024
@brtj
Copy link

brtj commented Aug 26, 2024

@uselessidbr do you have any idea how to achieve that if Im installing app via Helm chart? I dont know how to authenticate to ACR (Azure). I have dockerregistry secret on namespace but still Kubeclarity cant pull from private repo

@ramizpolic ramizpolic removed this from OpenClarity Aug 30, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@jseiser @brtj @uselessidbr