Scanning Limitation with private registries #618

Open
jseiser opened this issue Feb 2, 2024 · 2 comments

jseiser commented Feb 2, 2024

Is your feature request related to a problem? Please describe.

We are trying to run kubeclarity in a very locked down network environment. All of our image pulls except ones coming from AWS Private registries are forced to run through a harbor image proxy that requires authentication. This image rewrite, and the attaching of the imagePullSecret, is done automatically by kyverno for all namespaces except kube-system and kyverno. This means whether I run the scan in the kubeclarity namespace, a custom namespace or let the scan happen in the namespace of the pod it wants to scan, there ends up being situations where kubeclarity does not use the required imagepullsecret.

Describe the solution you'd like
It would be preferable to tell kubeclarity to scan in either the kubeclarity namespace or a custom namespace, and to require all images to use an imagepullsecret that would already exist in that namespace.

Describe alternatives you've considered
We currently do not scan images in kube-system, or in kyverno's namespaces.

Additional context
This is an EKS environment, in a special part of AWS Govcloud, with no outbound internet access except for AWS endpoints, and a few whitelisted proxies like harbor.


uselessidbr commented Feb 5, 2024

Well, here is a workaround. Definitely not the most elegant way but it does the trick.

Just get a docker config, like this:

{
        "auths": {
                "default-route-openshift-image-registry.apps.xyz.com": {
                        "auth": "ZZZzZZZZZZZZzzzzZZzzzzzzzzzzzzZZZZZZZZZZZZZZZZZZzzzzzzzzzzzzzzzzzzzz"
                },
                "docker-registry-default.xyz.com": {
                        "auth": "ZZZzZZZZZZZZzzzzZZzzzzzzzzzzzzZZZZZZZZZZZZZZZZZZzzzzzzzzzzzzzzzzzzzzZZZzZZZZZZZZzzzzZZzzzzzzzzzzzzZZZZZZZZZZZZZZZZZZzzzzzzzzzzzzzzzzzzzz"
                },
                "https://index.docker.io/v1/": {
                        "auth": "ZZZzZZZZZZZZzzzzZZzzzzzzzzzzzzZZZZZZZZZZZZZZZZZZzzzzzzzzzzzzzzzzzzzz"
                }
        },
        "HttpHeaders": {
                "User-Agent": "Docker-Client/19.03.5 (linux)"
        }
}

And encode it with base64:

cat docker_cfg.txt | base64 -w0

After this, include this in the ConfigMap “kubeclarity-kubeclarity-scanner-template” within “containers: - name: vulnerability-scanner”:

lifecycle:
  postStart:
    exec:
      command:
        - /bin/sh
        - -c
        - export IMAGE_PULL_SECRET_PATH=/tmp/docker/;mkdir /tmp/docker/;touch /tmp/docker/docker.cfg;echo <base64 encoded docker config file> | base64 -d > /tmp/docker/docker.cfg

It should look like this:

containers:
  - name: vulnerability-scanner
    image: ghcr.io/openclarity/kubeclarity-runtime-k8s-scanner:v2.23.1
    imagePullPolicy: Always
    volumeMounts:
      - mountPath: /tmp
        name: tmp-volume
    args:
      - scan
      - --log-level
      - warning
    lifecycle:
      postStart:
        exec:
          command:
            - /bin/sh
            - -c
            - export IMAGE_PULL_SECRET_PATH=/tmp/docker/;mkdir /tmp/docker/;touch /tmp/docker/docker.cfg;echo <base64 encoded docker config file> | base64 -d > /tmp/docker/docker.cfg
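The workaround above only helps for images whose registry has an entry under "auths" in the embedded docker config; a scan of an image from any other registry still runs without credentials. The following added helper (example code, not part of kubeclarity or of the comment above) checks a docker config against a list of image references, resolving registries the way Docker does (a bare "nginx:1.25" lives on docker.io, whose config key is "https://index.docker.io/v1/"), and renders the same postStart command with the config base64-embedded. The config and image names are constructed placeholders.

```python
import base64
import json

# Constructed sample docker config in the same shape as the one in the comment
# above; the auth values are made-up placeholders, not real credentials.
SAMPLE_DOCKER_CONFIG = json.dumps({
    "auths": {
        "harbor.example.internal": {"auth": base64.b64encode(b"scanner:example-token").decode()},
        "https://index.docker.io/v1/": {"auth": base64.b64encode(b"user:example-token").decode()},
    }
})


def registry_of(image):
    """Registry host of an image reference, following Docker's parsing rule: the
    first path component is a registry only if it contains '.' or ':' or is
    'localhost'; otherwise the image is on Docker Hub (docker.io)."""
    first = image.split("/", 1)[0]
    if "/" not in image or not ("." in first or ":" in first or first == "localhost"):
        return "docker.io"
    return first


def auth_hosts(docker_config_json):
    """Registry hosts that have an 'auths' entry, normalised to bare hostnames
    (the legacy 'https://index.docker.io/v1/' key maps to docker.io)."""
    hosts = set()
    for key in json.loads(docker_config_json).get("auths", {}):
        host = key.removeprefix("https://").removeprefix("http://").rstrip("/")
        if host.startswith("index.docker.io"):
            host = "docker.io"
        hosts.add(host)
    return hosts


def uncovered_images(docker_config_json, images):
    """Images whose registry has no credential in the config: with the workaround
    above these are the scans that would still run without a pull secret."""
    covered = auth_hosts(docker_config_json)
    return [img for img in images if registry_of(img) not in covered]


def encoded_config(docker_config_json):
    """The base64 string that the comment's 'base64 -w0' step produces."""
    return base64.b64encode(docker_config_json.encode()).decode()


def poststart_command(docker_config_json, directory="/tmp/docker/"):
    """Render the postStart shell command from the comment with the config embedded."""
    return (f"export IMAGE_PULL_SECRET_PATH={directory};mkdir -p {directory};"
            f"echo {encoded_config(docker_config_json)} | base64 -d > {directory}docker.cfg")
```

Note that with this workaround the registry credential lives in a ConfigMap rather than a Secret, so anyone who can read the ConfigMap can read it.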

github-actions bot commented Apr 7, 2024

Thank you for your contribution! This issue has been automatically marked as stale because it has no recent activity in the last 60 days. It will be closed in 14 days, if no further activity occurs. If this issue is still relevant, please leave a comment to let us know, and the stale label will be automatically removed.

@github-actions github-actions bot added the stale label Apr 7, 2024