Chart: Registry Scanner
Overview
Sysdig Registry Scanner scans your images registry on a Kubernetes cluster . This chart deploys the Sysdig Registry Scanner as a scheduled Cronjob in your Kubernetes cluster and allows you to integrate Sysdig Secure with different image registries.
Registry scanning provides an extra layer of defense between pipeline and runtime by checking:
- Newly discovered vulnerabilities in the software before being deployed.
- Third-party software that might have been installed without going through pipeline scanning.
Follow the instructions in Install Registry Scanner to deploy the Helm chart. They include specific use cases for:
- JFrog Artifactory
- AWS ECR
- Harbor
- Quay IO
- IBM ICR
- Azure ACR
- Google GAR
- Google GCR
- OpenShift Internal Registry
Once installed, you can view the scan results in the Vulnerabilities UI of Sysdig Secure.
Prerequisites
- Helm 3.6
- Kubernetes v1.16+
- Unique name to identify your Kubernetes cluster
- Sysdig Secure API Token
Configuration Parameters
The following table lists the configurable parameters of the Sysdig Registry Scanner chart and their default values:
| Parameter | Description | Default |
|---|---|---|
| cronjob.schedule | The cronjob expression for registry scan scheduling. See https://crontab.guru/ for help. | "0 6 * * 6" |
| cronjob.failedJobsHistoryLimit | The number of failed job history to keep on the cluster. | 5 |
| cronjob.successfulJobsHistoryLimit | The number of successful job history to keep on the cluster. | 2 |
| cronjob.restartPolicy | The restart policy for a failed registry scan execution. | Never |
| cronjob.timeZone | Timezone settings for the cronjob. Value default will be null to guarantee we only set the timezone if the user provides it. | "" |
| reportToPersistentVolumeClaim | Specify a volume claim to write the final JSON report there instead of standard output. | "" |
| config.logging | The log level. Use one of the following: trace, debug, info, error. | "info" |
| config.registryURL | The URL of the registry to scan. | "" |
| config.registryApiUrl | The API URL of the registry to scan. This is required if your registry type is Artifactory. | "" |
| config.registryUser | The username for registry authentication. | "" |
| config.registryPassword | The password for registry authentication. | "" |
| config.registryType | Mandatory. The registry Type. Supported types: artifactory, ecr, icr, acr, quay, harbor, gar, gcr, nexus, ocp and dockerv2. |
"" |
| config.registryAccountId | The account ID. Applicable only for ICR registry type. | "" |
| config.icrIamApi | The ICR IAM API. Applicable only for ICR registry type. | "" |
| config.icrIamApiSkipTLS | Ignore TLS certificate for IAM API. Applicable only for ICR registry type. | false |
| config.aws.accessKeyId | The AWS credentials: AccessKeyId. |
"" |
| config.aws.secretAccessKey | The AWS credentials: SecretAccessKey. |
"" |
| config.aws.region | For single account. It is the region where the registry is located. | "us-east-1" |
| config.aws.managementAccountRoleARN | The management role ARN to be used to impersonate the member accounts. | |
| config.aws.memberAccountsRoleName | The member account role name (available in all member accounts) to dig into their registries. | "OrganizationAccountAccessRole" |
| config.aws.allowListMemberAccountIDs | The organization account IDs in which the registry scan is performed. If not configured, the scan will be performed in all the member accounts of the organization. | [] |
| config.aws.allowListRegions | For organizational accounts. It is the AWS regions where the registries are located. If not configured, the scan will be performed in all available regions. | [] |
| config.registrySkipTLS | Ignore registry TLS certificate errors (self-signed, etc.). | false |
| config.registryMaxRetries | Max number of retries to call the registtry APIs in case of failure or 409. | 10 |
| config.registryMaxRetryWait | Max wait time between retries. | 10m |
| config.registryMinRetryWait | Min wait time between retries. | 5s |
| config.secureBaseURL | required The Sysdig Secure Base URL. |
https://secure.sysdig.com |
| config.secureAPIToken | required The API Token to access Sysdig Secure. |
"" |
| config.secureOnPrem | Specify that Sysdig Secure installation is on-prem. | false |
| config.secureSkipTLS | Ignore Sysdig Secure TLS certificate errors. | false |
| config.maxWorkers | The maximum number of parallel job scan workers to spawn. | 5 |
| config.filter.include | The list of regular expressions. Images matching any of these expressions are always included when scanning. |
[] |
| config.filter.exclude | The list of regular expressions. Images matching any of these expressions are excluded when scanning. |
[] |
| config.filter.maxAgeDays | Based on its creation date, excludes images older than the specified number of days. The maximum is 365 days. |
90 |
| config.filter.maxTagsPerRepository | Based on its creation date, newer ones take precedence, the maximum number of tags to scan per repository. The maximum is 50. |
5 |
| config.filter.maxRepositoriesPerRegistry | The number of repositories to scan per registry. The maximum is 10000. |
500 |
| config.scan.inlineScanImage | Override the default image for the inline scanner job. | "" |
| config.scan.securityContext | The security context for the Inline Scanner container. | {} |
| config.scan.orchestrator.ttlSecondsAfterFinished | The Time to Live (ttl) value for the orchestrator job. Provide an empty value to accept the default. | 3600 |
| config.scan.jobs.ttlSecondsAfterFinished | The ttl value for scanner worker jobs. | 600 |
| config.scan.jobs.resources.requests.memory | The memory request for the scanner job. | 500Mi |
| config.scan.jobs.resources.requests.cpu | The CPU request for the scanner job. | 500m |
| config.scan.jobs.resources.limits.memory | The memory limit for the scanner job. | 2Gi |
| config.scan.jobs.temporaryVolumeSizeLimit | The size limit for the emptyDir volume used by the scanner job. This volume is used to store both the vulnerability database and the image to scan. |
2Gi |
| config.scan.jobs.nodeSelector | NodeSelector for child jobs. If only .Values.nodeSelector is specified, child jobs will inherit the same nodeSelector as the main pod | {} |
| config.scan.disablePlatformScanning | Force the scan to happen on the client component rather than relying on backend scanning | false |
| config.parallelGoRoutines | Number of goroutines running in parallel in metadata phase for ECR Org setup. | 100 |
| ssl.ca.certs | For outbound connections. List of PEM-encoded x509 certificate authority. |
[] |
| customLabels | The additional labels to add to CronJob and Scanning Jobs. The custom labels to be added to kubernetes manifests of all the resources created. | {} |
| proxy.httpProxy | The URL of the proxy for HTTP connections. Leave it empty if not using proxy, which sets the http_proxy environment variable. |
|
| proxy.httpsProxy | The URL of the proxy for HTTPS connections. Leave it empty if not using proxy, which sets the https_proxy environment variable. |
|
| proxy.noProxy | The comma-separated list of domain extensions proxy should not be used for. Include the internal IP of the Kube API server in noProxy configuration. You probably need to add your registry if it is inside the cluster. | |
| image.registry | The Sysdig Registry Scanner image registry. | quay.io |
| image.repository | The Sysdig Registry Scanner image repository. | sysdig/registry-scanner |
| image.tag | The Registry Scanner image tag. If empty, default to appVersion in Chart.yaml. |
|
| image.pullPolicy | The PullPolicy for Registry Scanner image. | Always |
| serviceAccount.create | Specifies whether a service account should be created. | true |
| serviceAccount.annotations | The additional annotations to add to the service account. | {} |
| serviceAccount.name | The name of the service account to use. If the value is not set and create is set to true, a name is generated using the fullname template. |
"" |
| imagePullSecrets | The image pull secrets. | [] |
| nameOverride | The chart name override | "" |
| fullnameOverride | The chart fullname override | "" |
| existingSecretName | Specify the name of a Kubernetes secret containing ‘secureAPIToken’, ‘registryUser’, and ‘registryPassword’ entries. If you are using ecr as registryType, ensure that you add ‘accessKeyId’, ‘secretAccessKey’, and ‘region’ entries. |
"" |
| podAnnotations | Pod annotations for the Registry scanner. | {} |
| securityContext | Security context for Registry Scanner container. | {} |
| resources | Resource limits for the main registry scanner orchestrator. For scanner job resources, use config.scan.jobs.resources. |
{} |
| scanOnStart.enabled | Specify whether to start the post-install scanner job, in addition to the cronjob. Beware that concurrencyPolicy does not work on jobs (only cronjobs). Always check for active scanning and if so, remove it. |
false |
| scanOnStart.jobName | The name of the job created for the post-install scanner job | "registry-scanner-start-test" |
| scanOnStart.asPostInstallHook | Specify whether to launch the job as a post-install helm hook. Used for testing purpose. |
false |
| extraEnvVars | The additional environment variables to be set. | [] |
| memProfileToPersistentVolumeClaim | Write memory profile dumps to Persistent Volume Claim (provide PVC name) | "" |
On-Prem Deployment
If you are using a Sysdig on-prem version greater than 6.2, you need to configure legacy VM engine while setting up registry scanner.
Use the following command to deploy:
helm upgrade --install registry-scanner \
--namespace sysdig-agent \
--create-namespace \
--version=1.5.1 \
--set config.secureBaseURL=<SYSDIG_SECURE_URL> \
--set config.secureAPIToken=<SYSDIG_SECURE_API_TOKEN> \
--set config.secureSkipTLS=true \
--set config.registryURL=<REGISTRY_URL> \
--set config.registryUser=admin \
--set config.registryPassword=<REGISTRY_PASSWORD> \
sysdig/registry-scanner
Use config.secureSkipTLS=true if you are using self-signed certificates.