Registry Scanner

Sysdig Registry Scanner scans your image registry from a Kubernetes cluster.
This chart deploys the Sysdig Registry Scanner as a scheduled CronJob in your Kubernetes cluster.

Introduction

This chart deploys the Sysdig Registry Scanner on a Kubernetes cluster using the Helm package manager.

Prerequisites

Installing the Chart

Add Sysdig Helm charts repository:

$ helm repo add sysdig https://charts.sysdig.com

Deploy the registry scanner, specifying each parameter with the --set key=value[,key=value] argument to helm install. For example:

$ helm upgrade --install registry-scanner \
    --set config.secureBaseURL=<SYSDIG_SECURE_URL> \
    --set config.secureAPIToken=<SYSDIG_SECURE_API_TOKEN> \
    --set config.registryURL=<REGISTRY_URL> \
    --set config.registryUser=admin \
    --set config.registryPassword=<REGISTRY_PASSWORD> \
    sysdig/registry-scanner

Alternatively, a YAML file that specifies the parameter values can be provided when installing the chart. For example:

$ helm install registry-scanner -f values.yaml sysdig/registry-scanner

By default the created CronJob runs at the default schedule, 6:00 am. For testing purposes you can launch a manual job:

$ kubectl create job --from=cronjob/registry-scanner registry-scanner-manual

Uninstalling the Chart

To uninstall/delete the release:

$ helm uninstall registry-scanner

The command removes all the Kubernetes components associated with the chart and deletes the release.

Configuration

The following table lists the configurable parameters of the Sysdig Registry Scanner chart and their default values:

| Parameter | Description | Default |
| --- | --- | --- |
| cronjob.schedule | Cron expression for registry scan scheduling (see https://crontab.guru/ for help). | "0 6 * * 6" |
| cronjob.failedJobsHistoryLimit | Number of failed jobs to keep in the cluster history. | 5 |
| cronjob.successfulJobsHistoryLimit | Number of successful jobs to keep in the cluster history. | 2 |
| cronjob.restartPolicy | Restart policy for a failed registry-scan execution. | Never |
| reportToPersistentVolumeClaim | Volume claim to write the final JSON report to, instead of standard output. | "" |
| config.registryURL | (required) URL of the registry to scan. | https://my-docker-registry.com |
| config.registryApiUrl | API URL of the registry to scan. Required if your registry type is Artifactory. | https://my-docker-registry.com/artifactory/api/docker/ |
| config.registryUser | Username for registry authentication. | "" |
| config.registryPassword | Password for registry authentication. | "" |
| config.registryType | Registry type. Optional: dockerv2 (default if not specified), icr, artifactory, ecr. | "" |
| config.registryAccountId | Account ID. Only for the icr registry type. | "" |
| config.icrIamApi | ICR IAM API. Only for the icr registry type. | "" |
| config.icrIamApiSkipTLS | Ignore TLS certificate errors for the IAM API. Only for the icr registry type. | false |
| config.aws.accessKeyId | AWS credentials: AccessKeyID. | "" |
| config.aws.secretAccessKey | AWS credentials: SecretAccessKey. | "" |
| config.aws.region | AWS region. | "" |
| config.registrySkipTLS | Ignore registry TLS certificate errors (self-signed, etc.). | false |
| config.secureBaseURL | (required) Sysdig Secure base URL. | https://secure.sysdig.com |
| config.secureAPIToken | (required) API token to access Sysdig Secure. | "" |
| config.secureOnPrem | Sysdig Secure is an on-prem installation (vs. SaaS). | false |
| config.secureSkipTLS | Ignore Sysdig Secure TLS certificate errors. | false |
| config.maxWorkers | Maximum number of parallel inline scanner workers to spawn in the cluster. | 1 |
| config.filter.include | List of regular expressions. Images matching any of them are always included when scanning. | [] |
| config.filter.exclude | List of regular expressions. Images matching any of them are excluded when scanning. | [] |
| config.filter.maxAgeDays | Exclude images whose creation date is older than the specified number of days. | |
| config.filter.maxTagsPerRepository | Scan at most this many tags per repository, excluding older images by creation date. | |
| config.scan.inlineScanImage | Override the default quay.io/sysdig/secure-inline-scan:2 image for the inline scanner job. | "" |
| config.scan.securityContext | Security context for the inline scanner container. | {} |
| config.scan.newVmScanner | true/false: whether to activate the beta image scanning (experimental and unsupported). | false |
| ssl.ca.certs | List of PEM-encoded x509 certificate authorities for outbound connections. | {} |
| customLabels | Custom labels added to the Kubernetes manifests of all resources created (CronJob and scanning Jobs). | {} |
| proxy.httpProxy | URL of the proxy for HTTP connections, or empty if not using a proxy (sets the http_proxy environment variable). | |
| proxy.httpsProxy | URL of the proxy for HTTPS connections, or empty if not using a proxy (sets the https_proxy environment variable). | |
| proxy.noProxy | Comma-separated list of domains the proxy should not be used for. Include the internal IP of the kube-apiserver, and add your registry too if it is inside the cluster. | |
| image.registry | Sysdig Registry Scanner image registry. | quay.io |
| image.repository | Sysdig Registry Scanner image repository. | sysdig/registry-scanner |
| image.tag | Registry Scanner image tag. If empty, defaults to appVersion in Chart.yaml. | |
| image.pullPolicy | Pull policy for the Registry Scanner image. | Always |
| serviceAccount.create | Whether a service account should be created. | true |
| serviceAccount.annotations | Extra annotations to add to the service account. | {} |
| serviceAccount.name | Name of the service account to use. If not set and create is true, a name is generated using the fullname template. | "" |
| imagePullSecrets | The image pull secrets. | [] |
| nameOverride | Chart name override. | "" |
| fullnameOverride | Chart fullname override. | "" |
| existingSecretName | Name of an existing Kubernetes secret containing 'secureAPIToken', 'registryUser' and 'registryPassword' entries; if you are using ecr as registryType, also add 'accessKeyId', 'secretAccessKey' and 'region' entries. | "" |
| podAnnotations | Registry scanner pod annotations. | {} |
| podSecurityContext | Security context for the Registry Scanner pod. | {} |
| securityContext | Security context for the Registry Scanner container. | {} |
| resources | Resource limits for the registry scanner container. | {} |
| nodeSelector | nodeSelector for scheduling the registry scanner pod. | {} |
| tolerations | Tolerations for scheduling the registry scanner pod. | [] |
| affinity | Affinity for scheduling the registry scanner pod. | {} |

On-Prem deployment

Use the following command to deploy against an on-prem installation:

$ helm upgrade --install registry-scanner \
    --set config.secureBaseURL=<SYSDIG_SECURE_URL> \
    --set config.secureAPIToken=<SYSDIG_SECURE_API_TOKEN> \
    --set config.secureSkipTLS=true \
    --set config.registryURL=<REGISTRY_URL> \
    --set config.registryUser=admin \
    --set config.registryPassword=<REGISTRY_PASSWORD> \
    sysdig/registry-scanner

Use config.secureSkipTLS=true if you are using self-signed certificates.
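The on-prem command above and the existingSecretName parameter in the Configuration table both have a hardened form that the page does not spell out: keeping the API token and registry password in a Kubernetes Secret instead of in --set arguments (which end up in shell history and in the process list while helm runs), and trusting a private CA through ssl.ca.certs instead of disabling verification with config.secureSkipTLS=true, which would let any endpoint that answers on the Secure URL receive the scanner's token and results. The script below is an added example, not code from the chart or from Sysdig; it uses the secret entry names the table lists for existingSecretName and assumes that ssl.ca.certs takes a YAML list of PEM-encoded certificate strings. All hostnames and credential values are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of the Sysdig chart. It produces the two files a
# deployment that keeps credentials off the helm command line needs:
#   1. a Kubernetes Secret for the chart's existingSecretName parameter, with
#      the entry names from the Configuration table (secureAPIToken,
#      registryUser, registryPassword, and for registryType=ecr also
#      accessKeyId, secretAccessKey, region);
#   2. a values.yaml for an on-prem Sysdig Secure behind a private CA that
#      trusts the CA through ssl.ca.certs instead of setting
#      config.secureSkipTLS=true.
# Assumption: ssl.ca.certs is a YAML list of PEM-encoded certificate strings.
set -eu

# Single-line base64 (no wrapping), the encoding Secret .data expects.
b64() { printf '%s' "$1" | base64 | tr -d '\n'; }

# registry_scanner_secret NAME NAMESPACE API_TOKEN REG_USER REG_PASSWORD \
#                         [AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_REGION]
# Create the Secret in the namespace the chart release is installed into.
registry_scanner_secret() {
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $1
  namespace: $2
type: Opaque
data:
  secureAPIToken: $(b64 "$3")
  registryUser: $(b64 "$4")
  registryPassword: $(b64 "$5")
EOF
  # ECR: the chart reads the AWS credentials from the same Secret.
  if [ "$#" -ge 8 ]; then
    cat <<EOF
  accessKeyId: $(b64 "$6")
  secretAccessKey: $(b64 "$7")
  region: $(b64 "$8")
EOF
  fi
}

# registry_scanner_values SECRET_NAME SECURE_URL REGISTRY_URL CA_PEM_FILE
# Refuses to emit a values file if CA_PEM_FILE is not a PEM certificate, so a
# wrong path cannot silently produce a deployment with an untrusted endpoint.
registry_scanner_values() {
  grep -q 'BEGIN CERTIFICATE' "$4" || {
    echo "registry_scanner_values: $4 is not a PEM certificate" >&2
    return 1
  }
  cat <<EOF
existingSecretName: $1
config:
  secureBaseURL: $2
  secureOnPrem: true
  secureSkipTLS: false        # verify the on-prem Secure endpoint against ssl.ca.certs
  registryURL: $3
  registrySkipTLS: false
cronjob:
  schedule: "0 6 * * 6"       # chart default
ssl:
  ca:
    certs:
      - |
$(sed 's/^/        /' "$4")
EOF
}

# Usage (constructed placeholder values; read secrets from the environment,
# never type them on the command line):
#   registry_scanner_secret regscan-creds sysdig "$SYSDIG_TOKEN" admin "$REG_PASS" > secret.yaml
#   registry_scanner_values regscan-creds https://secure.example.internal \
#       https://registry.example.internal ./internal-ca.pem > values.yaml
#   kubectl apply -f secret.yaml
#   helm upgrade --install registry-scanner -f values.yaml sysdig/registry-scanner
```

With this layout the release carries only the secret's name; the token and password live in the Secret object, and rotating them means updating that Secret rather than re-running helm with new --set values. The same two-file approach applies to the ECR deployment further down: pass the AWS key id, secret and region as the last three arguments to registry_scanner_secret and set config.registryType=ecr in the values file.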

Supported vendor-specific deployments

AWS ECR

$ helm upgrade --install registry-scanner \
    --set config.scan.newVmScanner=true \
    --set config.secureBaseURL=<SYSDIG_SECURE_URL> \
    --set config.secureAPIToken=<SYSDIG_SECURE_API_TOKEN> \
    --set config.registryType=ecr \
    --set config.aws.accessKeyId=<AWS_ACCESS_KEY_ID> \
    --set config.aws.secretAccessKey=<AWS_SECRET_ACCESS_KEY> \
    --set config.aws.region=<AWS_REGION> \
    --set config.registryURL=<AWS_ECR_URL> \
    sysdig/registry-scanner

JFrog Artifactory - OnPrem

$ helm upgrade --install registry-scanner \
    --set config.scan.newVmScanner=true \
    --set config.secureBaseURL=<SYSDIG_SECURE_URL> \
    --set config.secureAPIToken=<SYSDIG_SECURE_API_TOKEN> \
    --set config.registryType=artifactory \
    --set config.registryURL=<JFROG_ARTIFACTORY_REGISTRY_URL> \
    --set config.registryUser=<JFROG_ARTIFACTORY_USER> \
    --set config.registryPassword=<JFROG_ARTIFACTORY_PASSWORD> \
    sysdig/registry-scanner

JFrog Artifactory - SaaS

$ helm upgrade --install registry-scanner \
    --set config.scan.newVmScanner=true \
    --set config.secureBaseURL=<SYSDIG_SECURE_URL> \
    --set config.secureAPIToken=<SYSDIG_SECURE_API_TOKEN> \
    --set config.registryType=artifactory \
    --set config.registryURL=<JFROG_ARTIFACTORY_REGISTRY_URL> \
    --set config.registryApiUrl=<JFROG_ARTIFACTORY_REGISTRY_API_DOCKER_URL> \
    --set config.registryUser=<JFROG_ARTIFACTORY_USER> \
    --set config.registryPassword=<JFROG_ARTIFACTORY_PASSWORD> \
    sysdig/registry-scanner