Registry Scanner

Sysdig Registry Scanner scans your image registry from a Kubernetes cluster.
This chart deploys the Sysdig Registry Scanner as a scheduled Cronjob in your Kubernetes cluster.

For more insight, check the Sysdig official docs on the Registry Scanner feature and its installation guidelines.

Introduction

This chart deploys the Sysdig Registry Scanner on a Kubernetes cluster using the Helm package manager.

Prerequisites

Installing the Chart

Add Sysdig Helm charts repository:

$ helm repo add sysdig https://charts.sysdig.com
$ helm repo update

To deploy the registry scanner, specify each parameter using the --set key=value[,key=value] argument to helm install. For example:

$ helm upgrade --install registry-scanner \
    --version=1.0.13 \
    --set config.secureBaseURL=<SYSDIG_SECURE_URL> \
    --set config.secureAPIToken=<SYSDIG_SECURE_API_TOKEN> \
    --set config.registryURL=<REGISTRY_URL> \
    --set config.registryUser=admin \
    --set config.registryPassword=<REGISTRY_PASSWORD> \
    sysdig/registry-scanner

Alternatively, a YAML file that specifies the values for the parameters can be provided while installing the chart. For example:

$ helm install registry-scanner -f values.yaml --version=1.0.13 sysdig/registry-scanner

By default the CronJob is scheduled to run at 6:00 am (see cronjob.schedule). For testing purposes you can launch a manual job:

$ kubectl create job --from=cronjob/registry-scanner registry-scanner-manual

Uninstalling the Chart

To uninstall/delete the release:

$ helm uninstall registry-scanner

The command removes all the Kubernetes components associated with the chart and deletes the release.

Configuration

The following table lists the configurable parameters of the Sysdig Registry Scanner chart and their default values:

| Parameter | Description | Default |
|---|---|---|
| cronjob.schedule | Cron expression for scheduling the registry scan (see https://crontab.guru/ for help). | "0 6 * * 6" |
| cronjob.failedJobsHistoryLimit | Number of failed jobs to keep in history on the cluster. | 5 |
| cronjob.successfulJobsHistoryLimit | Number of successful jobs to keep in history on the cluster. | 2 |
| cronjob.restartPolicy | Restart policy for a failed registry-scan execution. | Never |
| reportToPersistentVolumeClaim | Volume claim to which the final JSON report is written instead of standard output. | "" |
| config.logging | Log level: one of trace, debug, info, error. | "info" |
| config.registryURL | URL of the registry to scan. | "" |
| config.registryApiUrl | API URL of the registry to scan. Required if the registry type is Artifactory. | "" |
| config.registryUser | Username for registry authentication. | "" |
| config.registryPassword | Password for registry authentication. | "" |
| config.registryType | Mandatory. Registry type. Supported types: artifactory, ecr, icr, acr, quay, harbor, and dockerv2. | "" |
| config.registryAccountId | Account ID. Only for the ICR registry type. | "" |
| config.icrIamApi | ICR IAM API. Only for the ICR registry type. | "" |
| config.icrIamApiSkipTLS | Ignore the TLS certificate of the IAM API. Only for the ICR registry type. | false |
| config.aws.accessKeyId | AWS credentials: AccessKeyID. | "" |
| config.aws.secretAccessKey | AWS credentials: SecretAccessKey. | "" |
| config.aws.region | For a single account: region where the registry is located. | "us-east-1" |
| config.aws.managementAccountRoleARN | Management role ARN used to impersonate over the member accounts. | |
| config.aws.memberAccountsRoleName | Member account role name (available in all member accounts) used to dig into their registries. | "OrganizationAccountAccessRole" |
| config.aws.allowListMemberAccountIDs | Organization account IDs in which to perform the registry scan. If not configured, the scan is performed in all member accounts of the organization. | [] |
| config.aws.allowListRegions | For organizational scans: regions where the registries are located. If not configured, the scan is performed in all available regions. | [] |
| config.registrySkipTLS | Ignore registry TLS certificate errors (self-signed, etc.). | false |
| config.secureBaseURL | Required. Sysdig Secure base URL. | https://secure.sysdig.com |
| config.secureAPIToken | Required. API token to access Sysdig Secure. | "" |
| config.secureOnPrem | Sysdig Secure is an on-prem installation (vs. SaaS). | false |
| config.secureSkipTLS | Ignore Sysdig Secure TLS certificate errors. | false |
| config.maxWorkers | Maximum number of parallel scan job workers to spawn. | 5 |
| config.filter.include | List of regular expressions. Images matching any of these expressions are always included when scanning. | [] |
| config.filter.exclude | List of regular expressions. Images matching any of these expressions are excluded when scanning. | [] |
| config.filter.maxAgeDays | Excludes images older than the specified number of days, based on their creation date. Maximum 365. | 90 |
| config.filter.maxTagsPerRepository | Maximum number of tags to scan per repository; newer ones (by creation date) take precedence. Maximum 50. | 5 |
| config.filter.maxRepositoriesPerRegistry | Number of repositories to scan per registry. Maximum value 10000. | 500 |
| config.scan.inlineScanImage | Override the default image for the inline scanner job. | "" |
| config.scan.securityContext | Security context for the inline scanner container. | {} |
| config.scan.orchestrator.ttlSecondsAfterFinished | TTL for the orchestrator job. Unset with an empty value. | 3600 |
| config.scan.jobs.ttlSecondsAfterFinished | TTL for scanner worker jobs. | 600 |
| config.scan.jobs.resources.requests.memory | Memory request for the scanner job. | 500Mi |
| config.scan.jobs.resources.requests.cpu | CPU request for the scanner job. | 500m |
| config.scan.jobs.resources.limits.memory | Memory limit for the scanner job. | 2Gi |
| config.scan.jobs.temporaryVolumeSizeLimit | Size limit for the emptyDir volume used by the scanner job. This volume stores both the vulnerability database and the image to scan. | 2Gi |
| ssl.ca.certs | List of PEM-encoded x509 certificate authorities for outbound connections. | [] |
| customLabels | Custom labels to add to the Kubernetes manifests of all created resources (CronJob and scanning jobs). | {} |
| proxy.httpProxy | URL of the proxy for HTTP connections, or empty if not using a proxy (sets the http_proxy environment variable). | |
| proxy.httpsProxy | URL of the proxy for HTTPS connections, or empty if not using a proxy (sets the https_proxy environment variable). | |
| proxy.noProxy | Comma-separated list of domain extensions the proxy should not be used for. Include the internal IP of the kube-apiserver, and you probably need to add your registry if it is inside the cluster. | |
| image.registry | Sysdig Registry Scanner image registry. | quay.io |
| image.repository | Sysdig Registry Scanner image repository. | sysdig/registry-scanner |
| image.tag | Registry Scanner image tag. If empty, defaults to appVersion in Chart.yaml. | |
| image.pullPolicy | Pull policy for the Registry Scanner image. | Always |
| serviceAccount.create | Specifies whether a service account should be created. | true |
| serviceAccount.annotations | Extra annotations to add to the service account. | {} |
| serviceAccount.name | Name of the service account to use. If not set and create is true, a name is generated using the fullname template. | "" |
| imagePullSecrets | Image pull secrets. | [] |
| nameOverride | Chart name override. | "" |
| fullnameOverride | Chart fullname override. | "" |
| existingSecretName | Name of an existing Kubernetes secret containing 'secureAPIToken', 'registryUser', and 'registryPassword' entries; if registryType is ecr, also add 'accessKeyId', 'secretAccessKey' and 'region' entries. | "" |
| podAnnotations | Registry scanner pod annotations. | {} |
| podSecurityContext | Security context for the Registry Scanner pod. | {} |
| securityContext | Security context for the Registry Scanner container. | {} |
| resources | Resource limits for the main registry scanner orchestrator. For scanner job resources use config.scan.jobs.resources. | {} |
| nodeSelector | nodeSelector for scheduling the registry scanner pod. | {} |
| tolerations | Tolerations for scheduling the registry scanner pod. | [] |
| affinity | Affinity for scheduling the registry scanner pod. | {} |
| scanOnStart.enabled | true/false: whether to start the post-install scanner job in addition to the CronJob. Beware that concurrencyPolicy does not apply to Jobs (only CronJobs): always check whether a scan is already running and, if so, remove it. | false |
| scanOnStart.jobName | Name of the job created for the post-install scanner job. | "registry-scanner-start-test" |
| scanOnStart.asPostInstallHook | true/false: whether to launch the job as a post-install Helm hook. Mainly for testing purposes. | false |
| extraEnvVars | Extra environment variables to set. | [] |

Other Options

I still want to use the legacy scanning engine

Chart version 1.* relies on the new Vulnerability Management scanning engine.
If you still use the legacy scanning engine and want to keep running that version, pin the Helm chart version with --version=0.1.39.

On-Prem deployment

Use the following command to deploy against an on-prem Sysdig Secure installation:

$ helm upgrade --install registry-scanner \
    --version=1.0.13 \
    --set config.secureBaseURL=<SYSDIG_SECURE_URL> \
    --set config.secureAPIToken=<SYSDIG_SECURE_API_TOKEN> \
    --set config.secureSkipTLS=true \
    --set config.registryURL=<REGISTRY_URL> \
    --set config.registryUser=admin \
    --set config.registryPassword=<REGISTRY_PASSWORD> \
    sysdig/registry-scanner

Use config.secureSkipTLS=true if you are using self-signed certificates. Note that this disables certificate verification for the connection to Sysdig Secure; if you can distribute the signing CA, ssl.ca.certs lets you trust it while keeping verification on.
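Added example, not the chart's own code, covering both the install commands above and the on-prem case: a POSIX shell script that builds the Secret referenced by existingSecretName, so the API token and registry password never pass through --set or shell history, and renders a values.yaml that trusts a private CA through ssl.ca.certs (assumed to accept a list of PEM strings) instead of setting config.secureSkipTLS=true. The secret name, namespace and environment variable names are assumptions.

```shell
#!/bin/sh
# Added example, not part of the chart: keep credentials out of `helm --set`
# via existingSecretName, and keep TLS verification on for an on-prem Sysdig
# Secure by trusting its private CA through ssl.ca.certs rather than
# config.secureSkipTLS=true. Secret key names come from the chart's
# existingSecretName description; the secret name, namespace and env var
# names are assumptions, and ssl.ca.certs is assumed to take PEM strings.
set -eu

# Secret manifest with the entries the chart reads via existingSecretName.
# Credentials come from the environment, so they never appear in argv.
render_scanner_secret() {   # $1 = secret name, $2 = namespace
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $1
  namespace: $2
type: Opaque
stringData:
  secureAPIToken: "${SYSDIG_SECURE_API_TOKEN}"
  registryUser: "${REGISTRY_USER}"
  registryPassword: "${REGISTRY_PASSWORD}"
EOF
}

# values.yaml for an on-prem backend: secureOnPrem set, no secureSkipTLS,
# and the private CA supplied as a PEM block scalar under ssl.ca.certs.
render_onprem_values() {    # $1 = secret name, $2 = path to the CA PEM file
  printf 'existingSecretName: %s\n' "$1"
  printf 'config:\n  secureBaseURL: %s\n  secureOnPrem: true\n' "${SYSDIG_SECURE_URL}"
  printf '  registryURL: %s\n  registryType: %s\n' "${REGISTRY_URL}" "${REGISTRY_TYPE}"
  printf 'ssl:\n  ca:\n    certs:\n      - |\n'
  sed 's/^/        /' "$2"  # indent the PEM lines under the YAML block scalar
}

# Run with APPLY=1 (kubectl and helm required) to create the Secret and install.
if [ "${APPLY:-0}" = "1" ]; then
  render_scanner_secret registry-scanner-creds "${NAMESPACE}" | kubectl apply -f -
  render_onprem_values registry-scanner-creds "${CA_FILE}" > values.yaml
  helm upgrade --install registry-scanner -n "${NAMESPACE}" -f values.yaml \
    --version=1.0.13 sysdig/registry-scanner
fi
```

The rendered values.yaml can be reviewed before it is handed to helm, and the Secret can be managed by whatever secret store your cluster already uses.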