Registry Scanner
Sysdig Registry Scanner scans the images in your container registry from a Kubernetes cluster.
This chart deploys the Sysdig Registry Scanner as a scheduled CronJob in your Kubernetes cluster.
Introduction
This chart deploys the Sysdig Registry Scanner on a Kubernetes cluster using the Helm package manager.
Prerequisites
- Helm 3
- Kubernetes v1.16+
- A cluster name (pick one to identify your Kubernetes cluster)
- Sysdig Secure API Token
Installing the Chart
Add Sysdig Helm charts repository:
$ helm repo add sysdig https://charts.sysdig.com
Deploy the registry scanner, specifying each parameter with the --set key=value[,key=value] argument to helm install. For example:
$ helm upgrade --install registry-scanner \
--set config.secureBaseURL=<SYSDIG_SECURE_URL> \
--set config.secureAPIToken=<SYSDIG_SECURE_API_TOKEN> \
--set config.registryType=<REGISTRY_TYPE> \
--set config.registryURL=<REGISTRY_URL> \
--set config.registryUser=admin \
--set config.registryPassword=<REGISTRY_PASSWORD> \
sysdig/registry-scanner
config.registryType is mandatory (one of artifactory, ecr, icr, acr, quay, harbor or dockerv2). Credentials passed with --set end up in your shell history and in the Helm release Secret stored in the cluster; outside quick tests, put them in a Kubernetes Secret and reference it with existingSecretName (see Configuration).
Alternatively, a YAML file that specifies the values for the parameters can be provided while installing the chart. For example:
$ helm install registry-scanner -f values.yaml sysdig/registry-scanner
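A values.yaml for the file-based install above, keeping credentials out of --set and narrowing both the scan scope and the pod's privileges. This is an added example, not a file shipped with the chart: the Secret name registry-scanner-creds, the Harbor registry URL, the regular expressions, the schedule, the resource figures and the security-context settings are illustrative choices, not chart defaults, and it assumes the filter expressions are matched against the image name in repository:tag form (the page does not spell out the exact string they are applied to).

```yaml
# values.yaml (added example; Secret name, registry URL, regexes and limits are assumptions).
# Create the Secret first, so no credential appears on the helm command line or in
# the Helm release values. The key names are the ones existingSecretName expects:
#   kubectl create secret generic registry-scanner-creds \
#     --from-literal=secureAPIToken=<SYSDIG_SECURE_API_TOKEN> \
#     --from-literal=registryUser=<REGISTRY_USER> \
#     --from-literal=registryPassword=<REGISTRY_PASSWORD>
existingSecretName: registry-scanner-creds

config:
  secureBaseURL: https://secure.sysdig.com
  registryType: harbor
  registryURL: https://harbor.example.internal   # assumed registry
  registrySkipTLS: false                          # keep certificate verification on
  logging: info
  maxWorkers: 3
  filter:
    # Always scan production images, even if other filters would drop them.
    include:
      - "^prod/.*"
    # Skip throwaway CI tags and the scanner's own images.
    exclude:
      - ".*:ci-[0-9a-f]{7,}$"
      - "^tooling/registry-scanner.*"
    maxAgeDays: 30            # only images created in the last 30 days (chart maximum 365)
    maxTagsPerRepository: 5   # newest tags first (chart maximum 10)
    maxRepositoriesPerRegistry: 200

cronjob:
  schedule: "0 2 * * *"       # daily at 02:00 instead of the default weekly Saturday run
  successfulJobsHistoryLimit: 1
  failedJobsHistoryLimit: 3

# Least-privilege settings for the registry-scanner pod and container.
podSecurityContext:
  runAsNonRoot: true
  seccompProfile:
    type: RuntimeDefault
securityContext:
  allowPrivilegeEscalation: false
  readOnlyRootFilesystem: true
  capabilities:
    drop: ["ALL"]

resources:
  requests:
    cpu: 250m
    memory: 256Mi
  limits:
    cpu: "1"
    memory: 1Gi
```

After installing with this file, trigger one run by hand with kubectl create job --from=cronjob/registry-scanner registry-scanner-manual and read the job's logs before trusting the schedule: if the scanner image needs a writable filesystem, relax readOnlyRootFilesystem (for example by mounting an emptyDir at the path it writes to) rather than dropping the other restrictions.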
By default the CronJob runs on the schedule "0 6 * * 6", that is, 06:00 every Saturday. For testing purposes you can launch a manual job from it:
$ kubectl create job --from=cronjob/registry-scanner registry-scanner-manual
Uninstalling the Chart
To uninstall/delete the registry-scanner release:
$ helm uninstall registry-scanner
The command removes all the Kubernetes components associated with the chart and deletes the release.
Configuration
The following table lists the configurable parameters of the Sysdig Registry Scanner chart and their default values:
| Parameter | Description | Default |
|---|---|---|
| cronjob.schedule | Cron expression for registry scan scheduling (see https://crontab.guru/ for help). | "0 6 * * 6" |
| cronjob.failedJobsHistoryLimit | Number of failed jobs to keep in the cluster history. | 5 |
| cronjob.successfulJobsHistoryLimit | Number of successful jobs to keep in the cluster history. | 2 |
| cronjob.restartPolicy | Restart policy for a failed registry-scan execution. | Never |
| reportToPersistentVolumeClaim | Name of a PersistentVolumeClaim to write the final JSON report to, instead of standard output. | "" |
| config.logging | Log level: trace, debug, info, or error. | "info" |
| config.registryURL | URL of the registry to scan. | "" |
| config.registryApiUrl | API URL of the registry to scan. Required if the registry type is Artifactory. | "" |
| config.registryUser | Username for registry authentication. | "" |
| config.registryPassword | Password for registry authentication. | "" |
| config.registryType | Mandatory. Registry type. Supported types: artifactory, ecr, icr, acr, quay, harbor, and dockerv2. | "" |
| config.registryAccountId | Account ID. Only for the icr registry type. | "" |
| config.icrIamApi | ICR IAM API. Only for the icr registry type. | "" |
| config.icrIamApiSkipTLS | Ignore TLS certificate errors for the IAM API. Only for the icr registry type. | false |
| config.aws.accessKeyId | AWS credentials: AccessKeyID. | "" |
| config.aws.secretAccessKey | AWS credentials: SecretAccessKey. | "" |
| config.aws.region | AWS region. | "us-east-1" |
| config.aws.managementAccountRoleARN | ARN of the management-account role to assume before assuming roles in the member accounts. | |
| config.aws.memberAccountsRoleName | Name of the role (present in every member account) to assume when scanning their registries. | "OrganizationAccountAccessRole" |
| config.aws.allowListMemberAccountIDs | Organization account IDs in which to perform the registry scan. | [] |
| config.registrySkipTLS | Ignore registry TLS certificate errors (self-signed, etc.). | false |
| config.secureBaseURL | Required. Sysdig Secure base URL. | https://secure.sysdig.com |
| config.secureAPIToken | Required. API token to access Sysdig Secure. | "" |
| config.secureOnPrem | Sysdig Secure is an on-prem installation (vs SaaS). | false |
| config.secureSkipTLS | Ignore Sysdig Secure TLS certificate errors. | false |
| config.maxWorkers | Maximum number of parallel scan job workers to spawn. | 5 |
| config.filter.include | List of regular expressions. Images matching any of them are always included when scanning. | [] |
| config.filter.exclude | List of regular expressions. Images matching any of them are excluded when scanning. | [] |
| config.filter.maxAgeDays | Exclude images whose creation date is older than this many days. Maximum 365. | 90 |
| config.filter.maxTagsPerRepository | Maximum number of tags to scan per repository; newer tags (by creation date) take precedence. Maximum 10. | 5 |
| config.filter.maxRepositoriesPerRegistry | Number of repositories to scan per registry. Maximum 1000. | 500 |
| config.scan.inlineScanImage | Override the image used for the inline scanner job (default when unspecified: quay.io/sysdig/secure-inline-scan:2). | "" |
| config.scan.securityContext | Security context for the inline scanner container. | {} |
| config.scan.newVmScanner | Whether to activate the beta image scanning engine (experimental and unsupported). | false |
| ssl.ca.certs | List of PEM-encoded X.509 certificate authorities to trust for outbound connections. | [] |
| customLabels | Additional labels added to the Kubernetes manifests of all resources created by the chart, including the CronJob and the scanning Jobs. | {} |
| proxy.httpProxy | URL of the proxy for HTTP connections, or empty if not using a proxy (sets the http_proxy environment variable). | |
| proxy.httpsProxy | URL of the proxy for HTTPS connections, or empty if not using a proxy (sets the https_proxy environment variable). | |
| proxy.noProxy | Comma-separated list of domains the proxy should not be used for. Include the internal IP of the Kubernetes API server, and add your registry if it runs inside the cluster. | |
| image.registry | Sysdig Registry Scanner image registry. | quay.io |
| image.repository | Sysdig Registry Scanner image repository. | sysdig/registry-scanner |
| image.tag | Registry Scanner image tag. If empty, defaults to appVersion in Chart.yaml. | |
| image.pullPolicy | pullPolicy for the Registry Scanner image. | Always |
| serviceAccount.create | Whether a service account should be created. | true |
| serviceAccount.annotations | Extra annotations to add to the service account. | {} |
| serviceAccount.name | Name of the service account to use. If not set and create is true, a name is generated from the fullname template. | "" |
| imagePullSecrets | Image pull secrets. | [] |
| nameOverride | Chart name override. | "" |
| fullnameOverride | Chart fullname override. | "" |
| existingSecretName | Name of an existing Kubernetes Secret containing the secureAPIToken, registryUser and registryPassword entries; for the ecr registry type also add accessKeyId, secretAccessKey and region entries. | "" |
| podAnnotations | Registry Scanner pod annotations. | {} |
| podSecurityContext | Security context for the Registry Scanner pod. | {} |
| securityContext | Security context for the Registry Scanner container. | {} |
| resources | Resource requests and limits for the Registry Scanner container. | {} |
| nodeSelector | nodeSelector for scheduling the Registry Scanner pod. | {} |
| tolerations | Tolerations for scheduling the Registry Scanner pod. | [] |
| affinity | Affinity for scheduling the Registry Scanner pod. | {} |
| scanOnStart.enabled | Whether to launch a post-install scanner Job in addition to the CronJob. Note that concurrencyPolicy applies only to CronJobs, not to Jobs: check that no scan is already running and, if one is, delete it first. | false |
| scanOnStart.jobName | Name of the Job created for the post-install scan. | "registry-scanner-start-test" |
| scanOnStart.asPostInstallHook | Whether to launch the Job as a Helm post-install hook. Mainly for testing purposes. | false |
| extraEnvVars | Extra environment variables to set. | [] |
On-Prem deployment
Use the following command to deploy against an on-prem Sysdig Secure installation:
$ helm upgrade --install registry-scanner \
--set config.secureBaseURL=<SYSDIG_SECURE_URL> \
--set config.secureAPIToken=<SYSDIG_SECURE_API_TOKEN> \
--set config.secureOnPrem=true \
--set config.secureSkipTLS=true \
--set config.registryType=<REGISTRY_TYPE> \
--set config.registryURL=<REGISTRY_URL> \
--set config.registryUser=admin \
--set config.registryPassword=<REGISTRY_PASSWORD> \
sysdig/registry-scanner
config.secureSkipTLS=true disables verification of the Sysdig Secure TLS certificate, so the scanner will also accept a certificate presented by anyone who can intercept the connection, and it sends your API token over that connection. Use it only for installations with self-signed certificates whose CA you cannot distribute; the safer option is to leave verification enabled and add your private CA to ssl.ca.certs instead. The same trade-off applies to config.registrySkipTLS for the registry connection.
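The TLS trust choice for the on-prem command above, expressed as values-file settings. This is an added example, not part of the chart's documentation: the weak setting the command uses is shown commented out beside the configuration that keeps certificate verification on and trusts the private CA explicitly. The on-prem hostname is a placeholder and the certificate body is where your own CA's PEM goes; the page only says ssl.ca.certs holds PEM-encoded X.509 certificates, so the one-PEM-block-per-list-item layout is an assumption.

```yaml
# values.yaml fragment for an on-prem Sysdig Secure (added example; hostname and CA body are placeholders).
config:
  secureBaseURL: https://sysdig-secure.example.internal   # assumed on-prem host
  secureOnPrem: true

  # Weak option (what the --set command above does): accepts any certificate,
  # including one presented by an on-path attacker, and the API token is sent
  # over that unauthenticated connection.
  # secureSkipTLS: true
  # registrySkipTLS: true

  # Preferred: keep verification on for both Sysdig Secure and the registry,
  # and make the private CA trusted below instead.
  secureSkipTLS: false
  registrySkipTLS: false

# PEM-encoded CA certificate(s) trusted for outbound connections.
# One PEM block per list item (assumed layout); add the registry's CA here too
# if it is signed by a different internal authority.
ssl:
  ca:
    certs:
      - |
        -----BEGIN CERTIFICATE-----
        <base64 body of your internal root CA certificate>
        -----END CERTIFICATE-----
```

Before relying on this, confirm that the CA you pasted actually chains to the server certificate: openssl s_client -connect <SYSDIG_SECURE_HOST>:443 -CAfile ca.pem should end with "Verify return code: 0 (ok)". If it does not, fix the chain (for example, an intermediate is missing) rather than falling back to secureSkipTLS.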