Registry Scanner
Sysdig Registry Scanner scan your images registry on a Kubernetes Cluster.
This chart deploys the Sysdig Registry Scanner as a scheduled Cronjob in your Kubernetes cluster.
Introduction
This chart deploys the Sysdig Registry Scanner on a Kubernetes cluster using the Helm package manager.
Prerequisites
- Helm 3
- Kubernetes v1.16+
- Cluster Name (pick one to identify your Kubernetes Cluster)
- Sysdig Secure API Token
Installing the Chart
Add Sysdig Helm charts repository:
$ helm repo add sysdig https://charts.sysdig.com
Deploy the registry scanner specify each parameter using the --set key=value[,key=value] argument to helm install. For example,
$ helm upgrade --install registry-scanner \
--set config.secureBaseURL=<SYSDIG_SECURE_URL> \
--set config.secureAPIToken=<SYSDIG_SECURE_API_TOKEN> \
--set config.registryURL=<REGISTRY_URL> \
--set config.registryUser=admin \
--set config.registryPassword=<REGISTRY_PASSWORD> \
sysdig/registry-scanner
Alternatively, a YAML file that specifies the values for the parameters can be provided while installing the chart. For example,
$ helm install registry-scanner -f values.yaml sysdig/registry-scanner
By default the created CronJob, scheduled at the default time: 6:00 am. For testing purpose you can launch a manual job:
$ kubectl create job --from=cronjob/registry-scanner registry-scanner-manual
Uninstalling the Chart
To uninstall/delete
$ helm uninstall registry-scanner
The command removes all the Kubernetes components associated with the chart and deletes the release.
Configuration
The following table lists the configurable parameters of the Sysdig Registry Scanner chart and their default values:
| Parameter | Description | Default |
|---|---|---|
| cronjob.schedule | Cronjob expression for registry scan scheduling (you can check https://crontab.guru/ for help) | "0 6 * * 6" |
| cronjob.failedJobsHistoryLimit | Number of failed job history to keep on the cluster. | 5 |
| cronjob.successfulJobsHistoryLimit | Number of successful job history to keep on the cluster. | 2 |
| cronjob.restartPolicy | Restart policy for a failed registry-scan execution. | Never |
| reportToPersistentVolumeClaim | Specify a volume claim to write the final JSON report there instead of standard output. | "" |
| config.registryURL | required URL of the registry to scan. |
https://my-docker-registry.com |
| config.registryApiUrl | API URL of the registry to scan. This is required if your registry type is Artifactory. | https://my-docker-registry.com/artifactory/api/docker/ |
| config.registryUser | Username for registry authentication. | "" |
| config.registryPassword | Password for registry authentication. | "" |
| config.registryType | Registry Type. Optional. dockerv2 (default if not specified), icr, artifactory, ecr. | "" |
| config.registryAccountId | AccountID - Only for ICR registry type. | "" |
| config.icrIamApi | ICR IAM API - Only for ICR registry type. | "" |
| config.icrIamApiSkipTLS | Ignore TLS certificate for IAM API - Only for ICR registry type. | false |
| config.aws.accessKeyId | AWS Credentials AccessKeyID. | "" |
| config.aws.secretAccessKey | AWS Credentials: SecretAccessKey. | "" |
| config.aws.region | AWS Region. | "" |
| config.registrySkipTLS | Ignore registry TLS certificate errors (self-signed, etc.). | false |
| config.secureBaseURL | required Sysdig Secure Base URL |
https://secure.sysdig.com |
| config.secureAPIToken | required API Token to access Sysdig Secure. |
"" |
| config.secureOnPrem | Sysdig Secure is on-prem installation (vs SaaS). | false |
| config.secureSkipTLS | Ignore Sysdig Secure TLS certificate errors. | false |
| config.maxWorkers | Max number of parallel inline scanner workers to spawn in cluster. | 1 |
| config.filter.include | List of regular expressions. Images matching any of these expressions are always included when scanning. | [] |
| config.filter.exclude | List of regular expressions. Images matching any of these expressions are excluded when scanning. | [] |
| config.filter.maxAgeDays | Exclude images with creation date older than specified number of days. | |
| config.filter.maxTagsPerRepository | Only scan a maximum number of tags per repository, excluding older images by creation date. | |
| config.scan.inlineScanImage | Override the default (if not specified) quay.io/sysdig/secure-inline-scan:2 image for the inline scanner job. |
"" |
| config.scan.securityContext | Security context for Inline Scanner container. | {} |
| config.scan.newVmScanner | true/false whether to activate the beta image scanning (experimental and unsupported) | false |
| ssl.ca.certs | For outbound connections List of PEM-encoded x509 certificate authority. |
{} |
| customLabels | Additional labels to add to CronJob and Scanning Jobs. Custom labels to be added to kubernetes manifests of all resources created. | {} |
| proxy.httpProxy | URL of the proxy for HTTP connections, or empty if not using proxy (sets the http_proxy environment variable). | |
| proxy.httpsProxy | URL of the proxy for HTTPS connections, or empty if not using proxy (sets the https_proxy environment variable). | |
| proxy.noProxy | Comma-separated list of domain extensions proxy should not be used for. Include in noProxy the internal IP of the kubeapi server, and you probably need to add your registry if it is inside the cluster | |
| image.registry | Sysdig Registry Scanner image registry. | quay.io |
| image.repository | Sysdig Registry Scanner image repository | sysdig/registry-scanner |
| image.tag | Registry Scanner image tag. If empty, default to appVersion in Chart.yaml. | |
| image.pullPolicy | PullPolicy for Registry Scanner image. | Always |
| serviceAccount.create | Specifies whether a service account should be created | true |
| serviceAccount.annotations | Extra annotations to add to the service account | {} |
| serviceAccount.name | The name of the service account to use. If not set and create is true, a name is generated using the fullname template | "" |
| imagePullSecrets | The image pull secrets. | [] |
| nameOverride | Chart name override | "" |
| fullnameOverride | Chart fullname override | "" |
| existingSecretName | Specify the name of a Kubernetes secret containing ‘secureAPIToken’, ‘registryUser’, and ‘registryPassword’ entries or if you are using ecr as registryType, add also ‘accessKeyId’, ‘secretAccessKey’ and ‘region’ entries. | "" |
| podAnnotations | Registry scanner pod annotations | {} |
| podSecurityContext | Security context for Registry Scanner pod | {} |
| securityContext | Security context for Registry Scanner container | {} |
| resources | Resource limits for registry scanner container. | {} |
| nodeSelector | Configure nodeSelector for scheduling the registry scanner pod. | {} |
| tolerations | Configure tolerations for scheduling the registry scanner pod. | [] |
| affinity | Configure affinity for scheduling the registry scanner pod. | {} |
On-Prem deployment
Use the following command to deploy in an on-prem:
$ helm upgrade --install registry-scanner \
--set config.secureBaseURL=<SYSDIG_SECURE_URL> \
--set config.secureAPIToken=<SYSDIG_SECURE_API_TOKEN> \
--set config.secureSkipTLS=true \
--set config.registryURL=<REGISTRY_URL> \
--set config.registryUser=admin \
--set config.registryPassword=<REGISTRY_PASSWORD> \
sysdig/registry-scanner
Use config.secureSkipTLS=true if you are using self signed certificates.
Supported vendor specific deployments
AWS ECR
$ helm upgrade --install registry-scanner \
--set config.scan.newVmScanner=true \
--set config.secureBaseURL=<SYSDIG_SECURE_URL> \
--set config.secureAPIToken=<SYSDIG_SECURE_API_TOKEN> \
--set config.registryType=ecr \
--set config.aws.accessKeyId=<AWS_ACCESS_KEY_ID> \
--set config.aws.secretAccessKey=<AWS_SECRET_ACCESS_KEY> \
--set config.aws.region=<AWS_REGION> \
--set config.registryURL=<AWS_ECR_URL> \
sysdig/registry-scanner
JFrog Artifactory - OnPrem
- JFROG_ARTIFACTORY_URL: JFrog Artifactory url. ex.: artifactory.internal.mycompany.com
$ helm upgrade --install registry-scanner \
--set config.scan.newVmScanner=true \
--set config.secureBaseURL=<SYSDIG_SECURE_URL> \
--set config.secureAPIToken=<SYSDIG_SECURE_API_TOKEN> \
--set config.registryType=artifactory \
--set config.registryURL=<JFROG_ARTIFACTORY_REGISTRY_URL> \
--set config.registryUser=<JFROG_ARTIFACTORY_USER> \
--set config.registryPassword=<JFROG_ARTIFACTORY_PASSWORD> \
sysdig/registry-scanner
JFrog Artifactory - SaaS
- JFROG_ARTIFACTORY_REGISTRY_URL: JFrog Artifactory Cloud registry URL. ex.: https://myaccount.jfrog.io/some-registry
- JFROG_ARTIFACTORY_REGISTRY_API_DOCKER_URL: JFrog Artifactory Cloud registry docker API endpoint. ex.: https://myaccount.jfrog.io/artifactory/api/docker/some-registry
$ helm upgrade --install registry-scanner \
--set config.scan.newVmScanner=true \
--set config.secureBaseURL=<SYSDIG_SECURE_URL> \
--set config.secureAPIToken=<SYSDIG_SECURE_API_TOKEN> \
--set config.registryType=artifactory \
--set config.registryURL=<JFROG_ARTIFACTORY_REGISTRY_URL> \
--set config.registryApiUrl=<JFROG_ARTIFACTORY_REGISTRY_API_DOCKER_URL> \
--set config.registryUser=<JFROG_ARTIFACTORY_USER> \
--set config.registryPassword=<JFROG_ARTIFACTORY_PASSWORD> \
sysdig/registry-scanner