×

Red Hat Advanced Cluster Security for Kubernetes integrates with a variety of image registries so that you can understand your images and apply security policies for image usage.

When you integrate with image registries, you can view important image details, such as image creation date and Dockerfile details (including image layers).

After you integrate Red Hat Advanced Cluster Security for Kubernetes with your registry, you can scan images, view image components, or apply security policies before you deploy images or to existing images that are already deployed in your clusters.

When you integrate with an image registry, Red Hat Advanced Cluster Security for Kubernetes does not scan all images in your registry. Red Hat Advanced Cluster Security for Kubernetes only scans the images when you:

  • Use the images in deployments

  • Use the roxctl CLI to check images

  • Use a continuous integration (CI) system to enforce security policies

You can integrate Red Hat Advanced Cluster Security for Kubernetes with several major image registries, including:

Automatic Configuration

Red Hat Advanced Cluster Security for Kubernetes includes default integrations with standard registries, such as Docker Hub and others. Red Hat Advanced Cluster Security for Kubernetes also automatically configures integrations based on image pull secrets in the monitored clusters. Usually, you do not need to manually configure registry integrations.

If you use registries like GCR and ECR, and have your clusters set up to pull images using node IAM (Identity and Access Management) instead of image pull secrets, Red Hat Advanced Cluster Security for Kubernetes does not create a registry integration automatically. For such cases you must manually configure your image registries.

Manually configuring image registries

If you are using GCR or ECR with node IAM, you must manually create image registry integrations.

Manually configuring OpenShift Container Platform registry

You can integrate Red Hat Advanced Cluster Security for Kubernetes with OpenShift Container Platform built-in container image registry.

Prerequisites
  • You need a username and a password for authentication with the OpenShift Container Platform registry.

Procedure
  1. On the RHACS portal, navigate to Platform ConfigurationIntegrations.

  2. Under the Image Integrations section, select Generic Docker Registry.

    The Configure image integration modal box opens.

  3. Click New Integration.

  4. Enter the details for the following fields:

    1. Integration Name: The name of the integration.

    2. Types: Select Registry.

    3. Endpoint: The address of the registry.

    4. Username and Password.

  5. Select Test (checkmark icon) to test that the integration with the selected registry is working.

  6. Select Create (save icon) to create the configuration.

Manually configuring Amazon Elastic Container Registry

You can integrate Red Hat Advanced Cluster Security for Kubernetes with Amazon Elastic Container Registry (ECR).

Prerequisites
  • You must have an access key ID and a secret access key. Alternatively, you can use a node-level IAM proxy such as kiam or kube2iam.

  • The access key must have read access to ECR. See How do I create an AWS access key? for more information.

  • If you are running Red Hat Advanced Cluster Security for Kubernetes in Amazon Elastic Kubernetes Service (EKS) and want to integrate with an ECR from a separate Amazon account, you must first set a repository policy statement in your ECR. Follow the instructions at Setting a repository policy statement and for Actions, choose the following scopes of the Amazon ECR API operations:

    • ecr:BatchCheckLayerAvailability

    • ecr:BatchGetImage

    • ecr:DescribeImages

    • ecr:GetDownloadUrlForLayer

    • ecr:ListImages

Procedure
  1. On the RHACS portal, navigate to Platform ConfigurationIntegrations.

  2. Under the Image Integrations section, select Amazon Elastic Container Registry.

    The Configure image integration modal box opens.

  3. Click New Integration.

  4. Enter the details for the following fields:

    1. Integration Name: The name of the integration.

    2. Types: Select Registry.

    3. Registry ID: The ID of the registry.

    4. Endpoint (Optional): The address of the registry.

    5. Region: The region for the registry.

    6. Use Container IAM Role: Turn on the toggle if you are using IAM.

    7. Access Key ID (required if not using IAM) and Secret Access Key (required if not using IAM): Your access key and secret if you are not using IAM.

  5. Select Test (checkmark icon) to test that the integration with the selected registry is working.

  6. Select Create (save icon) to create the configuration.

Using assumerole with Amazon ECR

You can use AssumeRole to grant access to AWS resources without manually configuring each user’s permissions. Instead, you can define a role with the desired permissions, and the user is granted access to assume that role. AssumeRole enables you to grant, revoke, or otherwise generally manage more fine-grained permissions.

Configuring AssumeRole with container IAM

Before you can use AssumeRole with Red Hat Advanced Cluster Security for Kubernetes, you must first configure it.

Procedure
  1. Enable the IAM OIDC provider for your EKS cluster:

    $ eksctl utils associate-iam-oidc-provider --cluster <cluster name> --approve
  2. Create an IAM role for your EKS cluster.

  3. Associate the newly created role with a service account:

    $ kubectl -n stackrox annotate sa central eks.amazonaws.com/role-arn=arn:aws:iam::67890:role/<role-name>
  4. Restart Central to apply the changes.

    $ kubectl -n stackrox delete pod -l app=central
  5. Assign the role to a policy that allows the role to assume another role as required:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Action": "sts:AssumeRole",
                "Resource": "arn:aws:iam::<ecr-registry>:role/<assumerole-readonly>" (1)
            }
        ]
    }
    1 Replace <assumerole-readonly> with the role you want to assume.
  6. Update the trust relationship for the role you want to assume:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": [
              "arn:aws:iam::<ecr-registry>:role/<role-name>" (1)
            ]
          },
          "Action": "sts:AssumeRole"
        }
      ]
    }
    1 The <role-name> should match with the new role you have created earlier.
Configuring AssumeRole without container IAM

To use AssumeRole without container IAM, you must use an access and a secret key to authenticate as an AWS user with programmatic access.

Procedure
  1. Depending on whether the AssumeRole user is in the same account as the ECR registry or in a different account, you must either:

    • Create a new role with the desired permissions if the user for which you want to assume role is in the same account as the ECR registry.

      When creating the role, you can choose any trusted entity as required. However, you must modify it after creation.

    • Or, you must provide permissions to access the ECR registry and define its trust relationship if the user is in a different account than the ECR registry:

      {
          "Version": "2012-10-17",
          "Statement": [
              {
                  "Sid": "VisualEditor0",
                  "Effect": "Allow",
                  "Action": "sts:AssumeRole",
                  "Resource": "arn:aws:iam::<ecr-registry>:role/<assumerole-readonly>" (1)
              }
          ]
      }
      1 Replace <assumerole-readonly> with the role you want to assume.
  2. Configure the trust relationship of the role by including the user ARN under the Principal field:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": [
              "arn:aws:iam::<ecr-registry>:user/<role-name>"
            ]
          },
          "Action": "sts:AssumeRole"
        }
      ]
    }
Configuring AssumeRole in RHACS

After configuring AssumeRole in ECR, you can integrate Red Hat Advanced Cluster Security for Kubernetes with Amazon Elastic Container Registry (ECR) by using AssumeRole.

Procedure
  1. On the RHACS portal, navigate to Platform ConfigurationIntegrations.

  2. Under the Image Integrations section, select Amazon Elastic Container Registry.

    The Configure image integration modal box opens.

  3. Click New Integration.

  4. Enter the details for the following fields:

    1. Integration Name: The name of the integration.

    2. Registry ID: The ID of the registry.

    3. Region: The region for the registry.

  5. If you have configured AssumeRole with container IAM leave the Use container IAM role option checked. Otherwise, uncheck the Use custom IAM role and enter the details for the following fields:

    1. Access key ID: The access key ID for the role.

    2. Secret access key: The secret access key for the role.

  6. Select the Use AssumeRole checkbox.

  7. Enter the details for the following fields:

    1. AssumeRole ID: The ID of the role to assume.

    2. AssumeRole External ID (optional): If you are using an external ID with AssumeRole, you can enter it here.

  8. Select Test (checkmark icon) to test that the integration with the selected registry is working.

  9. Select Create (save icon) to create the configuration.

Manually configuring Google Container Registry

You can integrate Red Hat Advanced Cluster Security for Kubernetes with Google Container Registry (GCR).

Prerequisites
  • You must have a service account key.

  • The associated service account must have access to the registry. See Configuring access control for information about granting users and other projects access to GCR.

  • If you are using GCR Container Analysis, you must also grant the following roles to the service account:

    • Container Analysis Notes Viewer

    • Container Analysis Occurrences Viewer

    • Storage Object Viewer

Procedure
  1. On the RHACS portal, navigate to Platform ConfigurationIntegrations.

  2. Under the Image Integrations section, select Google Container Registry.

    The Configure image integration modal box opens.

  3. Click New Integration.

  4. Enter the details for the following fields:

    1. Integration Name: The name of the integration.

    2. Types: Select Registry.

    3. Registry Endpoint: The address of the registry.

    4. Project: The Google Cloud project name.

    5. Service Account Key (JSON) Your service account key for authentication.

  5. Select Test (checkmark icon) to test that the integration with the selected registry is working.

  6. Select Create (save icon) to create the configuration.

Manually configuring Google Artifact Registry

You can integrate Red Hat Advanced Cluster Security for Kubernetes with Google Artifact Registry.

Prerequisites
  • You need a service account key with the Artifact Registry Reader IAM role roles/artifactregistry.reader.

Procedure
  1. On the RHACS portal, navigate to Platform ConfigurationIntegrations.

  2. Under the Image Integrations section, select Google Artifact Registry.

    The Configure image integration modal box opens.

  3. Click New Integration.

  4. Enter the details for the following fields:

    1. Integration Name: The name of the integration.

    2. Types: Select Registry.

    3. Registry Endpoint: The address of the registry.

    4. Project: The Google Cloud project name.

    5. Service Account Key (JSON) Your service account key for authentication.

  5. Select Test (checkmark icon) to test that the integration with the selected registry is working.

  6. Select Create (save icon) to create the configuration.

Manually configuring Microsoft Azure Container Registry

You can integrate Red Hat Advanced Cluster Security for Kubernetes with Microsoft Azure Container Registry.

Prerequisites
  • You must have a username and a password or an Azure App ID and a service principal password for authentication.

Procedure
  1. On the RHACS portal, navigate to Platform ConfigurationIntegrations.

  2. Under the Image Integrations section, select Azure Container Registry.

    The Configure image integration modal box opens.

  3. Click New Integration.

  4. Enter the details for the following fields:

    1. Integration Name: The name of the integration.

    2. Types: Select Registry.

    3. Endpoint: The address of the registry.

    4. Username or App ID and Password or Service Principal Password.

  5. Select Test (checkmark icon) to test that the integration with the selected registry is working.

  6. Select Create (save icon) to create the configuration.

Manually configuring JFrog Artifactory

You can integrate Red Hat Advanced Cluster Security for Kubernetes with JFrog Artifactory.

Prerequisites
  • You must have a username and a password for authentication with JFrog Artifactory.

Procedure
  1. On the RHACS portal, navigate to Platform ConfigurationIntegrations.

  2. Under the Image Integrations section, select JFrog Artifactory.

    The Configure image integration modal box opens.

  3. Click New Integration.

  4. Enter the details for the following fields:

    1. Integration Name: The name of the integration.

    2. Types: Select Registry.

    3. Endpoint: The address of the registry.

    4. Username and Password.

  5. Select Test (checkmark icon) to test that the integration with the selected registry is working.

  6. Select Create (save icon) to create the configuration.

Manually configuring Docker Trusted Registry

You can integrate Red Hat Advanced Cluster Security for Kubernetes with Docker Trusted Registry.

Prerequisites
  • You must have a username and a password for authentication with the Docker Trusted Registry.

Procedure
  1. On the RHACS portal, navigate to Platform ConfigurationIntegrations.

  2. Under the Image Integrations section, select Docker Trusted Registry.

    The Configure image integration modal box opens.

  3. Click New Integration.

  4. Enter the details for the following fields:

    1. Integration Name: The name of the integration.

    2. Types: Select Registry.

    3. Endpoint: The address of the registry.

    4. Username and Password.

  5. Select Test (checkmark icon) to test that the integration with the selected registry is working.

  6. Select Create (save icon) to create the configuration.

Manually configuring Quay Container Registry

You can integrate Red Hat Advanced Cluster Security for Kubernetes with Quay Container Registry.

Prerequisites
  • You must have an OAuth token for authentication with the Quay Container Registry.

Procedure
  1. On the RHACS portal, navigate to Platform ConfigurationIntegrations.

  2. Under the Image Integrations section, select Quay Container Registry.

    The Configure image integration modal box opens.

  3. Click New Integration.

  4. Enter the details for the following fields:

    1. Integration Name: The name of the integration.

    2. Types: Select Registry.

    3. Endpoint: The address of the registry.

    4. OAuth Token

  5. Select Test (checkmark icon) to test that the integration with the selected registry is working.

  6. Select Create (save icon) to create the configuration.

Manually configuring IBM Cloud Container Registry

You can integrate Red Hat Advanced Cluster Security for Kubernetes with IBM Cloud Container Registry.

Prerequisites
  • You must have an API key for authentication with the IBM Cloud Container Registry.

Procedure
  1. On the RHACS portal, navigate to Platform ConfigurationIntegrations.

  2. Under the Image Integrations section, select IBM Cloud Container Registry.

    The Configure image integration modal box opens.

  3. Click New Integration.

  4. Enter the details for the following fields:

    1. Integration Name: The name of the integration.

    2. Types: Select Registry.

    3. Endpoint: The address of the registry.

    4. API Key.

  5. Select Test (checkmark icon) to test that the integration with the selected registry is working.

  6. Select Create (save icon) to create the configuration.

Manually configuring Red Hat Container Registry

You can integrate Red Hat Advanced Cluster Security for Kubernetes with Red Hat Container Registry.

Prerequisites
  • You must have a username and a password for authentication with the Red Hat Container Registry.

Procedure
  1. On the RHACS portal, navigate to Platform ConfigurationIntegrations.

  2. Under the Image Integrations section, select Red Hat Container Registry.

    The Configure image integration modal box opens.

  3. Click New Integration.

  4. Enter the details for the following fields:

    1. Integration Name: The name of the integration.

    2. Types: Select Registry.

    3. Endpoint: The address of the registry.

    4. Username and Password.

  5. Select Test (checkmark icon) to test that the integration with the selected registry is working.

  6. Select Create (save icon) to create the configuration.