Red Hat Advanced Cluster Security for Kubernetes integrates with a variety of image registries so that you can understand your images and apply security policies for image usage.

When you integrate with image registries, you can view important image details, such as image creation date and Dockerfile details (including image layers).

After you integrate Red Hat Advanced Cluster Security for Kubernetes with your registry, you can scan images, view image components, and apply security policies to images before you deploy them or to images that are already deployed in your clusters.

When you integrate with an image registry, Red Hat Advanced Cluster Security for Kubernetes does not scan all images in your registry. Red Hat Advanced Cluster Security for Kubernetes only scans the images when you:

  • Use the images in deployments

  • Use the roxctl CLI to check images

  • Use a continuous integration (CI) system to enforce security policies

You can integrate Red Hat Advanced Cluster Security for Kubernetes with several major image registries, including:

Automatic Configuration

Red Hat Advanced Cluster Security for Kubernetes includes default integrations with standard registries, such as Docker Hub and others. Red Hat Advanced Cluster Security for Kubernetes also automatically configures integrations based on image pull secrets in the monitored clusters. Usually, you do not need to manually configure registry integrations.

If you use registries like GCR and ECR, and have your clusters set up to pull images using node IAM (Identity and Access Management) instead of image pull secrets, Red Hat Advanced Cluster Security for Kubernetes does not create a registry integration automatically. In such cases, you must manually configure your image registries.

Manually configuring image registries

If you are using GCR or ECR with node IAM, you must manually create image registry integrations.

Manually configuring OpenShift Container Platform registry

You can integrate Red Hat Advanced Cluster Security for Kubernetes with the OpenShift Container Platform built-in container image registry.

Prerequisites
  • You need a username and a password for authentication with the OpenShift Container Platform registry.

Procedure
  1. On the RHACS portal, navigate to Platform Configuration → Integrations.

  2. Under the Image Integrations section, select Generic Docker Registry.

    The Configure image integration modal box opens.

  3. Click New Integration.

  4. Enter the details for the following fields:

    1. Integration Name: The name of the integration.

    2. Types: Select Registry.

    3. Endpoint: The address of the registry.

    4. Username and Password.

  5. Select Test (checkmark icon) to test that the integration with the selected registry is working.

  6. Select Create (save icon) to create the configuration.

Manually configuring Amazon Elastic Container Registry

You can integrate Red Hat Advanced Cluster Security for Kubernetes with Amazon Elastic Container Registry (ECR).

Prerequisites
  • You must have an access key ID and a secret access key. Alternatively, you can use a node-level IAM proxy such as kiam or kube2iam.

  • The access key must have read access to ECR. See How do I create an AWS access key? for more information.

  • If you are running Red Hat Advanced Cluster Security for Kubernetes in Amazon Elastic Kubernetes Service (EKS) and want to integrate with an ECR from a separate Amazon account, you must first set a repository policy statement in your ECR. Follow the instructions at Setting a repository policy statement and for Actions, choose the following scopes of the Amazon ECR API operations:

    • ecr:BatchCheckLayerAvailability

    • ecr:BatchGetImage

    • ecr:DescribeImages

    • ecr:GetDownloadUrlForLayer

    • ecr:ListImages
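One way to check a cross-account repository policy against the five scopes listed above before creating the integration; this is an added example, not Red Hat or AWS code. The account ID, principal ARN and `Sid` are constructed placeholders, and action matching is literal (wildcards such as `ecr:*` are not expanded).

```python
import json

# The five read-only ECR API actions listed in the prerequisites above.
REQUIRED_ACTIONS = {
    "ecr:BatchCheckLayerAvailability", "ecr:BatchGetImage", "ecr:DescribeImages",
    "ecr:GetDownloadUrlForLayer", "ecr:ListImages",
}
# Constructed placeholder: the account that runs RHACS (not a real account).
SCANNER = "arn:aws:iam::111122223333:root"

def _as_list(value):
    return value if isinstance(value, list) else [value]

def audit_repository_policy(policy_json, scanner_principal=SCANNER):
    """Return findings; an empty list means the policy matches the listed scopes."""
    findings, granted = [], set()
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal", {})
        aws = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        if "*" in aws:
            findings.append(f"{sid}: wildcard principal allows any AWS account")
        elif scanner_principal not in aws:
            continue  # statement applies to some other principal
        actions = set(_as_list(stmt.get("Action", [])))
        granted |= actions
        for extra in sorted(actions - REQUIRED_ACTIONS):
            findings.append(f"{sid}: action beyond the listed read scopes: {extra}")
    findings += [f"missing required action: {a}" for a in sorted(REQUIRED_ACTIONS - granted)]
    return findings

def _policy(actions, principal=SCANNER):
    # Builds a constructed sample repository policy document.
    return json.dumps({"Version": "2012-10-17", "Statement": [{
        "Sid": "AllowRHACSPull", "Effect": "Allow",
        "Principal": {"AWS": principal}, "Action": actions}]})

GOOD = _policy(sorted(REQUIRED_ACTIONS))
BAD = _policy(["ecr:BatchGetImage", "ecr:PutImage"], principal="*")

if __name__ == "__main__":
    for name, doc in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, audit_repository_policy(doc) or "ok")
```
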

Procedure
  1. On the RHACS portal, navigate to Platform Configuration → Integrations.

  2. Under the Image Integrations section, select Amazon Elastic Container Registry.

    The Configure image integration modal box opens.

  3. Click New Integration.

  4. Enter the details for the following fields:

    1. Integration Name: The name of the integration.

    2. Types: Select Registry.

    3. Registry ID: The ID of the registry.

    4. Endpoint (Optional): The address of the registry.

    5. Region: The region for the registry.

    6. Use Container IAM Role: Turn on the toggle if you are using IAM.

    7. Access Key ID (required if not using IAM) and Secret Access Key (required if not using IAM): Your access key and secret if you are not using IAM.

  5. Select Test (checkmark icon) to test that the integration with the selected registry is working.

  6. Select Create (save icon) to create the configuration.

Manually configuring Google Container Registry

You can integrate Red Hat Advanced Cluster Security for Kubernetes with Google Container Registry (GCR).

Prerequisites
  • You must have a service account key.

  • The associated service account must have access to the registry. See Configuring access control for information about granting users and other projects access to GCR.

  • If you are using GCR Container Analysis, you must also grant the following roles to the service account:

    • Container Analysis Notes Viewer

    • Container Analysis Occurrences Viewer

    • Storage Object Viewer

Procedure
  1. On the RHACS portal, navigate to Platform Configuration → Integrations.

  2. Under the Image Integrations section, select Google Container Registry.

    The Configure image integration modal box opens.

  3. Click New Integration.

  4. Enter the details for the following fields:

    1. Integration Name: The name of the integration.

    2. Types: Select Registry.

    3. Registry Endpoint: The address of the registry.

    4. Project: The Google Cloud project name.

    5. Service Account Key (JSON): Your service account key for authentication.

  5. Select Test (checkmark icon) to test that the integration with the selected registry is working.

  6. Select Create (save icon) to create the configuration.

Manually configuring Google Artifact Registry

You can integrate Red Hat Advanced Cluster Security for Kubernetes with Google Artifact Registry.

Prerequisites
  • You need a service account key with the Artifact Registry Reader IAM role (roles/artifactregistry.reader).

Procedure
  1. On the RHACS portal, navigate to Platform Configuration → Integrations.

  2. Under the Image Integrations section, select Google Artifact Registry.

    The Configure image integration modal box opens.

  3. Click New Integration.

  4. Enter the details for the following fields:

    1. Integration Name: The name of the integration.

    2. Types: Select Registry.

    3. Registry Endpoint: The address of the registry.

    4. Project: The Google Cloud project name.

    5. Service Account Key (JSON): Your service account key for authentication.

  5. Select Test (checkmark icon) to test that the integration with the selected registry is working.

  6. Select Create (save icon) to create the configuration.

Manually configuring Microsoft Azure Container Registry

You can integrate Red Hat Advanced Cluster Security for Kubernetes with Microsoft Azure Container Registry.

Prerequisites
  • You must have either a username and a password, or an Azure App ID and a service principal password, for authentication.

Procedure
  1. On the RHACS portal, navigate to Platform Configuration → Integrations.

  2. Under the Image Integrations section, select Azure Container Registry.

    The Configure image integration modal box opens.

  3. Click New Integration.

  4. Enter the details for the following fields:

    1. Integration Name: The name of the integration.

    2. Types: Select Registry.

    3. Endpoint: The address of the registry.

    4. Username or App ID and Password or Service Principal Password.

  5. Select Test (checkmark icon) to test that the integration with the selected registry is working.

  6. Select Create (save icon) to create the configuration.

Manually configuring JFrog Artifactory

You can integrate Red Hat Advanced Cluster Security for Kubernetes with JFrog Artifactory.

Prerequisites
  • You must have a username and a password for authentication with JFrog Artifactory.

Procedure
  1. On the RHACS portal, navigate to Platform Configuration → Integrations.

  2. Under the Image Integrations section, select JFrog Artifactory.

    The Configure image integration modal box opens.

  3. Click New Integration.

  4. Enter the details for the following fields:

    1. Integration Name: The name of the integration.

    2. Types: Select Registry.

    3. Endpoint: The address of the registry.

    4. Username and Password.

  5. Select Test (checkmark icon) to test that the integration with the selected registry is working.

  6. Select Create (save icon) to create the configuration.

Manually configuring Docker Trusted Registry

You can integrate Red Hat Advanced Cluster Security for Kubernetes with Docker Trusted Registry.

Prerequisites
  • You must have a username and a password for authentication with the Docker Trusted Registry.

Procedure
  1. On the RHACS portal, navigate to Platform Configuration → Integrations.

  2. Under the Image Integrations section, select Docker Trusted Registry.

    The Configure image integration modal box opens.

  3. Click New Integration.

  4. Enter the details for the following fields:

    1. Integration Name: The name of the integration.

    2. Types: Select Registry.

    3. Endpoint: The address of the registry.

    4. Username and Password.

  5. Select Test (checkmark icon) to test that the integration with the selected registry is working.

  6. Select Create (save icon) to create the configuration.

Manually configuring Quay Container Registry

You can integrate Red Hat Advanced Cluster Security for Kubernetes with Quay Container Registry.

Prerequisites
  • You must have an OAuth token for authentication with the Quay Container Registry.

Procedure
  1. On the RHACS portal, navigate to Platform Configuration → Integrations.

  2. Under the Image Integrations section, select Quay Container Registry.

    The Configure image integration modal box opens.

  3. Click New Integration.

  4. Enter the details for the following fields:

    1. Integration Name: The name of the integration.

    2. Types: Select Registry.

    3. Endpoint: The address of the registry.

    4. OAuth Token.

  5. Select Test (checkmark icon) to test that the integration with the selected registry is working.

  6. Select Create (save icon) to create the configuration.

Manually configuring IBM Cloud Container Registry

You can integrate Red Hat Advanced Cluster Security for Kubernetes with IBM Cloud Container Registry.

Prerequisites
  • You must have an API key for authentication with the IBM Cloud Container Registry.

Procedure
  1. On the RHACS portal, navigate to Platform Configuration → Integrations.

  2. Under the Image Integrations section, select IBM Cloud Container Registry.

    The Configure image integration modal box opens.

  3. Click New Integration.

  4. Enter the details for the following fields:

    1. Integration Name: The name of the integration.

    2. Types: Select Registry.

    3. Endpoint: The address of the registry.

    4. API Key.

  5. Select Test (checkmark icon) to test that the integration with the selected registry is working.

  6. Select Create (save icon) to create the configuration.

Manually configuring Red Hat Container Registry

You can integrate Red Hat Advanced Cluster Security for Kubernetes with Red Hat Container Registry.

Prerequisites
  • You must have a username and a password for authentication with the Red Hat Container Registry.

Procedure
  1. On the RHACS portal, navigate to Platform Configuration → Integrations.

  2. Under the Image Integrations section, select Red Hat Container Registry.

    The Configure image integration modal box opens.

  3. Click New Integration.

  4. Enter the details for the following fields:

    1. Integration Name: The name of the integration.

    2. Types: Select Registry.

    3. Endpoint: The address of the registry.

    4. Username and Password.

  5. Select Test (checkmark icon) to test that the integration with the selected registry is working.

  6. Select Create (save icon) to create the configuration.