Integrate with image registries

Configure connections with image registries.


The StackRox Kubernetes Security Platform integrates with a variety of image registries so that you can understand your images and apply security policies for image usage.

When you integrate with image registries, you can view important image details, such as image creation date and Dockerfile details (including image layers).

Once you’ve integrated with your registry, you can scan images, view image components, and apply security policies both before you deploy images and to images already deployed in your clusters.

When you integrate with an image registry, the StackRox Kubernetes Security Platform doesn’t scan all images in your registry. The StackRox Kubernetes Security Platform only scans the images when you:

You can integrate the StackRox Kubernetes Security Platform with several major image registries, including:

and any other registry that uses standard APIs.

Automatic Configuration

The StackRox Kubernetes Security Platform includes default integrations with standard registries, such as Docker Hub and others.

The StackRox Kubernetes Security Platform also automatically configures integrations based on image pull secrets in the monitored clusters. Usually, you won’t need to manually configure registry integrations.

If you use registries such as GCR and ECR and your clusters pull images using node IAM (Identity and Access Management) roles rather than image pull secrets, there is no pull secret for the StackRox Kubernetes Security Platform to derive an integration from, so it won’t create one automatically. In that case you must configure the registry integration manually.

Manual Configuration

If you are using GCR or ECR with node IAM, you must manually create Image Registry integrations.

Required permissions and access roles

Depending upon the registry you are integrating, you must have appropriate access and permissions for the user, group, or service account you want to use.

GCR

  1. You need a Service Account Key.

  2. The associated service account must have access to the registry. See Configuring access control for information about granting users and other projects access to GCR.

  3. If you are using GCR Container Analysis, you must also grant the following roles to the service account:

    • Container Analysis Notes Viewer
    • Container Analysis Occurrences Viewer
    • Storage Object Viewer

Google Artifact Registry

  1. You need a Service Account Key with the Artifact Registry Reader IAM role (roles/artifactregistry.reader).

Integration with Google Artifact Registry is only available if you are using the StackRox Kubernetes Security Platform version 3.0.51 or newer.
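The following script is an added example, not StackRox’s or Google’s own tooling, showing how to provision a read-only service account for either the GCR (with Container Analysis) or the Google Artifact Registry case above and mint the JSON key that the Service Account Key field expects. The project ID, account name and key path are constructed placeholders, and the three Container Analysis/Storage role IDs are assumed to correspond to the display names listed above (the Artifact Registry role ID is the one the page gives). It prints the gcloud commands instead of running them unless DRY_RUN=0.

```shell
#!/bin/sh
# Added example (not StackRox's or Google's code): provision a least-privilege
# service account for a StackRox registry integration.
# Placeholders (constructed): project "my-project", account "stackrox-reader".
# Dry-run by default: commands are printed, not executed, unless DRY_RUN=0.

run() {
  if [ "${DRY_RUN:-1}" = 1 ]; then printf '+ %s\n' "$*"; else "$@"; fi
}

# Artifact Registry needs only the reader role named on the page.
artifact_registry_roles() {
  echo roles/artifactregistry.reader
}

# GCR with Container Analysis: role IDs assumed for the three display names
# (Storage Object Viewer also satisfies GCR step 2, since GCR is backed by GCS).
gcr_container_analysis_roles() {
  printf '%s\n' roles/storage.objectViewer \
                roles/containeranalysis.notes.viewer \
                roles/containeranalysis.occurrences.viewer
}

# Service account e-mail for a given project and short name.
sa_email() {
  echo "$2@$1.iam.gserviceaccount.com"
}

# $1 = project ID, $2 = service account name, $3 = registry kind: gar | gcr
provision_sa() {
  project="$1"; name="$2"; kind="$3"
  email="$(sa_email "$project" "$name")"
  case "$kind" in
    gar) roles="$(artifact_registry_roles)" ;;
    gcr) roles="$(gcr_container_analysis_roles)" ;;
    *)   echo "unknown registry kind: $kind (use gar or gcr)" >&2; return 1 ;;
  esac
  run gcloud iam service-accounts create "$name" --project "$project" \
      --display-name "StackRox registry reader"
  for role in $roles; do
    run gcloud projects add-iam-policy-binding "$project" \
        --member "serviceAccount:${email}" --role "$role"
  done
  # The key file is a long-lived credential: paste it into the integration and
  # then delete the local copy (or keep it only in a secrets manager).
  run gcloud iam service-accounts keys create "${name}-key.json" \
      --iam-account "$email"
}

# Usage (dry-run prints the commands):
provision_sa my-project stackrox-reader "${REGISTRY_KIND:-gar}"
```

Binding the roles at project level is the simplest form; for GCR you can bind Storage Object Viewer on the registry bucket alone, and for Artifact Registry on the individual repository, if you want the key to reach nothing else.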

ECR

  1. You need an Access Key ID and a Secret Access Key.
  2. Alternatively, if the StackRox components run on nodes that carry an IAM role via a node-level IAM proxy such as kiam or kube2iam, you can use that role instead of a static access key.
  3. The access key must have read access to ECR. See How do I create an AWS access key? for more information.

If you are running the StackRox Kubernetes Security Platform in Amazon Elastic Kubernetes Service (EKS) and want to integrate with an ECR registry that lives in a separate AWS account, you must first set a repository policy statement on that ECR repository so that the principal from your account is allowed to read it.

Follow the instructions at Setting a Repository Policy Statement and, for Actions, select the following Amazon ECR API operations:

ecr:BatchCheckLayerAvailability
ecr:BatchGetImage
ecr:DescribeImages
ecr:GetDownloadUrlForLayer
ecr:ListImages
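The following script is an added example, not StackRox’s or AWS’s own code, that builds a repository policy granting exactly the five actions above to a principal in another account and applies it with the AWS CLI. The account ID 111122223333 and the repository name payments/api are constructed placeholders. Nothing is sent to AWS unless APPLY=1; by default the policy document is only printed.

```shell
#!/bin/sh
# Added example (not StackRox's code): ECR cross-account pull policy.
# Placeholders (constructed): account 111122223333, repository "payments/api".

# Print a repository policy that lets the given principal perform the five
# read-only ECR actions StackRox needs. Use a role ARN rather than the account
# root where you can, so only the StackRox node/role identity is allowed.
# $1 = principal ARN, e.g. arn:aws:iam::111122223333:root
ecr_pull_policy() {
  principal="$1"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowStackRoxPull",
      "Effect": "Allow",
      "Principal": { "AWS": "${principal}" },
      "Action": [
        "ecr:BatchCheckLayerAvailability",
        "ecr:BatchGetImage",
        "ecr:DescribeImages",
        "ecr:GetDownloadUrlForLayer",
        "ecr:ListImages"
      ]
    }
  ]
}
EOF
}

# Count how many of the five required actions appear in a policy text.
# Used as a sanity check before applying a hand-edited policy.
# $1 = policy JSON text
count_required_actions() {
  n=0
  for a in ecr:BatchCheckLayerAvailability ecr:BatchGetImage ecr:DescribeImages \
           ecr:GetDownloadUrlForLayer ecr:ListImages; do
    if printf '%s' "$1" | grep -q "\"$a\""; then n=$((n + 1)); fi
  done
  echo "$n"
}

POLICY="$(ecr_pull_policy "arn:aws:iam::111122223333:root")"

if [ "${APPLY:-0}" = 1 ]; then
  [ "$(count_required_actions "$POLICY")" -eq 5 ] || { echo "policy incomplete" >&2; exit 1; }
  # --repository-name is the repository in the registry's own account;
  # run this with credentials for that account.
  aws ecr set-repository-policy \
    --repository-name payments/api \
    --policy-text "$POLICY"
else
  printf '%s\n' "$POLICY"
fi
```

A repository policy is one half of cross-account access: the identity in your account that StackRox uses (the access key’s user or the node IAM role) must also be allowed the same ecr: actions by an identity-based policy in its own account, otherwise AWS still denies the request.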

Configure an integration

To create a new image registry integration:

  1. On the StackRox portal, navigate to Platform Configuration > Integrations.

  2. In the Images section, select your registry provider. For example, Google Cloud, AWS ECR, or Generic Docker Registry.

  3. The Configure image integration modal box opens. Fill in the required details for:

    1. Integration Name: The name you want to give to this integration.

    2. Integration Type: Select Registry.

    3. Endpoint: Your Docker registry address.

    4. Registry ID and Region (for ECR only).

    5. Depending upon the registry provider you have selected, enter your access credentials. For example,

      • Username and Password for Docker registries, ACR, JFrog, and Sonatype Nexus.
      • Access Key ID and Secret Access Key for ECR. Or, if you are using a node-level IAM proxy like kiam or kube2iam, turn on the Use container IAM role toggle.
      • Service Account Key (JSON) for GCR and Google Artifact Registry.
      • App ID and Service Principal Password for ACR.
      • OAuth Token for Quay.
      • Access Key and Secret Key for tenable.io.
  4. Select Test (checkmark icon) to test that the integration with the selected registry is working.

  5. Select Create (save icon) to create the configuration.
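The following script is an added example, not StackRox’s own code, that performs the same Generic Docker Registry procedure from a shell: it builds the integration definition, tests it, and then creates it. The Central API path /v1/imageintegrations, its /test sub-path and the request field names used here are assumptions about the StackRox API that this page does not document, so check them against your version before relying on them. The registry address is a constructed placeholder; the Central endpoint, API token and registry credentials are read from the environment, and nothing is sent unless APPLY=1.

```shell
#!/bin/sh
# Added example (not StackRox's code): create a registry integration via the
# Central API. Assumed (undocumented here): POST /v1/imageintegrations/test,
# POST /v1/imageintegrations, and the JSON fields below.
# Placeholder (constructed): registry.example.internal:5000.

# Escape a value for inclusion inside a JSON string literal (backslash and
# double quote), so a password containing either cannot break the document.
json_escape() {
  printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# Build the body for a REGISTRY-category integration of type "docker".
# $1 = integration name, $2 = registry endpoint, $3 = username, $4 = password
registry_payload() {
  name="$(json_escape "$1")"; endpoint="$(json_escape "$2")"
  user="$(json_escape "$3")"; pass="$(json_escape "$4")"
  cat <<EOF
{
  "name": "${name}",
  "type": "docker",
  "categories": ["REGISTRY"],
  "docker": {
    "endpoint": "${endpoint}",
    "username": "${user}",
    "password": "${pass}",
    "insecure": false
  }
}
EOF
}

if [ "${APPLY:-0}" = 1 ]; then
  : "${ROX_ENDPOINT:?host:port of Central}" "${ROX_API_TOKEN:?API token}" \
    "${REGISTRY_USER:?registry username}" "${REGISTRY_PASSWORD:?registry password}"
  body="$(registry_payload internal-registry registry.example.internal:5000 \
            "$REGISTRY_USER" "$REGISTRY_PASSWORD")"
  # Test first (the portal's checkmark), then create (the save icon). The body
  # is passed on stdin so the password never appears in the process list.
  for path in /v1/imageintegrations/test /v1/imageintegrations; do
    printf '%s' "$body" | curl -fsS -X POST "https://${ROX_ENDPOINT}${path}" \
      -H "Authorization: Bearer ${ROX_API_TOKEN}" \
      -H "Content-Type: application/json" \
      --data @-
  done
else
  registry_payload internal-registry registry.example.internal:5000 svc-reader '<redacted>'
fi
```

Use a registry account that can only pull (read) images; the integration never needs push rights, and a read-only credential limits the damage if the Central database or the API token is ever exposed.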


© 2021 StackRox Inc. All rights reserved.