The StackRox Kubernetes Security Platform integrates with a variety of image registries so that you can understand your images and apply security policies for image usage.
When you integrate with image registries, you can view important image details, such as image creation date and Dockerfile details (including image layers).
Once you’ve integrated with your registry, you can scan images, view image components, and apply security policies both before you deploy images or for the already deployed images in your clusters.
When you integrate with an image registry, the StackRox Kubernetes Security Platform doesn’t scan all images in your registry. The StackRox Kubernetes Security Platform only scans the images when you:
- use the images in deployments,
- use the roxctl CLI to check images, or
- use a continuous integration system to enforce security policies.
You can enforce security policies to prevent running vulnerable deployments in your cluster. For more details, see build-time policies in the Evaluate the StackRox Kubernetes Security Platform topic.
You can integrate the StackRox Kubernetes Security Platform with several major image registries, including:
- Amazon Elastic Container Registry (ECR)
- Docker Hub
- Docker Trusted Registry
- Google Container Registry (GCR)
- Google Artifact Registry
- IBM Cloud Container Registry (ICR)
- JFrog Artifactory
- Microsoft Azure Container Registry (ACR)
- Red Hat Quay
- Red Hat container registries
- Sonatype Nexus
as well as any other registry that uses standard APIs.
The StackRox Kubernetes Security Platform includes default integrations with standard registries, such as Docker Hub and others.
The StackRox Kubernetes Security Platform also automatically configures integrations based on image pull secrets in the monitored clusters. Usually, you won’t need to manually configure registry integrations.
If you use registries like GCR and ECR, and have your clusters set up to pull images using node IAM (Identity and Access Management) instead of image pull secrets, the StackRox Kubernetes Security Platform won't create a registry integration automatically. In such cases you must manually create the image registry integrations.
Depending upon the registry you are integrating, you must have appropriate access and permissions for the user, group, or service account you want to use.
- Google Container Registry (GCR): You need a Service Account Key. The associated service account must have access to the registry. See Configuring access control for information about granting users and other projects access to GCR. If you are using GCR Container Analysis, you must also grant the following roles to the service account:
  - Container Analysis Notes Viewer
  - Container Analysis Occurrences Viewer
  - Storage Object Viewer
- Google Artifact Registry: You need a Service Account Key with the Artifact Registry Reader IAM role. Integration with Google Artifact Registry is only available if you are using the StackRox Kubernetes Security Platform version 3.0.51 or newer.
- Amazon Elastic Container Registry (ECR): You need an Access Key ID and a Secret Access Key. Alternatively, you can use a node-level IAM proxy such as kube2iam. The access key must have read access to ECR. See How do I create an AWS access key? for more information.
If you are running the StackRox Kubernetes Security Platform in Amazon Elastic Kubernetes Service (EKS) and want to integrate with an ECR in a separate Amazon account, you must first set a repository policy statement in your ECR. Follow the instructions at Setting a Repository Policy Statement and, for Actions, choose the following Amazon ECR API operations:
- ecr:BatchCheckLayerAvailability
- ecr:BatchGetImage
- ecr:DescribeImages
- ecr:GetDownloadUrlForLayer
- ecr:ListImages
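An ECR repository policy statement of the kind described above, added here as an example and not taken from the StackRox documentation: it grants only the five read-only ECR actions listed on this page to the AWS account that runs the StackRox cluster. The statement ID and the principal account ID are placeholders, since the page does not name them.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowStackRoxCrossAccountImageRead",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<STACKROX_CLUSTER_ACCOUNT_ID>:root"
      },
      "Action": [
        "ecr:BatchCheckLayerAvailability",
        "ecr:BatchGetImage",
        "ecr:DescribeImages",
        "ecr:GetDownloadUrlForLayer",
        "ecr:ListImages"
      ]
    }
  ]
}
```

Apply it with `aws ecr set-repository-policy --repository-name <repo> --policy-text file://policy.json` in the account that owns the repository; narrowing the Principal to the specific IAM role assumed by the EKS nodes (or by kube2iam) rather than the account root keeps the grant to least privilege.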
To create a new image registry integration:
1. On the StackRox portal, navigate to Platform Configuration > Integrations.
2. Under the Images section, select your registry provider. For example, Google Cloud, AWS ECR, or Generic Docker Registry.
3. The Configure image integration modal box opens. Fill in the required details for:
   - Integration Name: The name you want to give to this integration.
   - Integration Type: Select Registry.
   - Endpoint: Your Docker registry address.
   - Registry ID and Region (for ECR only).
4. Depending upon the registry provider you have selected, enter your access credentials. For example:
   - Username and Password for Docker registries, ACR, JFrog, and Sonatype Nexus.
   - Access Key ID and Secret Access Key for ECR. Or, if you are using a node-level IAM proxy like kube2iam, turn on the Use container IAM role toggle.
   - Service Account Key (JSON) for GCR and Google Artifact Registry.
   - App ID and Service Principal Password for ACR.
   - OAuth Token for Quay.
   - Access Key and Secret Key for tenable.io.
5. Select Test (checkmark icon) to test that the integration with the selected registry is working.
6. Select Create (save icon) to create the configuration.