Follow the steps below to add an OpenShift registry in order to scan it.
- Dedicated Linux instance with Docker installed
- Deployed Qualys Container Security Sensor in registry mode. Refer to the Sensor Deployment Guide for instructions.
You'll first need to create a service account and extract the service account token. Then log into the Container Security UI to add the registry.
1) Setup the OpenShift registry for public access. By default, the registry is not accessible outside of the cluster. You can configure it to be accessible publicly. Refer to the OpenShift documentation on Exposing the Registry.
2) Create a new service account for use with Qualys. Refer to the OpenShift documentation on Using Service Accounts in Applications.
3) Create and apply cluster role binding to assign permissions needed to access the registry and list the images. Associate the role "registry-viewer" to the service account. Refer to the OpenShift documentation on Creating a Cluster Role using RBAC.
Here's a sample yaml where the service account is named "qualystestuser":
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: qualystestuserbinding
selfLink: >-
/apis/rbac.authorization.k8s.io/v1/clusterrolebindings/balatestbindingclusterwide
uid: 71967d33-d7d4-470d-a7f1-dc43794d5af6
resourceVersion: '1263987'
creationTimestamp: '2021-05-20T19:51:09Z'
subjects:
- kind: ServiceAccount
name: qualystestuser
namespace: default
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: registry-viewer
Perform the following commands to extract the service account token. You'll need this token to add the registry.
oc describe sa qualystestuser
oc describe secrets ##token##
Perform the following command to assign permissions to access the registry and list the images:
oc adm policy add-cluster-role-to-user registry-viewer system:serviceaccount:<project>:qualystestuser
Perform the following commands to verify that the user has permission to list repositories:
oc login -u user
curl -v -u unused:$(oc whoami -t) https://<registry_server>:<port>/v2/_catalog?n=100
1) In the Container Security UI, go to Assets > Registries and click New Registry.
2) Select Docker V2-Private from the Registry Type menu.
3) Provide the OpenShift URL in the URL field.
4) Provide the service account credentials under Authentication.
5) Click Next to define a registry scan schedule or on demand scan. For help with scan settings, see Configure Scan Settings.
Tip - You can also use the Container Security API to add a registry. See the Container Security API User Guide for details.