OpenShift Registry
Click to view navigation pane


OpenShift Registry

Follow the steps below to add an OpenShift registry in order to scan it.

Prerequisites

Create a service account

You'll first need to create a service account and extract the service account token. Then log into the Container Security UI to add the registry.

  1. Setup the OpenShift registry for public access. By default, the registry is not accessible outside of the cluster. You can configure it to be accessible publicly. Refer to the OpenShift documentation on Exposing the Registry.   
  2. Create a new service account for use with Qualys. Refer to the OpenShift documentation on Using Service Accounts in Applications.  
  3. Create and apply cluster role binding to assign permissions needed to access the registry and list the images. Associate the role "registry-viewer" to the service account. Refer to the OpenShift documentation on Creating a Cluster Role using RBAC.  

    Here's a sample yaml where the service account is named "qualystestuser":  

    kind: ClusterRoleBinding
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
    name: qualystestuserbinding
    selfLink: >-
     /apis/rbac.authorization.k8s.io/v1/clusterrolebindings/balatestbindingclusterwide
    uid: 71967d33-d7d4-470d-a7f1-dc43794d5af6
    resourceVersion: '1263987'
    creationTimestamp: '2021-05-20T19:51:09Z'
    subjects:
    - kind: ServiceAccount
      name: qualystestuser
      namespace: default
    roleRef:
     apiGroup: rbac.authorization.k8s.io
     kind: ClusterRole
     name: registry-viewer  

Extract the service account

Perform the following commands to extract the service account token. You'll need this token to add the registry.  

oc describe sa qualystestuser

oc describe secrets ##token##  

List images in OpenShift registry

Perform the following command to assign permissions to access the registry and list the images:

oc adm policy add-cluster-role-to-user registry-viewer system:serviceaccount:<project>:qualystestuser

Perform the following commands to verify that the user has permission to list repositories:

oc login -u user

curl -v -u unused:$(oc whoami -t) https://<registry_server>:<port>/v2/_catalog?n=100  

Add the OpenShift registry

  1. In the Container Security UI, go to Assets > Registries and click New Registry.  
  2. Select Docker V2-Private from the Registry Type menu.
  3. Provide the OpenShift URL in the URL field.
  4. Provide the service account credentials under Authentication.  
  5. Click Next to define a registry scan schedule or on demand scan. For help with scan settings, see Configure Scan Settings.

You can also use the Container Security API to add a registry. See the Container Security API User Guide for details.