Kaspersky Container Security

Adding integrations with external image registries

Integrated registries support only local image repositories that directly contain the images. In version 2.0, Kaspersky Container Security does not support working with remote or virtual repositories.

To add an integration with an external registry:

  1. In the Administration → Integrations → Image registries section, click the Add registry button.

    The integration settings window opens.

  2. On the Registry details tab, specify the settings for connection to the registry:
    1. Enter the name of the registry.
    2. If required, enter a description of the registry.
    3. Select the registry type from the drop-down list. Kaspersky Container Security supports the following types of registries:
      • Harbor (integration using the Harbor V2 API).
      • GitLab Registry (integration using the GitLab Container Registry API).
      • JFrog Artifactory (integration using the JFrog API).
      • Sonatype Nexus Repository OSS (integration using the Nexus API).
      • Yandex Registry (integration using the Yandex Container Registry API).
      • Docker Hub (integration using the Docker Hub API).
      • Docker Registry (integration using the Docker Registry V2 API).
      • Red Hat Quay (integration using the Red Hat Quay API).
      • Amazon Elastic Container Registry (integration using the Amazon Elastic Container Registry API).

      Access through the Docker Registry V2 API is available when the integration is configured with Sonatype Nexus Repository OSS, Harbor, JFrog Artifactory (using the port or subdomain method), or Yandex Registry. It is not supported for GitLab Registry, Docker Hub, or JFrog Artifactory accessed via Repository Path.

    4. If you are setting up a JFrog Artifactory integration, select how Docker repositories are addressed in the Repository Path method drop-down list:
      • Repository path.
      • Subdomain.
      • Port.
    5. If you are configuring an integration with Sonatype Nexus Repository OSS, select the pull mode: Tagged images or All images. In All images mode, the solution pulls every image in the registry regardless of whether it is tagged. Untagged images are displayed with their build hash.
    6. If you are configuring an integration with JFrog Artifactory, Harbor, GitLab Registry, Sonatype Nexus Repository OSS, Docker Registry, or Red Hat Quay, enter the full URL that points directly to the container registry. We recommend an HTTPS connection (HTTP is also supported).

      If you use HTTP, or HTTPS with a self-signed or otherwise invalid certificate, you must add the registry to the Docker engine's list of insecure registries (the insecure-registries setting of the Docker daemon) on the nodes where the server and the scanner are installed. Note that this disables TLS certificate verification for that registry, and with HTTP sends credentials and image content unencrypted; where possible, install the registry's CA certificate on those nodes instead and keep HTTPS verification enabled.

    7. If you are configuring an integration with JFrog Artifactory, Harbor, GitLab Registry, Sonatype Nexus Repository OSS, or Red Hat Quay, enter the full URL that points to the registry API.
    8. Select an authentication method and specify the necessary data for it as follows:
      • If you are configuring an integration with GitLab Registry, select authentication using an account or an access token.
      • If you configure an integration with such a registry as Yandex Registry, select authentication using an API key (Yandex OAuth token) or using a user name and token. Specify oauth for the user name when using the Yandex OAuth token, or iam when using the Yandex IAM token.
      • For such registries as Sonatype Nexus Repository OSS and Docker Hub, authentication is performed only with an account.
      • For such a registry as Harbor, authentication is only permitted with an account of a user or a robot.
      • For such a registry as Docker Registry, authentication is only conducted using a user name and password, which are provided by the Docker V2 API.
      • For Red Hat Quay registries, the organization name and an access token are the only authentication method. Specify these parameters in the Organization name and OAuth token fields.
      • For Amazon Elastic Container Registry, you authenticate by specifying the region, the Access key ID, and the Secret access key.

        In the Region field, specify one of the Amazon Web Services regions (for example, us-west-2 or us-east-2).

        For the Access key ID and Secret access key settings, specify the values of an access key created in the AWS Management Console.

  3. Go to the Repository caching tab and use the Disabled/Enabled toggle switch to enable repository caching if necessary. If caching is disabled, repositories and images in the Registry section are displayed only if the Search field is used. If caching is enabled, the solution displays the list of available repositories and images. By default, repository caching is disabled.

    Enabling repository caching may impact the performance of Kaspersky Container Security.

  4. Go to the Image scan details tab and specify the following image scan settings:
    • Scan timeout in minutes for images from this registry. The default scan timeout is 60 minutes.

      If image scanning lasts longer than the specified time, the scanning stops and the image is returned to the scanning queue. The solution will requeue the image up to 3 times. This means that the time required to scan an image from the registry may be tripled.

      • Image pull and scan settings for the registry. By default, Manual is selected in Pull and scan images: images are not pulled from the registry automatically, but the user can add images to the list of images for scanning manually. Images added this way are queued for scanning automatically.

      If you want images to be pulled from the registry and queued for scanning automatically, select Automatic in Pull and scan images and configure the settings for image pulling and scanning. The following options are available:

      • Scan interval (days) is the interval in days of image pulling from the registry for scanning. The default setting is 1 day.
      • Scan time (GMT) is the time of day, in GMT, at which the scheduled pull and scan of the registry starts.
      • If necessary, select the check box to re-scan previously pulled images whenever new images are scanned.
      • If necessary, under Advanced settings, select the Name / tag criteria check box to use image name or tag patterns to specify which images you want to be pulled and scanned. If you select the check box, Kaspersky Container Security will only pull those images that match the specified patterns for scanning.

        You can use the following patterns:

        • by image name and tag – <name><:tag>
        • by image name only – <name>
        • by image tag only – <:tag>

        For example:

        • for the alpine pattern, all images with the name "alpine" are pulled, regardless of the tag;
        • for the 4 pattern, all images with tag 4 are pulled, regardless of the image name;
        • for the alpine:4 pattern, all images with the name "alpine" and tag 4 are pulled.

        When generating patterns, you can use the * character, which replaces any number of characters.

        You can add one or more patterns.

      • Select one of the additional conditions for pulling images:
        • If no additional conditions are required, select No additional conditions.
        • If you want to pull only images created within a specific time frame, select this option and, in the fields to the right, specify the length of the period and its unit of measure. By default, the period is 60 days.
        • If you want to pull only the most recent tags of each repository, ordered by image creation date, select this option and, in the field to the right, specify how many of the latest tags from each repository to take into account.
      • If necessary, under Exceptions, select or clear check boxes to specify exceptions for image pulling:
        • Never pull images with the name/tag pattern: using image name/tag patterns, specify which images are excluded from pulling and scanning.
        • Always pull images with the name/tag pattern: using image name/tag patterns, specify which images are always pulled and scanned, regardless of the other conditions set above.
  5. Click Test connection to see if a connection with the registry can be established.
  6. Click the Save button at the top of the window to save the registry integration settings.
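The image selection rules from step 4 (name/tag patterns, the additional conditions, and the Never pull / Always pull exceptions) are easy to get wrong when combined, so the following added Python model lets you dry-run a policy against a list of images before switching a registry to Automatic. It is example code written for this page, not part of Kaspersky Container Security, and it does not call the product's API. Assumptions not stated on the page: patterns are matched against the full repository name with `*` as the only wildcard; a tag-only pattern keeps the leading colon from the `<:tag>` syntax (so `:4` rather than `4`); when both a Never pull and an Always pull pattern match, the exclusion wins; and only tagged images are ranked for the "latest tags" condition. The registry contents, the policies, and the reference time are constructed.

```python
"""Dry-run model of an Automatic 'Pull and scan images' policy:
name/tag patterns, additional conditions, and the Never/Always pull exceptions.
Example code for illustration; not Kaspersky Container Security's implementation."""
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass(frozen=True)
class Image:
    name: str            # repository name as listed by the registry
    tag: Optional[str]   # None for an untagged image (the UI shows its build hash)
    created: datetime    # image creation time (UTC)


def glob_match(glob: str, value: str) -> bool:
    """'*' matches any run of characters; everything else is literal (assumption)."""
    regex = ".*".join(re.escape(part) for part in glob.split("*"))
    return re.fullmatch(regex, value) is not None


def split_pattern(pattern: str):
    """'<name>' -> (name, None); '<:tag>' -> (None, tag); '<name>:<tag>' -> (name, tag)."""
    if pattern.startswith(":"):
        return None, pattern[1:]
    name, sep, tag = pattern.partition(":")
    return name, (tag if sep else None)


def matches(image: Image, pattern: str) -> bool:
    name_glob, tag_glob = split_pattern(pattern)
    if name_glob is not None and not glob_match(name_glob, image.name):
        return False
    if tag_glob is not None:
        # A tag pattern can never match an untagged image.
        if image.tag is None or not glob_match(tag_glob, image.tag):
            return False
    return True


@dataclass
class PullPolicy:
    include: list = field(default_factory=list)      # Name / tag criteria; empty = no filter
    created_within: Optional[timedelta] = None       # "only images created within a time frame"
    latest_tags: Optional[int] = None                # "N latest tags from each repository"
    never_pull: list = field(default_factory=list)   # Exceptions: never pull
    always_pull: list = field(default_factory=list)  # Exceptions: always pull


def select_images(images, policy: PullPolicy, now: datetime):
    """Return, in input order, the images the policy would pull and queue for scanning."""
    newest = {}
    if policy.latest_tags is not None:
        by_repo = {}
        for img in images:
            if img.tag is not None:  # assumption: only tagged images are ranked
                by_repo.setdefault(img.name, []).append(img)
        for name, imgs in by_repo.items():
            imgs.sort(key=lambda i: i.created, reverse=True)
            newest[name] = {i.tag for i in imgs[: policy.latest_tags]}

    selected = []
    for img in images:
        # Assumption: deny wins, so a Never pull pattern beats an Always pull one.
        if any(matches(img, p) for p in policy.never_pull):
            continue
        if any(matches(img, p) for p in policy.always_pull):
            selected.append(img)  # bypasses criteria and additional conditions
            continue
        if policy.include and not any(matches(img, p) for p in policy.include):
            continue
        if policy.created_within is not None and img.created < now - policy.created_within:
            continue
        if policy.latest_tags is not None and img.tag not in newest.get(img.name, set()):
            continue
        selected.append(img)
    return selected


NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # constructed reference time


def _days_ago(n: int) -> datetime:
    return NOW - timedelta(days=n)


SAMPLE_IMAGES = [  # constructed registry contents
    Image("alpine", "3.19", _days_ago(10)),
    Image("alpine", "3.18", _days_ago(100)),
    Image("alpine", "edge", _days_ago(1)),
    Image("alpine", None, _days_ago(3)),  # untagged image
    Image("nginx", "1.25", _days_ago(5)),
    Image("nginx", "1.24", _days_ago(200)),
    Image("internal/debug-tools", "latest", _days_ago(2)),
]


def demo_policy():
    """Criteria + 60-day window + exceptions, as configured on the Image scan details tab."""
    policy = PullPolicy(include=["alpine", "nginx"], created_within=timedelta(days=60),
                        never_pull=["*:edge"], always_pull=["nginx:1.24"])
    return [(i.name, i.tag) for i in select_images(SAMPLE_IMAGES, policy, NOW)]


def demo_latest_tags(n: int = 1):
    """Only the N most recent tags per repository, no other conditions."""
    return [(i.name, i.tag) for i in select_images(SAMPLE_IMAGES, PullPolicy(latest_tags=n), NOW)]


if __name__ == "__main__":
    print(demo_policy())
    print(demo_latest_tags())
```

Two things the run makes visible that the settings page does not: an Always pull exception skips the time-frame condition entirely (the 200-day-old nginx:1.24 is still pulled), and an untagged image passes a name-only criterion but can never satisfy a tag pattern or the latest-tags condition, so registries in All images mode need name-based criteria if untagged builds are meant to be scanned.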

Example of Red Hat Quay registry integration settings