Kaspersky Container Security
2.0
English

Contents

Specifying secrets when starting a scan

When starting a scan job in the CI/CD process, the registry containing the scanner image (the lite or with-db scanner for the corresponding version of Kaspersky Container Security) can be accessible only after authorization. For authorization, you can pass the required secrets in the scan job.

To be authorized for access to the registry when starting a scan job:

  1. Create a secret:

    kubectl create secret docker-registry ci-creds --docker-server=client.repo.example.com --docker-username=username --docker-password=password

  2. In the scan job, specify the value of the imagePullSecrets variable:

    imagePullSecrets:

    - name: ci-creds

  3. Start the scan job.

    Example of a scan job with secrets for authorization

    kind: Job

    metadata:

    name: my-job

    spec:

    template:

    spec:

    containers:

    - name: my-container

    image: client.repo.example.com/scanner:master

    command: ["/bin/sh"]

    args: ["entrypoint.sh", "apline:latest"]

    env:

    - name: COMPANY_EXT_REGISTRY_USERNAME

    value: another_username

    - name: COMPANY_EXT_REGISTRY_PASSWORD

    value: another_password

    - name: API_BASE_URL

    value: https://some.kcs.env.example

    - name: API_TOKEN

    value: kcs_blablabla

    - name: SKIP_API_SERVER_VALIDATION

    value: 'true'

    imagePullPolicy: Always

    restartPolicy: Never

    imagePullSecrets:

    - name: ci-creds

    backoffLimit: 0

In this example, the scan job contains the following secrets:

  • The secret for downloading the scanner image (specified in the imagePullSecrets variable).
  • The password for downloading the image to be scanned if access to the relevant registry is restricted (specified in the COMPANY_EXT_REGISTRY_PASSWORD variable).

You can omit these passwords if the registry that the solution gains access to when running a scan job is accessible without authorization.

Page top
[Topic 281598]