Contents
- Setting up integration with external image registries
- Minimum sufficient rights for integration with registries
- Working with public registries without authorization
- Adding integrations with external image registries
- Viewing information about integrations with registries
- Deleting integration with external registry
- Harbor integration
- Creating an integration upon Harbor request
- Viewing and editing the Harbor External Integration settings
- Rescanning
Setting up integration with external image registries
Kaspersky Container Security can scan images from the following external image registries:
- Harbor
- GitLab Registry
- JFrog Artifactory
- Sonatype Nexus Repository OSS
- Yandex Registry
- Docker Hub
- Docker Registry
Integration with Docker Registry requires support of the Docker Registry V2 API on the external registry server side.
- Red Hat Quay
- Amazon Elastic Container Registry
You need to configure the integration of the solution with external registries so that the solution can scan images from external registries. Images from registries integrated with Kaspersky Container Security can be scanned automatically or manually, depending on the configured image pulling and scanning settings for each registry.
Minimum sufficient rights for integration with registries
To integrate with external image registries, a Kaspersky Container Security account must have a certain set of rights, which differs depending on the registry type. The list of the minimum account rights required for integration is given below for each registry type.
GitLab
To integrate the solution with a GitLab user's registry, you should define the parameter values as follows:
- User role in the project or group: Reporter.
- Level of access to the project: Reporter.
- Rights assigned to the user token: read_api, read_registry.
JFrog Artifactory
To integrate the solution with a JFrog user's registry, you should define the parameter values as follows:
- User role in the project or group: Manage Reports.
- Project access: Can Update Profile.
- User rights: the right to read any repository (ANY repository).
Harbor
To integrate the solution with a Harbor user's registry, you should define the parameter values as follows:
- Member type: user. To do this, specify User in the Member Type column of the table in the Projects → Members section.
- User role in the project or group: user with limited rights. To do this, you must specify Guest in the Role column of the table in the Projects → Members section.
- User rights: user without administrator rights. To do this, you must select No in the Administrator column of the table in the Users section.
Nexus
To integrate the solution with a Nexus user's registry, you should define the parameter values as follows:
- User role in the project or group: user.
- Rights assigned to the user role in the project or group: nx-apikey-all, nx-repository-view-docker-*-browse, nx-repository-view-docker-*-read. The asterisk grants browse and read on every Docker-format repository; if the solution only needs to scan one repository, Nexus lets you grant the same browse and read privileges for that repository name instead of the wildcard.
Docker Hub
The solution integrates with a Docker Hub user's registry after authorization using the user name and password.
This Docker Hub registry integration option only applies to a personal namespace.
RedHat Quay
To integrate the solution with a RedHat Quay user's registry, the following rights and permissions are required:
- User permissions for correct operation of the Test Connection functionality: user with the Administer Organization permissions.
- View all visible repositories permissions.
- Read/Write to any accessible repositories permissions.
Yandex
To integrate the solution with a Yandex user's registry, you should define the parameter values as follows:
- User role in the project or group: container-registry.viewer.
- Permissions given to a user role in a project or group: view container registries.
Amazon Elastic Container Registry
To integrate the solution with an Amazon Elastic Container Registry user's registry, you should define the parameter values as follows:
- AWS policy for accessing a project or group: AmazonEC2ContainerRegistryReadOnly.
- Permissions given to a user role in a project or group: view and read.
Working with public registries without authorization
Kaspersky Container Security 2.0 does not work with public registries without authorization. For example, you cannot use the solution to scan images when Docker Hub is accessed anonymously.
If you are not authorized in a public registry, you can still use that registry in a cluster, add it to Kaspersky Container Security and manually assign it to a specific scope. However, if a scope contains only public registries in which you are not authorized and you try to add an image in the Resources → Registries section, the solution displays an error stating that images cannot be added because there is no registry integration.
Adding integrations with external image registries
Integrated registries support only local image repositories that directly contain the images. In version 2.0, Kaspersky Container Security does not support working with remote or virtual repositories.
To add an integration with an external registry:
- In the Administration → Integrations → Image registries section, click the Add registry button.
The integration settings window opens.
- On the Registry details tab, specify the settings for connection to the registry:
- Enter the name of the registry.
- If required, enter a description of the registry.
- Select the registry type from the drop-down list. Kaspersky Container Security supports the following types of registries:
- Harbor (integration using the Harbor V2 API).
- GitLab Registry (integration using the GitLab Container Registry API).
- JFrog Artifactory (integration using the JFrog API).
- Sonatype Nexus Repository OSS (integration using the Nexus API).
- Yandex Registry (integration using the Yandex Container Registry API).
- Docker Hub (integration using the Docker Hub API).
- Docker Registry (integration using the Docker Registry V2 API).
- Red Hat Quay (integration using the Red Hat Quay API).
- Amazon Elastic Container Registry (integration using the Amazon Elastic Container Registry API).
The generic Docker Registry type (Docker Registry V2 API) can also be used to connect Sonatype Nexus Repository OSS, Harbor, JFrog Artifactory (accessed via a port or a subdomain), and Yandex Registry. It cannot be used for GitLab Registry, Docker Hub, or JFrog Artifactory accessed via Repository Path.
- If you set up a JFrog Artifactory registry integration, in the Repository Path method drop-down list select how Artifactory exposes its Docker repositories:
- Repository path.
- Subdomain.
- Port.
- If you configure integration with the Sonatype Nexus Repository OSS registry, select the pull mode: Tagged images or All images. If All images mode is selected, the solution pulls all registry images regardless whether they have or lack tags. Untagged images are displayed with the build hash.
- If you configure an integration with JFrog Artifactory, Harbor, GitLab Registry, Sonatype Nexus Repository OSS, Docker Registry, or Red Hat Quay, enter the full URL of the registry that directly points to the container registry. Use an HTTPS connection wherever possible; HTTP is also supported, but it sends credentials and image content in the clear.
If you use HTTP, or HTTPS with a self-signed or otherwise untrusted certificate, the registry must also be configured as an insecure registry for the Docker engine on the nodes where the server and scanner are installed (the insecure-registries setting of the Docker daemon); otherwise pulls from it fail. Treat this as a last resort: with certificate verification disabled, pulled images are not protected against substitution on the network path.
- If you configure an integration with JFrog Artifactory, Harbor, GitLab Registry, Sonatype Nexus Repository OSS, or Red Hat Quay, also enter the full URL that points to the registry API.
- Select an authentication method and specify the data it requires:
- For GitLab Registry, select authentication with an account or with an access token.
- For Yandex Registry, select authentication with an API key (Yandex OAuth token) or with a user name and token. When using a token, specify oauth as the user name for a Yandex OAuth token or iam for a Yandex IAM token.
- For Sonatype Nexus Repository OSS and Docker Hub, authentication is performed only with an account.
- For Harbor, authentication is only permitted with the account of a user or a robot.
- For Docker Registry, authentication is only performed with a user name and password (basic authentication as supported by the Docker Registry V2 API).
- For Red Hat Quay, the organization name and an access token are the only authentication method. Specify them in the Organization name and OAuth token fields.
- For Amazon Elastic Container Registry, authenticate by specifying the region, Access key ID, and Secret access key.
In the Region field, specify one of the Amazon Web Services regions (for example, us-west-2 or us-east-2).
For Access key ID and Secret access key, specify the values of an IAM access key created in the AWS Management Console.
- Go to the Repository caching tab and use the Disabled/Enabled toggle switch to enable repository caching if necessary. If caching is disabled, repositories and images in the Registry section are displayed only if the Search field is used. If caching is enabled, the solution displays the list of available repositories and images. By default, repository caching is disabled.
Enabling repository caching may impact the performance of Kaspersky Container Security.
- Go to the Image scan details tab and specify the following image scan settings:
- Scan timeout in minutes for images from this registry. The default scan timeout is 60 minutes.
If image scanning lasts longer than the specified time, the scan stops and the image is returned to the scanning queue. The solution requeues the image up to 3 times, so the time an image from the registry may spend in scanning can be up to three times the timeout.
- Image pull and scan settings for the registry. By default, Manual is selected in Pull and scan images: images are not pulled from the registry automatically, but the user can manually add images to the list of images for scanning. Newly added images are queued for scanning automatically.
If you want images to be pulled from the registry and queued for scanning automatically, select Automatic in Pull and scan images and configure the pull and scan settings. The following options are available:
- Scan interval (days) is the interval, in days, at which images are pulled from the registry for scanning. The default is 1 day.
- Scan time (GMT) is the time of day, in GMT, at which the scheduled pull and scan starts.
- If necessary, select the check box to re-scan previously pulled images whenever new images are scanned.
- If necessary, under Advanced settings, select the Name / tag criteria check box to use image name or tag patterns to specify which images you want to be pulled and scanned. If you select the check box, Kaspersky Container Security will only pull those images that match the specified patterns for scanning.
You can use the following patterns:
- by image name and tag – <name><:tag>
- by image name only – <name>
- by image tag only – <:tag>
For example:
- the alpine pattern pulls all images with the name "alpine", regardless of the tag;
- the :4 pattern pulls all images with tag 4, regardless of the image name;
- the alpine:4 pattern pulls all images with the name "alpine" and tag 4.
When generating patterns, you can use the * character, which replaces any number of characters.
You can add one or more patterns.
- Select one of the additional conditions for pulling images:
- If no additional conditions are required, select No additional conditions.
- If you want to pull only images created within a specific time frame, select this option and in the fields to the right, specify the duration of the period and the unit of measure. By default, the period is 60 days long.
- If you want to pull only images with the latest tags, counting from the date when the image was created, select this option and in the field to the right, specify how many of the latest tags from each repository you want to be taken into account.
- If necessary, under Exceptions, select or clear the check boxes to specify exceptions for image pulling:
- Never pull images with the name/tag pattern: image name/tag patterns specifying which images are excluded from pulling and scanning.
- Always pull images with the name/tag pattern: image name/tag patterns specifying which images are always pulled and scanned, regardless of the other conditions set above.
- Click Test connection to see if a connection with the registry can be established.
- Click the Save button in the top of the window to save the registry integration settings.
Example of Red Hat Quay registry integration settings
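The Automatic pull settings above combine in a fixed order: the name/tag criteria pick candidates, the additional condition narrows them, and the Exceptions lists adjust the result. The following is an added example, not Kaspersky Container Security code: a local model of those rules run over a constructed repository listing, so you can check what a pattern set would select before enabling Automatic mode on a real registry. The pattern semantics follow the three forms given in the text (a pattern with a colon matches name and tag, a pattern without one matches the name only, a leading colon matches the tag only, and * matches any run of characters); the tie-breaking, the treatment of untagged images, and the precedence of "always" over "never" are assumptions.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Image:
    name: str       # repository name inside the registry
    tag: str        # "" for an untagged image (assumption: shown by its digest)
    created: datetime


def _glob(pattern: str, value: str) -> bool:
    """'*' stands for any number of characters; everything else is literal."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def matches(pattern: str, image: Image) -> bool:
    """Pattern forms from the settings page: <name>:<tag>, <name>, :<tag>."""
    if pattern.startswith(":"):                 # tag only
        return _glob(pattern[1:], image.tag)
    if ":" in pattern:                          # name and tag
        name_pat, tag_pat = pattern.split(":", 1)
        return _glob(name_pat, image.name) and _glob(tag_pat, image.tag)
    return _glob(pattern, image.name)           # name only


def select_for_scan(images, patterns=(), *, max_age_days=None, latest_n=None,
                    never=(), always=(), now=None):
    """Apply the Automatic pull rules in the order the settings page lists them."""
    now = now or datetime.now(timezone.utc)
    # Name/tag criteria: with the check box cleared, every image is a candidate.
    cand = [i for i in images if not patterns or any(matches(p, i) for p in patterns)]
    # Additional condition (the page offers one of the two at a time).
    if max_age_days is not None:
        cutoff = now - timedelta(days=max_age_days)
        cand = [i for i in cand if i.created >= cutoff]
    if latest_n is not None:
        per_repo = {}
        for i in sorted(cand, key=lambda i: i.created, reverse=True):
            per_repo.setdefault(i.name, []).append(i)
        cand = [i for lst in per_repo.values() for i in lst[:latest_n]]
    # Exceptions: "never" removes candidates; "always" adds images back
    # regardless of the conditions above (assumption: it also wins over "never").
    cand = [i for i in cand if not any(matches(p, i) for p in never)]
    forced = [i for i in images if any(matches(p, i) for p in always)]
    selected, seen = [], set()
    for i in cand + forced:
        if (i.name, i.tag) not in seen:
            seen.add((i.name, i.tag))
            selected.append(i)
    return selected


def names(images):
    return sorted(f"{i.name}:{i.tag}" for i in images)


# Constructed listing; names and timestamps are invented for the example.
UTC = timezone.utc
NOW = datetime(2024, 6, 1, tzinfo=UTC)
LISTING = [
    Image("alpine", "3.19", datetime(2024, 5, 20, tzinfo=UTC)),
    Image("alpine", "3.18", datetime(2024, 3, 1, tzinfo=UTC)),
    Image("alpine", "latest", datetime(2024, 5, 30, tzinfo=UTC)),
    Image("nginx", "1.25", datetime(2024, 5, 25, tzinfo=UTC)),
    Image("nginx", "1.24", datetime(2024, 1, 10, tzinfo=UTC)),
    Image("nginx", "dev-20240527", datetime(2024, 5, 28, tzinfo=UTC)),
    Image("tools", "4", datetime(2024, 5, 1, tzinfo=UTC)),
]


def demo():
    """Selection for several settings combinations, keyed by case."""
    return {
        "name only": names(select_for_scan(LISTING, ["alpine"])),
        "tag only": names(select_for_scan(LISTING, [":4"])),
        "name and tag": names(select_for_scan(LISTING, ["alpine:3.*"])),
        "last 60 days": names(select_for_scan(LISTING, max_age_days=60, now=NOW)),
        "latest 1 tag": names(select_for_scan(LISTING, latest_n=1, now=NOW)),
        "never dev": names(select_for_scan(LISTING, ["nginx"], never=[":dev-*"])),
        "always old": names(select_for_scan(LISTING, ["alpine"], max_age_days=60,
                                            always=["nginx:1.24"], now=NOW)),
    }


if __name__ == "__main__":
    for case, picked in demo().items():
        print(f"{case:>13}: {picked}")
```

Note that a name pattern is matched whole, not as a prefix: alpine does not select alpine-builder, and a tag pattern such as :3.* is the way to follow a release line without pulling every tag in the repository.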
Viewing information about integrations with registries
You can view a table with the list of all registries integrated with Kaspersky Container Security in the Administration → Integrations → Image registries section.
The table displays the following information about integrated registries:
- Name of the image registry integration
- Description, if one was specified when creating the integration with the image registry
- The type of the connected registry.
- Registry URL
- Status of the last connection with the image registry: Success or Error. If Error is displayed, the solution also displays a brief description of the connection error.
In the table, you can:
- Add new registry integrations. Click Add registry above the table to open the integration settings window.
- View and modify registry integration settings, including image pull and scan settings. You can open the editing window by clicking the registry name link.
In this window, you can also click Test connection to see if a connection with the registry can be established.
- Delete integrations with registries.
Deleting integration with external registry
To delete an integration with an external registry:
- In the Administration → Integrations → Image registries section, select the integration you want to delete by selecting the check box in the row with the registry name. You can select one or more integrations.
- Click Delete above the table.
The Delete button becomes enabled after you select one or more integrations.
- In the window that opens, confirm the deletion.
Kaspersky Container Security does not scan images from a registry it is no longer integrated with.
Harbor integration
Integration of Kaspersky Container Security with the external Harbor registry can be performed in two ways:
- In the same way as integration with other external registries
- Upon the request of the external Harbor registry
Harbor views the solution as an additional external scanner to scan objects for vulnerabilities. Integration with Kaspersky Container Security is configured using the Harbor scanner plugin. The solution names this automatically created image registry Harbor External Integration and marks the repository in which it is located with the Harbor icon.
This integration remains the only automatically created integration with Harbor, and the name assigned to the image registry cannot be changed.
To start the Harbor scan process, you need to know the endpoint of the Kaspersky Container Security API.
To create an integration by Harbor request, the Kaspersky Container Security account must have the rights to view and configure scanning in CI/CD. Without these rights, Harbor cannot connect the solution as a scanner or scan objects as part of the CI/CD process.
Creating an integration upon Harbor request
To create registry integration by Harbor request, you must have a Harbor account with administrator rights, as well as rights to view and configure scanning in CI/CD in Kaspersky Container Security. If these rights are not available, Harbor will not be able to connect the solution as a scanner.
To create a Harbor integration upon Harbor request:
- From the main menu in the left pane of the Harbor web interface, select Administration → Interrogation Services.
- Click the New Scanner button.
- Enter the following information:
- The unique name of the solution integration to be displayed in the Harbor interface.
- If necessary, a description of the external scanner that is being added.
- In the Endpoint field, the address of the Kaspersky Container Security API endpoint that Harbor will connect to.
- In the Authorization drop-down list, select APIKey as the authorization method when connecting the registry to the solution.
- In the APIKey field, enter the value of the API token.
If the API token changes, you must specify its new value before starting the Harbor scan. If a new API token is not added to the external scanner settings in Harbor, the scan fails.
- Select the Skip certificate verification check box only if the Kaspersky Container Security endpoint presents a certificate that Harbor cannot verify. With verification skipped, the API key that Harbor sends with every scan request can be read by anyone able to redirect the connection, so prefer installing a certificate Harbor trusts on the solution's endpoint.
- If necessary, click Test Connection to verify that Harbor can connect to the solution.
- Click Add to create the integration.
Harbor lists the new scanner under Administration → Interrogation Services → Scanners with the name you assigned to the solution.
The new scanner is used for scanning objects if it is specified as the default scanner in Harbor or assigned to the project. Both options require additional configuration in Harbor.
After scanning is started, an integration with the solution upon Harbor request is created in the external registry. Kaspersky Container Security displays the created Harbor External Integration registry in the list of image registries in the Administration → Integrations → Image registries section. The repository containing images from the external registry is marked with the Harbor icon. Harbor External Integration is updated after starting and running another scan in the external registry.
You cannot add an image to an automatically created registry of images from Harbor by using the Add images button in the management console.
Harbor External Integration scans can be manually initiated or automatically started from the external registry. You cannot start scanning or rescanning images from the Harbor automatically created image registry in Kaspersky Container Security.
The Harbor External Integration registry (as well as the registry created as part of the standard integration with Harbor) is scanned in line with the applicable scanner policy.
When a scan completes, the solution generates a report on the vulnerabilities found in the scanned objects and sends it to Harbor. If delivering the report takes more than five seconds (for example, because of a slow network connection), the external registry interface shows an error in receiving scan results.
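The Interrogation Services steps above can also be driven through Harbor's REST API, which is how you would register the solution on several Harbor instances or rotate the API token described in the note on changed tokens. The following is an added example, not code from Harbor or Kaspersky Container Security: it builds the scanner registration body, refuses the two combinations that expose the API key (a plain-HTTP endpoint, or skipped certificate verification outside an isolated test setup), runs Harbor's ping check as the equivalent of Test Connection, and then creates the scanner. The request fields and the /api/v2.0/scanners and /api/v2.0/scanners/ping paths are from my knowledge of the Harbor v2 API, the auth value X-ScannerAdapter-API-Key being Harbor's name for the APIKey method; the solution endpoint URL, Harbor URL, and credentials are placeholders.

```python
import base64
import json
import ssl
import urllib.request

API_KEY_AUTH = "X-ScannerAdapter-API-Key"   # Harbor's value for the APIKey method


def registration_problem(endpoint, skip_cert_verify, allow_insecure=False):
    """Return why a registration would expose the API key, or None if it is fine.

    Harbor sends the key in a header on every request to `endpoint`, so the
    key is only as secret as the TLS that Harbor actually verifies.
    """
    if not endpoint.startswith("https://"):
        return "endpoint must use https: the API key travels in a request header"
    if skip_cert_verify and not allow_insecure:
        return ("skip_cert_verify disables TLS verification towards the scanner; "
                "pass allow_insecure=True only for an isolated test environment")
    return None


def scanner_registration(name, endpoint, api_key, description="",
                         skip_cert_verify=False, allow_insecure=False):
    """Body for POST /api/v2.0/scanners (Harbor's ScannerRegistrationReq)."""
    problem = registration_problem(endpoint, skip_cert_verify, allow_insecure)
    if problem:
        raise ValueError(problem)
    return {
        "name": name,
        "description": description,
        "url": endpoint,
        "auth": API_KEY_AUTH,
        "access_credential": api_key,
        "skip_certVerify": skip_cert_verify,
        "use_internal_addr": False,
        "disabled": False,
    }


def _post(harbor_url, path, body, admin_user, admin_password):
    # Registering scanners is a system-level action, hence the page's
    # requirement for a Harbor administrator account. Harbor's own certificate
    # is verified here with the default context; the skip flag in the body only
    # concerns the Harbor -> scanner direction.
    token = base64.b64encode(f"{admin_user}:{admin_password}".encode()).decode()
    req = urllib.request.Request(
        harbor_url.rstrip("/") + path,
        data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json",
                 "Authorization": "Basic " + token},
        method="POST",
    )
    with urllib.request.urlopen(req, context=ssl.create_default_context(),
                                timeout=30) as resp:
        return resp.status, resp.read().decode()


def register_scanner(harbor_url, admin_user, admin_password, body):
    """Equivalent of Test Connection followed by Add in the Harbor UI."""
    # /scanners/ping makes Harbor fetch the adapter's metadata with the given
    # credentials; a failure here is what the UI reports on Test Connection.
    status, text = _post(harbor_url, "/api/v2.0/scanners/ping", body,
                         admin_user, admin_password)
    if status != 200:
        raise RuntimeError(f"Harbor could not reach the scanner: HTTP {status} {text}")
    return _post(harbor_url, "/api/v2.0/scanners", body, admin_user, admin_password)


if __name__ == "__main__":
    body = scanner_registration(
        name="kaspersky-container-security",
        endpoint="https://kcs.example.internal/api",   # placeholder endpoint
        api_key="REPLACE-WITH-THE-SOLUTION-API-TOKEN",  # placeholder token
        description="Kaspersky Container Security as pluggable scanner",
    )
    print(json.dumps(body, indent=2))
    # register_scanner("https://harbor.example.internal", "admin", "<password>", body)
```

After a token rotation in the solution, re-run the same registration with the new value through PUT on the scanner's id rather than creating a second registration; otherwise Harbor keeps calling the endpoint with the stale key and every scan fails, as the note above describes.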
Viewing and editing the Harbor External Integration settings
The Harbor External Integration image registry is displayed in the list of registries integrated with Kaspersky Container Security in the Administration → Integrations → Image registries section.
To change the Harbor External Integration settings:
- Select the Harbor External Integration registry in the list of image registries in the Administration → Integrations → Image registries section.
- Specify the values of the following configurable settings:
- Description on the Registry details tab.
- Scan timeout on the Image scan details tab.
You cannot change other Harbor External Integration registry details.
- Click Save.
Rescanning
After receiving the scan results, objects from the Harbor External Integration registry cannot be sent for rescanning from Kaspersky Container Security. Rescanning can only be initiated from Harbor.
If you create an integration with Harbor from Kaspersky Container Security that points to the same Harbor registry as Harbor External Integration, the two registries are independent with respect to rescanning:
- Scanning objects in the registry created in the solution does not trigger a rescan in Harbor External Integration.
- Scanning objects in Harbor External Integration does not trigger a rescan in the registry created in the solution.