Deepfactor provides helm charts that install a mutating admission webhook and one or more scan pods in your K8s cluster. Deepfactor can automatically scan container images used by pods in your K8s cluster and also observe running containers for runtime security vulnerabilities. Deepfactor can also correlate the results of the two.
The webhook listens for pod create events and, based on the cluster and namespace configuration, determines whether the container images used by the application pod need to be scanned. If an image needs to be scanned, the webhook passes that information on to the scan pod, which performs the actual scan of the container image. If you deploy container images from a private ECR in your Amazon EKS workloads, the Deepfactor scan pod must authenticate to your private ECR in order to scan the image.
If you are using EKS to run workloads on EC2 machines with images from private ECR, refer instead to: Scanning container images from private AWS Elastic Container Registry (ECR) in EKS on EC2
The following document describes how you can provide Deepfactor scan pod access to your private ECR when your workloads are running on AWS Fargate using EKS.
Create a K8s secret for registry credentials
In this section, we will create a K8s secret that will be passed to the Deepfactor scan pod to indicate that container images are hosted on private ECR.
Create a docker config json file
Create a file named dockerconfig.json with the following contents
{ "credsStore": "ecr-login" }
Create a K8s secret from the docker config file
Create a K8s secret from the docker config file created in the previous step using the following command
kubectl create secret generic regcred \
  --from-file=.dockerconfigjson=dockerconfig.json \
  --type=kubernetes.io/dockerconfigjson \
  --namespace=df-webhook
The above command assumes that you have already created the df-webhook namespace. If not, create the namespace with the following command before running the create secret command.
kubectl create ns df-webhook
Create a service account with required IAM policies
Containers running in a Fargate pod cannot assume the IAM permissions of the pod execution role. So even if the pod execution role has permission to pull container images from ECR, the Deepfactor scan container cannot pull images by assuming that role. To allow the scan container to pull your application's container images from private ECR, we use IAM roles for service accounts (IRSA). The following section describes the steps to create a service account that can assume an IAM role with sufficient permissions to pull container images from private ECR.
Creating an IAM OIDC provider for your cluster
Follow the steps in the below AWS article. You need to perform this step only once per K8s cluster.
Creating an IAM OIDC provider for your cluster
Configuring a K8s service account to assume an AWS IAM role
In this step, we will create a K8s service account for Deepfactor and allow that service account to assume an IAM role.
eksctl create iamserviceaccount --name df-service-account \
  --namespace df-webhook --cluster YOUR_K8s_CLUSTER_NAME \
  --role-name "df-webhook-role" \
  --attach-policy-arn arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly \
  --approve --override-existing-serviceaccounts
Please replace YOUR_K8s_CLUSTER_NAME with the name of your EKS Fargate cluster.
where
df-service-account is the name of the service account that will be created
df-webhook-role is the name of the IAM role that will be created
AmazonEC2ContainerRegistryReadOnly is the AWS managed policy that provides read only access to your ECR
You can read more about this here.
Provide the service account & secret name in Deepfactor helm override parameters
Provide the names of the K8s secret and service account created in the steps above in the override.yaml file used to install the Deepfactor webhook helm chart, as shown below:
staticscan:
  secretName: regcred
  serviceAccountName: df-service-account
Install the Deepfactor webhook helm chart and Deepfactor scan pod will now be able to pull and scan images from your private ECR.
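The pieces above (the dockerconfigjson secret, the IRSA-annotated service account, the role's trust policy, the attached ECR policy and the override.yaml names) have to agree with each other, and a mismatch in any one of them shows up only as a failed image pull in the scan pod. The following preflight check is an added example, not Deepfactor's code: it takes JSON objects shaped like the output of `kubectl get secret ... -o json`, `kubectl get sa ... -o json`, `aws iam get-role` (the `Role` object) and `aws iam list-attached-role-policies`, plus the parsed override.yaml, and reports what would stop the scan pod from pulling. It also flags a trust policy whose subject condition is a wildcard, since that would let every service account in the namespace assume the role. The names regcred, df-webhook, df-service-account and df-webhook-role come from the steps above; the sample inputs at the bottom are constructed, and the account id, region and OIDC provider id in them are placeholders.

```python
"""Preflight check for the private-ECR-on-Fargate setup above (added example, not Deepfactor's code).

Inputs are JSON objects as returned by kubectl -o json and the AWS CLI; the
samples at the bottom are constructed, with placeholder account/region/OIDC ids.
"""
from __future__ import annotations

import base64
import json

NAMESPACE = "df-webhook"
SECRET_NAME = "regcred"
SA_NAME = "df-service-account"
ECR_READONLY_POLICY = "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"


def check_registry_secret(secret: dict) -> list[str]:
    """The secret must be a dockerconfigjson secret whose config delegates to ecr-login."""
    problems = []
    if secret.get("type") != "kubernetes.io/dockerconfigjson":
        problems.append(f"secret type is {secret.get('type')!r}, expected kubernetes.io/dockerconfigjson")
    raw = secret.get("data", {}).get(".dockerconfigjson")
    if raw is None:
        return problems + ["secret has no .dockerconfigjson key"]
    try:
        cfg = json.loads(base64.b64decode(raw))
    except ValueError:  # covers bad base64 (binascii.Error) and bad JSON
        return problems + [".dockerconfigjson is not base64-encoded JSON"]
    if cfg.get("credsStore") != "ecr-login":
        problems.append(f"credsStore is {cfg.get('credsStore')!r}, expected 'ecr-login'")
    # An embedded ECR token expires after 12 hours; the helper fetches fresh ones instead.
    if any(isinstance(e, dict) and "auth" in e for e in cfg.get("auths", {}).values()):
        problems.append("config embeds a static registry token instead of using the ecr-login helper")
    return problems


def check_service_account(sa: dict) -> tuple[list[str], str | None]:
    """IRSA is wired through the eks.amazonaws.com/role-arn annotation; return that ARN."""
    annotations = sa.get("metadata", {}).get("annotations") or {}
    role_arn = annotations.get("eks.amazonaws.com/role-arn")
    if not role_arn:
        return ["service account has no eks.amazonaws.com/role-arn annotation"], None
    return [], role_arn


def check_trust_policy(role: dict, expected_arn: str) -> list[str]:
    """The trust policy must let exactly this service account assume the role via the OIDC provider."""
    problems = []
    if role.get("Arn") != expected_arn:
        problems.append(f"annotation names {expected_arn} but the role is {role.get('Arn')}")
    wanted_sub = f"system:serviceaccount:{NAMESPACE}:{SA_NAME}"
    trusted, broad = False, []
    for st in role.get("AssumeRolePolicyDocument", {}).get("Statement", []):
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if st.get("Effect") != "Allow" or "sts:AssumeRoleWithWebIdentity" not in actions \
                or "Federated" not in st.get("Principal", {}):
            continue
        subs = []  # every ":sub" condition value, under either string operator
        for operator in ("StringEquals", "StringLike"):
            for key, value in st.get("Condition", {}).get(operator, {}).items():
                if key.endswith(":sub"):
                    subs += value if isinstance(value, list) else [value]
        trusted = trusted or wanted_sub in subs
        broad += [s for s in subs if "*" in s]
    if broad:
        problems.append(f"trust policy subject {broad} is a wildcard; pin it to {wanted_sub}")
    if not trusted:
        problems.append(f"no Allow statement trusts {wanted_sub} via sts:AssumeRoleWithWebIdentity")
    return problems


def check_attached_policies(attached: dict) -> list[str]:
    """The steps above attach AmazonEC2ContainerRegistryReadOnly; confirm it is really there."""
    arns = {p.get("PolicyArn") for p in attached.get("AttachedPolicies", [])}
    return [] if ECR_READONLY_POLICY in arns else [f"{ECR_READONLY_POLICY} is not attached to the role"]


def check_override(override: dict) -> list[str]:
    """override.yaml must name the same secret and service account created above."""
    staticscan = override.get("staticscan", {})
    problems = []
    if staticscan.get("secretName") != SECRET_NAME:
        problems.append(f"staticscan.secretName should be {SECRET_NAME!r}")
    if staticscan.get("serviceAccountName") != SA_NAME:
        problems.append(f"staticscan.serviceAccountName should be {SA_NAME!r}")
    return problems


def preflight(secret, sa, role, attached, override) -> list[str]:
    """Run every check; an empty list means the scan pod should be able to pull from ECR."""
    problems = check_registry_secret(secret)
    sa_problems, role_arn = check_service_account(sa)
    problems += sa_problems
    if role_arn:
        problems += check_trust_policy(role, role_arn)
    return problems + check_attached_policies(attached) + check_override(override)


# Constructed sample inputs; account id, region and OIDC provider id are placeholders.
ACCOUNT_ID = "111122223333"
OIDC_PROVIDER = "oidc.eks.us-east-1.amazonaws.com/id/EXAMPLEOIDCPROVIDERID"
SAMPLE_SECRET = {"type": "kubernetes.io/dockerconfigjson",
                 "data": {".dockerconfigjson": base64.b64encode(b'{ "credsStore": "ecr-login" }').decode()}}
SAMPLE_SA = {"metadata": {"name": SA_NAME, "namespace": NAMESPACE, "annotations": {
    "eks.amazonaws.com/role-arn": f"arn:aws:iam::{ACCOUNT_ID}:role/df-webhook-role"}}}
SAMPLE_ROLE = {"Arn": f"arn:aws:iam::{ACCOUNT_ID}:role/df-webhook-role",
               "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [{
                   "Effect": "Allow", "Action": "sts:AssumeRoleWithWebIdentity",
                   "Principal": {"Federated": f"arn:aws:iam::{ACCOUNT_ID}:oidc-provider/{OIDC_PROVIDER}"},
                   "Condition": {"StringEquals": {f"{OIDC_PROVIDER}:sub": f"system:serviceaccount:{NAMESPACE}:{SA_NAME}",
                                                  f"{OIDC_PROVIDER}:aud": "sts.amazonaws.com"}}}]}}
SAMPLE_ATTACHED = {"AttachedPolicies": [{"PolicyName": "AmazonEC2ContainerRegistryReadOnly",
                                         "PolicyArn": ECR_READONLY_POLICY}]}
SAMPLE_OVERRIDE = {"staticscan": {"secretName": SECRET_NAME, "serviceAccountName": SA_NAME}}

if __name__ == "__main__":
    for line in preflight(SAMPLE_SECRET, SAMPLE_SA, SAMPLE_ROLE, SAMPLE_ATTACHED, SAMPLE_OVERRIDE) or ["all checks passed"]:
        print(line)
```

On a real cluster, feed the script the JSON from the four commands named in the lead-in; the check that matters most for least privilege is the trust policy one, since eksctl pins the `:sub` condition to `system:serviceaccount:df-webhook:df-service-account` and a hand-edited policy that widens it to a wildcard lets any service account in the namespace pull with the role's permissions.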
Install Deepfactor K8s helm charts
Please follow the instructions described in the following article