Deepfactor provides helm charts that install a mutating admission webhook and one or more scan pods in your K8s cluster. Deepfactor can automatically scan container images used by pods in your K8s cluster and also observe running containers for runtime security vulnerabilities. Deepfactor can also correlate the results of the two.
The webhook listens to pod create events and then determines if the container images used in the application pod need to be scanned or not based upon the cluster and namespace configuration. If the container image needs to be scanned, webhook passes that information over the scan pod which then performs the actual scan of the container image.
If you are deploying container images from private registries in your K8s workloads, then the Deepfactor scan pod will need to authenticate with your private registry in order to scan the image.
The following document describes how you can provide Deepfactor scan pod access to your private registries that support basic authentication. If you are using Azure Container Registry, Google container registry, Docker Hub container registry, Harbor or any Docker Registry HTTP API V2 or OCI Distribution Specification compliant registries, please use these instructions to specify the registry credentials.
Create dockerconfig.json file #
Create a dockerconfig.json file with the auth details of the private registries you are pulling images from in your K8s cluster. Generally these details are stored in $HOME/.docker/config.json file. A sample dockerconfig.json file is shown below:
{
"auths": {
// GCR
"gcr.io": {
"auth": "BASE64-ENCODED-AUTH-DETAILS"
},
// ACR
"yourdomain.azurecr.io": {
"auth": "BASE64-ENCODED-AUTH-DETAILS"
},
// Other private registries
"registry1": {
"auth": "BASE64-ENCODED-AUTH-DETAILS"
},
"registry2": {
"auth": "BASE64-ENCODED-AUTH-DETAILS"
}
}
}
Note: If you have the username and password of your registry, then you can get the BASE64-ENCODED-AUTH-DETAILS by using the following command and insert into the dockerconfig.json as shown in the sample above.
echo -n 'username:password' | base64
where:
username is the user name you use to login to the container registry
password is the password you use to login to the container registry
Create a K8s secret from the docker config file #
Create a K8s secret from the docker config file created in the previous step using the following command
kubectl create secret generic regcred \ --from-file=.dockerconfigjson=dockerconfig.json \ --type=kubernetes.io/dockerconfigjson --namespace=df-webhook
The above command assumes that you have already created the df-webhook namespace. If not please use the following command to create the namespace before running the create secret command.
kubectl create ns df-webhook
Provide the secret in Deepfactor helm override yaml #
Once you have successfully created the secret, please provide the name of the secret in the override.yaml file used in installing the Deepfactor webhook helm chart as specified below
staticscan: secretName: regcred
Now the Deepfactor scan pod will be able to pull images from your private registries.
Install Deepfactor K8s helm charts #
Please follow the instructions described in the following article