Red Hat Advanced Cluster Security for Kubernetes (RHACS) integrates with several vulnerability scanners to enable you to import your container images and watch them for vulnerabilities.
Red Hat supports the following container image registries:
Amazon Elastic Container Registry (ECR)
Generic Docker registries (any generic Docker or Open Container Initiative-compliant image registries, for example, DockerHub, gcr.io
, mcr.microsoft.com
)
Google Container Registry
Google Artifact Registry
IBM Cloud Container Registry
JFrog Artifactory
Microsoft Azure Container Registry (ACR)
Red Hat Quay
Red Hat registry (registry.redhat.io
, registry.access.redhat.com
)
Sonatype Nexus
This enhanced support gives you greater flexibility and choice in managing your container images in your preferred registry.
You can set up RHACS to obtain image vulnerability data from the following commercial container image vulnerability scanners:
RHACS Scanner (recommended)
RHACS Scanner is the preferred image vulnerability scanner to use with RHACS. For more information about scanning container images with RHACS Scanner, see Scanning images. |
If you use one of these products in your DevOps workflow, you can use the RHACS portal to configure an integration with your vulnerability scanner. After the integration, the RHACS portal shows the image vulnerabilities and you can triage them easily.
You can integrate Red Hat Advanced Cluster Security for Kubernetes with CoreOS Clair for the static analysis of vulnerabilities in your images.
On the RHACS portal, navigate to Platform Configuration → Integrations.
Under the Image Integrations section, select CoreOS Clair.
Click New integration.
Enter the details for the following fields:
Integration name: The name of the integration.
Endpoint: The address of the scanner.
(Optional) If you are not using a TLS certificate when connecting to the registry, select Disable TLS certificate validation (insecure).
(Optional) Select Test to test that the integration with the selected registry is working.
Select Save.
You can integrate Red Hat Advanced Cluster Security for Kubernetes with Google Container Registry (GCR) for container analysis and vulnerability scanning.
You must have a service account key for the Google Container Registry.
The associated service account has access to the registry. See Configuring access control for information about granting users and other projects access to GCR.
If you are using GCR Container Analysis, you have granted the following roles to the service account:
Container Analysis Notes Viewer
Container Analysis Occurrences Viewer
Storage Object Viewer
On the RHACS portal, navigate to Platform Configuration → Integrations.
Under the Image Integrations section, select Google Container Registry.
The Configure image integration modal box opens.
Click New Integration.
Enter the details for the following fields:
Integration Name: The name of the integration.
Types: Select Scanner.
Registry Endpoint: The address of the registry.
Project: The Google Cloud project name.
Service Account Key (JSON) Your service account key for authentication.
Select Test (checkmark
icon) to test that the integration with the selected registry is working.
Select Create (save
icon) to create the configuration.
You can integrate Red Hat Advanced Cluster Security for Kubernetes with Quay Container Registry for scanning images.
You must have an OAuth token for authentication with the Quay Container Registry to scan images.
On the RHACS portal, navigate to Platform Configuration → Integrations.
Under the Image Integrations section, select Red Hat Quay.io.
Click New integration.
Enter the Integration name.
Under Type, select Scanner. (If you are also integrating with the registry, select Scanner + Registry.) Enter information in the following fields:
Endpoint: Enter the address of the registry.
OAuth token: Enter the OAuth token that RHACS uses to authenticate by using the API.
Optional: Robot username: If you are configuring Scanner + Registry and are accessing the registry by using a Quay robot account, enter the user name in the format <namespace>+<accountname>
.
Optional: Robot password: If you are configuring Scanner + Registry and are accessing the registry by using a Quay robot account, enter the password for the robot account user name.
Optional: If you are not using a TLS certificate when connecting to the registry, select Disable TLS certificate validation (insecure).
Optional: To create the integration without testing, select Create integration without testing.
Select Save.
If you are editing a Quay integration but do not want to update your credentials, verify that Update stored credentials is not selected. |