Scanning container images from private AWS Elastic Container Registry (ECR) in K8s

Deepfactor provides helm charts that install a mutating admission webhook and one or more scan pods in your K8s cluster. Deepfactor can automatically scan container images used by pods in your K8s cluster and also observe running containers for runtime security vulnerabilities. Deepfactor can also correlate the results of the two.

The webhook listens to pod create events and then determines if the container images used in the application pod need to be scanned or not based upon the cluster and namespace configuration. If the container image needs to be scanned, webhook passes that information over the scan pod which then performs the actual scan of the container image. 

If you are deploying container images from private ECR in your K8s workloads, then the Deepfactor scan pod will need to authenticate with your private ECR in order to scan the image. The following document describes how you can provide Deepfactor scan pod access to your private ECR.

Create a docker config json file

Create a file named dockerconfig.json with the following contents

  "credsStore": "ecr-login"

Create a K8s secret from the docker config file

Create a K8s secret from the docker config file created in the previous step using the following command

kubectl create secret generic regcred \
  --from-file=.dockerconfigjson=dockerconfig.json  \ --namespace=df-webhook

The above command assumes that you have already created the df-webhook namespace. If not please use the following command to create the namespace before running the create secret command.

kubectl create ns df-webhook

Provide the secret in Deepfactor helm override yaml

Once you have successfully created the secret, please provide the name of the secret in the override.yaml file used in installing the Deepfactor webhook helm chart as specified below

  secretName: regcred

Install the Deepfactor webhook helm chart and Deepfactor scan pod will now be able to pull and scan images from your private ECR.

Attach NodeInstanceRole with permissions to your worker nodes

In order to enable Deepfactor scan pod to pull images, the worker nodes on which the scan pod is scheduled should have certain IAM policies. Perform the following steps to attach the required policies

  1. Follow the instructions in Using Amazon ECR Images with Amazon EKS to attach a NodeInstanceRole to your worker nodes
  2. Attach AmazonEC2ContainerRegistryReadOnly policy to your EKS worker nodes

Now the Deepfactor scan pod will be able to pull images from private ECR. 

Install Deepfactor K8s helm charts

Please follow the instructions described in the following article

Install Deepfactor Mutating Webhook



Was this article helpful?
0 out of 0 found this helpful



Please sign in to leave a comment.