Onboarding Azure Container Registry
To configure container registry scanning of an Azure Collection of integrated cloud services that developers and IT professionals use to build, deploy, and manage applications through a global network of data centers managed by Microsoft®. Container Registry A collection of repositories used to store and access container images. (ACR), you need to onboard the registry to CloudGuard.
Prerequisites
Before onboarding your Container A lightweight and portable executable image that contains software and all of its dependencies. Containers decouple applications from underlying host infrastructure to make deployment easier in different cloud or OS environments, and for easier scaling. Registry for scanning with a Kubernetes Kubernetes, often abbreviated as “K8s”, orchestrates containerized applications to run on a cluster of hosts. scanner, select an authentication method:
-
Service Principal - A user identity for applications, hosted services, and automated tools to access Azure resources. This option lets CloudGuard scan Azure Container Registries from linked clusters not necessarily in Azure.
-
Managed Identity - An identity for applications to access resources that support Microsoft Entra ID authentication. This option allows CloudGuard to scan Azure Container Registries from Azure clusters in the same tenant.
|
Note - Only Azure Service Principal authentication is available for onboarding with an ECS Amazon Elastic Container Service (ECS) - a fully managed container orchestration service that helps you deploy, manage, and scale Docker containers running applications, services, and batch processes. scanner. |
Onboarding
To onboard a Container Registry to CloudGuard:
-
In the CloudGuard portal, navigate to Asset > Environments.
-
From the top menu, select Add > Container Registry and follow the setup steps.
-
In the Container Registry Onboarding wizard, enter the registry details:
-
Environment Name - Enter a new name for the registry or use the default name. This name allows you to identify the registry later in CloudGuard.
-
Environment Description - Optionally, enter a description.
-
Select an Organizational Unit.
-
Select the type of environment to host your scanner - Kubernetes or AWS Amazon® Web Services. Public cloud platform that offers global compute, storage, database, application and other cloud services. ECS Scanner.
-
Select a Kubernetes cluster or an AWS environment on which you can run the registry scanner:
-
For Kubernetes, select from the list of clusters with enabled Image Assurance. For a new cluster, click Onboard a new Kubernetes Cluster and see Onboarding Kubernetes Clusters. In this case, you quit the registry onboarding and, after onboarding a new cluster, you need to start the registry onboarding from the beginning.
-
For AWS, select from the list of all AWS environments onboarded to CloudGuard.
-
-
Choose Registry type - Select Azure Container Registry (ACR).
-
Registry URI - Enter the approved endpoint name of your Azure Registry in
<acrName>.azurecr.io
format. -
Authentication Method - For more information, see the Azure documentation in More Links.
-
Azure Service Principal
-
Pull Secret Name - Create an image pull secret in the same namespace where the Image Assurance agents are deployed and enter it in this field.
Make sure that the
<secret-name>
is a valid Kubernetes name. For more details, see the Kubernetes Documentation.To create the secret, run:
Copykubectl create secret docker-registry <secret-name> \
--namespace <namespace> \
--docker-server=<container-registry-name>.azurecr.io \
--docker-username=<service-principal-ID> \
--docker-password=<service-principal-password> -
Tenant ID - Enter your Azure AD tenant ID.
To get the tenant ID, run:
Copyaz account list --query [].tenantId --output tsv
-
-
Azure Managed User Identity
-
Application client ID - Enter the ID.
To get the Application client ID, run:
az aks show --resource-group <resource-group> --name <cluster-name>
--query identityProfile.kubeletidentity.clientId --output tsv
Note - Make sure that the role has the permissions to pull from the registry (AcrPull). For this, use the
check-acr
command (see https://learn.microsoft.com/en-us/cli/azure/aks?view=azure-cli-latest#az-aks-check-acr).
-
-
-
-
Click Next to continue with Cluster Configurations.
In this step, you configure the CloudGuard Service Account credentials if in Step 1 you selected to onboard with a new cluster or with the existing cluster that requires an agent update.
For onboarding with the hosting cluster that has updated agents, this step is skipped.
-
Configure a Service Account by one of these methods:
-
Select an existing Service Account with its corresponding API Key.
-
Enter a Service Account manually.
-
Click Add Service Account to create a new account.
-
-
Click Next to continue to the next step.
This step appears when you select to associate the registry with a new cluster or with an existing cluster that requires an agent update. CloudGuard instructs you how to install Image Assurance agents or to update them to the latest version on the cluster.
For onboarding with the hosting cluster that has updated agents, this step is skipped.
CloudGuard shows the details of your new registry and its related cluster.
-
Follow the on-screen instructions to copy the Helm A Kubernetes deployment tool for automating creation, packaging, configuration, and deployment of applications and services to Kubernetes clusters. commands and run them on your cluster with Helm 3.
-
Click Next.
CloudGuard shows the full details of your new registry and its related cluster. If your registry onboarding includes onboarding or updating the cluster, this page shows the cluster onboarding summary. The cluster deployment takes several minutes, and you can see its progress in the Cluster and Registry Status.
For more information on the cluster onboarding summary, see STEP 4 - Onboarding Summary.
-
Wait for the deployment completion based on the Cluster and Agent Status or click Finish to skip the process.
Follow the on-screen instructions to use the provided CloudFormation Template and launch the CFT for the ECS scanner.
-
Select to use a new ECS cluster or an existing one.
-
Use the URL to review the CloudFormation Template.
-
Open the AWS Secrets Manager and click Secrets.
-
Click Store a new secret to create an image pull secret with:
-
Secret type: Other type of secret
- Key: <ACR_URI>
-
Value: <service-principal-ID>: <service-principal-password>
-
-
Open the image pull secret and copy Secret ARN from Secret details. You need this ARN Amazon Resource Names (ARNs) uniquely identify AWS resources. They are required to specify a resource unambiguously across all of AWS, such as in IAM policies, Amazon Relational Database Service (Amazon RDS) tags, and API calls. in step 6g.
-
In the CloudGuard wizard, click the link in step 4 to start the CloudFormation Stack Creation Process in your AWS account:
-
On the Stacks page, click Create stack.
-
In Step 1 Create stack, for Prepare template, select Choose an existing template.
-
For Template source, select Amazon S3 URL.
-
In the Amazon S3 URL field, paste the URL you copied in step 2 and click Next.
-
In Step 2 Specify stack details, enter a name for the stack.
-
In Parameters > CloudGuard, paste these details copied from step 5 of the CloudGuard wizard:
-
Environment ID
-
CloudGuard API Key ID
-
CloudGuard API Key Secret
Optionally, you can configure a proxy server and enter these details for the proxy address and proxy bypass:
-
Optional - HTTPS Proxy address - Enter an HTTPS address for a network proxy server
-
Optional - Proxy bypass list - Enter one or more addresses that should bypass the proxy
-
-
In AWS, enter these details:
-
Subnet - Select a subnet.
-
Optional - Registry Secret ARN - Enter the ARN of the secret created in step 3.
-
Optional - Custom CA Certificates ARN - see Certificate for AWS ECS Scanner.
-
-
-
After the creation of the stack, click Finish.
CloudGuard opens the onboarded registry. For onboarding validation, see the Scanners tab that shows the status of the registry and its scanning environment (cluster or AWS ECS).
For registries with the Kubernetes scanner, the related Kubernetes cluster page shows information about the registries that the cluster scans, in the list on Blades > Image Assurance > Image Scan Engine agent.
-
Azure documentation:
-
How to use Service Principal credentials for image pull secret
-
How to find the Microsoft Entra tenant ID
-
How to get the Application client ID (Configuring ACR Integration)
-