Onboarding Container Registries

In CloudGuard, each onboarded Container Registry must link to a Kubernetes cluster that has Image Assurance enabled. To make this link, use one of your existing Kubernetes clusters or onboard a new cluster together with the Container Registry. After that, the Image Scan agents on the cluster can scan your Container Registry. The linked cluster is called a hosting cluster.

Prerequisites

  • You must have a Kubernetes cluster onboarded to CloudGuard before you scan your container registry.

  • Before onboarding your Container Registry to CloudGuard, select an authentication method based on your registry type:

Onboarding

To onboard a Container Registry to CloudGuard:

When onboarding completes, CloudGuard opens the page of the onboarded registry. In the Scanning Clusters tab, you can see the current status of the registry and of the cluster that scans it.

The page of the linked Kubernetes cluster lists the registries that the cluster scans, under Blades > Image Assurance > Image Scan Engine agent.

EKS Node Group Role for Amazon ECR

The worker nodes of your hosting cluster need IAM permissions to access the ECR. Kubernetes clusters created with automation such as eksctl have these permissions by default. Kubernetes clusters created manually may not have them, so you have to add them.

To verify the cluster configuration:

  1. Open the Amazon Elastic Kubernetes Service console at https://console.aws.amazon.com/eks/home#/clusters.

  2. Select the cluster to use as a hosting cluster.

  3. From the Compute tab, add a new node group or select an existing one.

  4. In the Node group configuration, for the Node IAM role, select eksNodeGroup and continue to configure the node group as usual.

  5. When you click Create, the new node group opens. Below the Node IAM role ARN, click the ARN link.

  6. In the Permissions tab, review the Permissions policies. By default, the node has AmazonEKSWorkerNodePolicy and AmazonEKS_CNI_Policy.

    Find the policy with the name AmazonEC2ContainerRegistryReadOnly.

    • If you have AmazonEC2ContainerRegistryReadOnly, the permissions are correct, and you can continue with the Container Registry Onboarding Wizard.

    • If you do not have AmazonEC2ContainerRegistryReadOnly, click Add permissions > Attach policies, enter the name in the filter string and select it.
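The same check can be done from the command line instead of the console. The script below is an added example, not part of the CloudGuard documentation: it looks up the node IAM role of a node group with the AWS CLI and tests whether the AmazonEC2ContainerRegistryReadOnly managed policy is attached. The cluster and node group names are placeholders, and the sample JSON is constructed to match the default policy set described above.

```shell
#!/bin/sh
# Check whether an EKS node group's IAM role can pull from Amazon ECR.
# Assumes the AWS CLI is installed and configured for the account that owns the cluster.
ECR_READONLY_ARN="arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"

# Return 0 if the JSON from `aws iam list-attached-role-policies` contains the
# AmazonEC2ContainerRegistryReadOnly managed policy, 1 otherwise.
has_ecr_readonly() {
    printf '%s\n' "$1" | grep -q -- "\"PolicyArn\": *\"$ECR_READONLY_ARN\""
}

# Resolve the node IAM role of a node group and inspect its attached policies.
# Usage: check_nodegroup_role <cluster-name> <nodegroup-name>
# Returns 0 if the policy is attached, 1 if it is missing, 2 on an AWS CLI error.
check_nodegroup_role() {
    role_arn=$(aws eks describe-nodegroup --cluster-name "$1" --nodegroup-name "$2" \
        --query 'nodegroup.nodeRole' --output text) || return 2
    role_name=${role_arn##*/}   # the role name is the last path segment of the ARN
    attached=$(aws iam list-attached-role-policies --role-name "$role_name" --output json) || return 2
    if has_ecr_readonly "$attached"; then
        echo "OK: role $role_name has AmazonEC2ContainerRegistryReadOnly"
        return 0
    fi
    echo "MISSING: attach $ECR_READONLY_ARN to role $role_name before onboarding the registry"
    return 1
}

# Constructed sample output for a manually created node group that only carries
# the two default policies listed above (no ECR read access yet).
SAMPLE_DEFAULT='{"AttachedPolicies": [
  {"PolicyName": "AmazonEKSWorkerNodePolicy", "PolicyArn": "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy"},
  {"PolicyName": "AmazonEKS_CNI_Policy", "PolicyArn": "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"}
]}'

# Dry run against the constructed sample; no AWS call is made here.
if has_ecr_readonly "$SAMPLE_DEFAULT"; then
    echo "sample: ECR read-only policy present"
else
    echo "sample: ECR read-only policy missing (expected for the default policy set)"
fi

# Live check when invoked as: sh check_ecr_role.sh <cluster-name> <nodegroup-name>
if [ "$#" -eq 2 ]; then
    check_nodegroup_role "$1" "$2"
fi
```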

Validation

On the existing hosting clusters, the CloudGuard agent automatically updates with the configuration of the newly linked container registries.

The CloudGuard agent on the hosting cluster constantly reports the status of all its registry environments to the CloudGuard portal.

To validate the container registry status:

  1. In CloudGuard, go to Assets > Environments and find the onboarded Container Registry environment.

  2. Click the asset to enter its page.

  3. Make sure that the Scanning Clusters status is green.

  4. Click the pen icon to view the hosting cluster name and authentication parameters.
