Onboarding Container Registries

These are two options to scan your Container Registry in CloudGuard:

CloudGuard can scan these types of container registries:

General Workflow

To onboard a Container Registry to CloudGuard, follow these steps on the onboarding wizard:

  1. Registry Configurations - Configure the registry.

  2. Cluster Configurations - In this step, it is necessary to provide the CloudGuard Service Account credentials.

  3. Environment Configurations - In the hosting environment, select to associate the registry with a new or existing cluster. Follow the instructions to configure the environment.

  4. Onboarding Summary - For onboarding with a Kubernetes cluster only, CloudGuard shows the full details of your newly onboarded registry and its related cluster. If the process includes updating the cluster, this page shows the cluster onboarding summary. The cluster deployment takes several minutes, and you can see its progress in the Cluster and Registry Status.

CloudGuard opens the onboarded registry. For onboarding validation, in the Scanners tab, see the status of the registry and the cluster that scans it.

The related Kubernetes cluster page shows information on the registries that the cluster scans, in the list on Blades > Image Assurance > Image Scan Engine agent.



Corrective Actions

Failed to create registry worker

  1. Make sure you created the pull secret in the same namespace where the CloudGuard agents are located.

  2. Make sure you gave the same secret name on the onboarding wizard page.

Note: If you create or update the pull secret after the agents startup, you must restart the imagescan-engine and imagescan-list pods.

Failed to authenticate

  1. Make sure the pull secret key name is correct and is created in the correct namespace.

  2. Make sure you entered correctly the username, password, and server URL in the secret definition.

Known Limitations

  • By default, CloudGuard adds to Protected Assets and scans only 10 recent images of each repository. You can change the default value with the API call (maximal number is 1000 for a JFrog Artifactory and Sonatype Nexus). For more information, see the API Reference Guide.

  • Scanning Windows container images is not supported.

  • For JFrog Artifactory, it can take about 20 minutes that the images start to show for the first time.

  • For JFrog Artifactory and Sonatype Nexus, the maximal number of tags per repository is 1000. Container images from the repositories with more than 1000 tags are neither shown as protected assets, nor scanned. The number is limited due to extensive API calls and performance considerations.

More Links