Onboarding Google Artifact Registry
CloudGuard lets you onboard two types of registries on the Google Cloud Platform:
- Google Container Registry (GCR)
- Google Artifact Registry (GAR)
This topic describes how to onboard your GAR to CloudGuard.
Prerequisites
- You must have a Kubernetes cluster onboarded to CloudGuard before you scan your container registry. This hosting cluster environment must have Image Assurance enabled. Otherwise, CloudGuard instructs you to install Image Assurance agents (or to update the agents to the latest version) on that cluster as part of the onboarding process.
- Before onboarding your Container Registry to CloudGuard, select an authentication method:
  - GCP Service Account Key - A GCP Service Account key file with the permissions required for the relevant GAR.
  - GCP GKE Internal Authentication - If you have a Google Kubernetes Engine (GKE) cluster, CloudGuard can use the Compute Engine or GKE metadata server to authenticate with GAR.
    To use this option, make sure that the service account of the GKE node pool has permissions to access the container registry.
    This requirement is met by default when you work in the same project and use the default service account. You must set the required permissions for the service account if:
    - The GKE cluster is in a different project.
    - The cluster uses a different service account.
Note - The option of GKE internal authentication is not supported if GKE is configured with Workload Identity.
Onboarding
To onboard a Container Registry to CloudGuard:
- In the CloudGuard portal, navigate to Asset > Environments.
- From the top menu, select Add > Container Registry and follow the setup steps.
  Alternatively, open the hosting cluster page and click Scan Registry on the top menu.
- In the Container Registry Onboarding wizard, enter the registry details:
  - Environment Name - Enter a new name for the registry or use the default name. This name allows you to identify the registry later in CloudGuard.
  - Environment Description - Optionally, enter a description.
  - Select an Organizational Unit.
  - Select the type of environment to host your scanner - Kubernetes. Only this scanner type is available for Google Artifact Registry.
  - Select a Kubernetes cluster on which you can run the registry scanner:
    - Select from the list of onboarded clusters with Image Assurance enabled.
    - For a new cluster, click Onboard a new Kubernetes Cluster and see Onboarding Kubernetes Clusters. In this case, you quit the registry onboarding and, after onboarding the new cluster, you must start the registry onboarding from the beginning.
  - Choose Registry type - Select Google Cloud Artifact Registry (GAR).
  - Registry URI - Enter one of the approved endpoint names of your GAR based on your region. See the list of valid regions in the Google documentation.
    Example: us-central1-docker.pkg.dev
  - Authentication Method - Select one of the methods:
    - GCP Service Account Key
      - Create a service account with the needed permissions (minimal required roles: roles/artifactregistry.reader and roles/browser) and generate a JSON key for it. To do this, open a Google Cloud Shell terminal and run the commands below. They create a service account gcp-svc-acc with the needed permissions to access the registry and generate the file gcp-svc-acc-keyfile.json to use for an image pull secret:
        gcloud iam service-accounts create gcp-svc-acc
        gcloud iam service-accounts keys create gcp-svc-acc-keyfile.json --iam-account gcp-svc-acc@<your_project_name>.iam.gserviceaccount.com
        gcloud projects add-iam-policy-binding <your_project_name> --member="serviceAccount:gcp-svc-acc@<your_project_name>.iam.gserviceaccount.com" --role="roles/browser"
        gcloud projects add-iam-policy-binding <your_project_name> --member="serviceAccount:gcp-svc-acc@<your_project_name>.iam.gserviceaccount.com" --role="roles/artifactregistry.reader"
      - Pull Secret Name - Create the image pull secret on your hosting cluster in the same namespace that is used for the Image Assurance agents. Make sure that <secret-name> is a valid Kubernetes name. For more details, see the Kubernetes Documentation. To create the secret, run:
        kubectl create secret docker-registry <secret-name> --namespace <cloudguard-namespace> --docker-server=<google-registry-uri> --docker-username=_json_key --docker-password="$(cat gcp-svc-acc-keyfile.json)"
      - Enter the pull secret name in the CloudGuard onboarding wizard.
    - GCP GKE Internal Authentication
      To use this method, make sure the hosting cluster satisfies all the prerequisites in Prerequisites. When you select this option, no more configuration is required.
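Before you run the kubectl command for the pull secret, a quick pre-flight check catches a secret name that is not a valid Kubernetes name, a registry URI that is not a GAR endpoint, or the wrong file passed as the key. The script below is an added example, not CloudGuard's or Google's code: the accepted host pattern (regional <region>-docker.pkg.dev and the us, europe and asia multi-regional hosts) is an assumption to verify against the Google documentation, and gar-pull-secret, checkpoint and example-project are constructed placeholder values.

```shell
#!/usr/bin/env bash
# Pre-flight checks for the GAR pull-secret step (added example, not CloudGuard's or Google's code).

# Kubernetes object names are DNS-1123 subdomains: lowercase alphanumerics, '-' and '.',
# starting and ending with an alphanumeric, at most 253 characters.
is_valid_k8s_name() {
  [ "${#1}" -ge 1 ] && [ "${#1}" -le 253 ] &&
    printf '%s' "$1" | grep -Eq '^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$'
}

# Namespace names are the stricter DNS-1123 labels: no dots, at most 63 characters.
is_valid_k8s_label() {
  [ "${#1}" -ge 1 ] && [ "${#1}" -le 63 ] &&
    printf '%s' "$1" | grep -Eq '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$'
}

# Assumed GAR host shape: "<region>-docker.pkg.dev" (e.g. us-central1-docker.pkg.dev) or a
# multi-regional us/europe/asia-docker.pkg.dev. gcr.io, a scheme prefix or a repository
# path is rejected so the wrong registry is not onboarded.
is_valid_gar_host() {
  printf '%s' "$1" | grep -Eq '^([a-z]+-[a-z]+[0-9]+|us|europe|asia)-docker\.pkg\.dev$'
}

# --docker-password receives the whole JSON key file, so check that the file really is a
# service-account key (type, client_email, private_key) before it is stored in the secret.
is_service_account_key() {
  [ -r "$1" ] && grep -q '"type": *"service_account"' "$1" &&
    grep -q '"client_email"' "$1" && grep -q '"private_key"' "$1"
}

# Validate every input, then print the kubectl command from the onboarding steps.
# Returns 1 on the first failing check; nothing is sent to the cluster.
pull_secret_cmd() {
  secret=$1 ns=$2 host=$3 keyfile=$4
  is_valid_k8s_name "$secret"       || { echo "invalid secret name: $secret" >&2; return 1; }
  is_valid_k8s_label "$ns"          || { echo "invalid namespace: $ns" >&2; return 1; }
  is_valid_gar_host "$host"         || { echo "not a GAR host: $host" >&2; return 1; }
  is_service_account_key "$keyfile" || { echo "not a service-account key file: $keyfile" >&2; return 1; }
  printf 'kubectl create secret docker-registry %s --namespace %s --docker-server=%s --docker-username=_json_key --docker-password="$(cat %s)"\n' \
    "$secret" "$ns" "$host" "$keyfile"
}

# Stand-alone demo with a constructed key file; names and project are placeholders.
demo_keyfile=$(mktemp)
printf '{"type": "service_account", "client_email": "gcp-svc-acc@example-project.iam.gserviceaccount.com", "private_key": "-----BEGIN PRIVATE KEY-----\\nCONSTRUCTED\\n-----END PRIVATE KEY-----\\n"}\n' > "$demo_keyfile"
pull_secret_cmd gar-pull-secret checkpoint us-central1-docker.pkg.dev "$demo_keyfile"
pull_secret_cmd GAR_Secret checkpoint us-central1-docker.pkg.dev "$demo_keyfile" || echo "rejected, as expected"
rm -f "$demo_keyfile"
```

The script only prints the command; review the output and run it yourself once the checks pass.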
- Click Next to continue with Cluster Configurations.
  In this step, you configure the CloudGuard Service Account credentials if in Step 1 of the wizard you selected to onboard with a new cluster or with an existing cluster that requires an agent update.
  For onboarding with a hosting cluster that has updated agents, this step is skipped.
  Configure a Service Account by one of these methods:
  - Select an existing Service Account with its corresponding API Key.
  - Enter a Service Account manually.
  - Click Add Service Account to create a new account.
- Click Next to continue to the next step.
  This step appears when you select to associate the registry with a new cluster or with an existing cluster that requires an agent update. CloudGuard instructs you how to install Image Assurance agents or to update them to the latest version on the cluster.
  For onboarding with a hosting cluster that has updated agents, this step is skipped.
  CloudGuard shows the details of your new registry and its related cluster.
  - Follow the on-screen instructions to copy the Helm commands and run them on your cluster with Helm 3.
- Click Next.
  CloudGuard shows the full details of your new registry and its related cluster. If your registry onboarding includes onboarding or updating the cluster, this page shows the cluster onboarding summary. The cluster deployment takes several minutes, and you can see its progress in the Cluster and Registry Status.
  For more information on the cluster onboarding summary, see STEP 4 - Onboarding Summary.
- Wait for the deployment to complete based on the Cluster and Agent Status, or click Finish to skip the process.
CloudGuard opens the onboarded registry. To validate the onboarding, open the Scanners tab and check the status of the registry and the cluster that scans it.
The related Kubernetes cluster page shows information on the registries that the cluster scans, in the list under Blades > Image Assurance > Image Scan Engine agent.