Onboarding Google Container Registry

1. In the CloudGuard portal, navigate to Asset > Environments.

2. From the top menu, select Add > Container Registry and follow the setup steps.

3. In the Container Registry Onboarding wizard, enter the registry details:

   1. Environment Name - Enter a new name for the registry or use the default name. This name allows you to identify the registry later in CloudGuard

   2. Environment Description - Optionally, enter a description.

   3. Select an Organizational Unit.

   4. Select the type of environment to host your scanner - Kubernetes or AWS ECS scanner.

   5. Select a Kubernetes cluster or an AWS environment on which you can run the registry scanner:

      • For Kubernetes, select from the list of clusters with enabled Image Assurance. For a new cluster, click Onboard a new Kubernetes Cluster and see Onboarding Kubernetes Clusters. In this case, you quit the registry onboarding and, after onboarding a new cluster, you need to start the registry onboarding from the beginning.

      • For AWS, select from the list of all AWS environments onboarded to CloudGuard.

   6. Choose Registry type - Select Google Cloud Container Registry (GCR).

   7. Registry URI - Select one of the approved endpoint names of your GCR, based on your region.

   8. Authentication Method - Select one of the methods:

      • GCP Service Account Key

        1. Create a service account with the needed permissions (minimal required role: roles/browser) and generate a json key for it. To do this, open a Google Cloud Shell terminal and run the commands below. This creates a service account gcp-svc-acc with the needed permissions to access GCR and generates the file gcp-svc-acc-keyfile.json to use for an image pull secret.

           gcloud iam service-accounts create gcp-svc-acc gcloud iam service-accounts keys create gcp-svc-acc-keyfile.json --iam-account gcp-svc-acc@<your_project_name>.iam.gserviceaccount.com gcloud projects add-iam-policy-binding <your_project_name> --member="serviceAccount:gcp-svc-acc@<your_project_name>.iam.gserviceaccount.com" --role="roles/browser" gsutil iam ch serviceAccount:gcp-svc-acc@<your_project_name>.iam.gserviceaccount.com:objectViewer gs://artifacts.<your_project_name>.appspot.com/

        2. Pull Secret Name - Create the image pull secret on your hosting cluster where the Check Point Image Assurance agents are deployed (can be done later).

           Make sure that the <secret-name> is a valid Kubernetes name. For more details, see the Kubernetes Documentation.

           To create the secret, run:

           Copy

           kubectl create secret docker-registry <secret-name> \
           --namespace <cloudguard-namespace> \
           --docker-server=<google-registry-uri> \
           --docker-username=_json_key \
           --docker-password="$(cat gcp-svc-acc-keyfile.json)"

        3. Enter the pull secret name in the CloudGuard onboarding wizard.

      • GCP GKE Internal Authentication

        To use this method, make sure the hosting cluster satisfies all the prerequisites in Prerequisites. When you select this option, no more configuration is required.

4. Click Next to continue with Cluster Configurations.

In this step, you configure the CloudGuard Service Account credentials if in Step 1 you selected to onboard with a new cluster or with the existing cluster that requires an agent update.

For onboarding with the hosting cluster that has updated agents, this step is skipped.

1. Configure a Service Account by one of these methods:

   • Select an existing Service Account with its corresponding API Key.

   • Enter a Service Account manually.

   • Click Add Service Account to create a new account.

2. Click Next to continue to the next step.