Onboarding Container Registries

A Container Registry A collection of repositories used to store and access container images. is a repository that stores container images. To scan your Container A lightweight and portable executable image that contains software and all of its dependencies. Containers decouple applications from underlying host infrastructure to make deployment easier in different cloud or OS environments, and for easier scaling. Registry environment with the Image Assurance capability, onboard the Container Registry to CloudGuard.

These are two options to scan your Container Registry in CloudGuard:

Link it to a Kubernetes Kubernetes, often abbreviated as “K8s”, orchestrates containerized applications to run on a cluster of hosts. cluster that has the ImageScan agents scanning your registry
Deploy ImageScan with an AWS Amazon® Web Services. Public cloud platform that offers global compute, storage, database, application and other cloud services. ECS Amazon Elastic Container Service (ECS) - a fully managed container orchestration service that helps you deploy, manage, and scale Docker containers running applications, services, and batch processes. scanner (available for selected types of registry)

CloudGuard can scan these types of container registries:

With an AWS ECS scanner or a Kubernetes scanner:
- Azure Collection of integrated cloud services that developers and IT professionals use to build, deploy, and manage applications through a global network of data centers managed by Microsoft®. Container Registry (ACR) - See Onboarding Azure Container Registry
- AWS Elastic Container Registry (ECR) - See Onboarding AWS Elastic Container Registry
- Google Cloud Container Registry (GCR) - See Onboarding Google Container Registry
- Harbor - See Onboarding Harbor Registry
- JFrog Artifactory - See Onboarding JFrog Artifactory
- Nexus - See Onboarding Sonatype Nexus Registry
- GitHub Container Registry - See Onboarding GitHub Container Registry
- Quay.io Container Registry - See Onboarding Quay.io Container Registry
With a Kubernetes scanner only:
- Google Artifact Registry (GAR) - See Onboarding Google Artifact Registry

General Workflow

To onboard a Container Registry to CloudGuard, follow these steps on the onboarding wizard:

Registry Configurations - Configure the registry.
Cluster Configurations - In this step, it is necessary to provide the CloudGuard Service Account credentials.
Environment Configurations - In the hosting environment, select to associate the registry with a new or existing cluster. Follow the instructions to configure the environment.
Onboarding Summary - For onboarding with a Kubernetes cluster only, CloudGuard shows the full details of your newly onboarded registry and its related cluster. If the process includes updating the cluster, this page shows the cluster onboarding summary. The cluster deployment takes several minutes, and you can see its progress in the Cluster and Registry Status.

CloudGuard opens the onboarded registry. For onboarding validation, in the Scanners tab, see the status of the registry and the cluster that scans it.

The related Kubernetes cluster page shows information on the registries that the cluster scans, in the list on Blades > Image Assurance > Image Scan Engine agent.

Inactive Container Registries

CloudGuard deletes inactive environments when a year (365 days) passed since any of the environment's agents has communicated with CloudGuard. An agent is required to communicate with CloudGuard at least once in the past.

Note - Environments with agents that communicated with errors are not removed.

Troubleshooting

Error	Corrective Actions
Failed to create registry worker	Make sure you created the pull secret in the same namespace where the CloudGuard agents are located. Make sure you gave the same secret name on the onboarding wizard page. Note: If you create or update the pull secret after the agents startup, you must restart the imagescan-engine and imagescan-list pods.
Failed to authenticate	Make sure the pull secret key name is correct and is created in the correct namespace. Make sure you entered correctly the username, password, and server URL in the secret definition.

Error

Corrective Actions

Failed to create registry worker

Make sure you created the pull secret in the same namespace where the CloudGuard agents are located.
Make sure you gave the same secret name on the onboarding wizard page.

Note: If you create or update the pull secret after the agents startup, you must restart the imagescan-engine and imagescan-list pods.

Failed to authenticate

Make sure the pull secret key name is correct and is created in the correct namespace.
Make sure you entered correctly the username, password, and server URL in the secret definition.

Known Limitations

By default, CloudGuard adds to Protected Assets and scans only 10 recent images of each repository. You can change the default value with the API call (maximal number is 1000 for a JFrog Artifactory and Sonatype Nexus). For more information, see the API Reference Guide.
Scanning Windows container images is not supported.
For JFrog Artifactory, it can take about 20 minutes that the images start to show for the first time.
For JFrog Artifactory and Sonatype Nexus, the maximal number of tags per repository is 1000. Container images from the repositories with more than 1000 tags are neither shown as protected assets, nor scanned. The number is limited due to extensive API calls and performance considerations.