Option to validate against private registries #46

Open
adriananeci opened this issue Apr 9, 2021 · 2 comments

@adriananeci

Is there any option to validate images that are coming from private registries?

@marccampbell
Member

@adamancini Because outdated runs as a kubectl plugin, it uses your local registry credentials. Private images will be scanned if you are also logged in to the same registries from your workstation.

We could pull image pull secrets from the podSpec when we scan and use those credentials also/instead. I haven't thought through the feasibility or security implications of this, except to know that we need to think through the security implications before doing it.

Does docker login work for private images now? Or are you looking for a more automated solution that uses the cluster credentials?

@adriananeci
Author

I'm able to successfully log in to the private registry using `docker login` locally, but still no luck with validating images. I'm still getting `Unable to get image data`.

1. Validate local docker login

   ```
   ❯ docker login anecik8sinfrastructure.azurecr.io
   Authenticating with existing credentials...
   Login Succeeded
   ```

2. Manually pull the image

   ```
   ❯ docker pull anecik8sinfrastructure.azurecr.io/net/hellotcp:v1.0.0
   v1.0.0: Pulling from net/hellotcp
   4f4fb700ef54: Pull complete
   c6d5d55350d6: Pull complete
   5ff22a2c5594: Pull complete
   Digest: sha256:2231321833a45f430161d2baec56fc35a4e6f107aa5de8f4aa4363fc57963a5d
   Status: Downloaded newer image for anecik8sinfrastructure.azurecr.io/net/hellotcp:v1.0.0
   anecik8sinfrastructure.azurecr.io/net/hellotcp:v1.0.0
   ```

3. Run outdated plugin

   ```
   ❯ kubectl outdated

   Image                                                  Current                                                  Latest                                                  Behind
   ................................
   anecik8sinfrastructure.azurecr.io/net/hellotcp     v1.0.0                                                   Unable to get image data
   ................................
   ```

On the other hand, I think it would be a more elegant way to get imagePullSecrets from the podSpec than running docker login. What security implications do you think can block such a feature?
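
Added example, not part of the thread and not code from the outdated project: a `kubernetes.io/dockerconfigjson` pull secret holds registry credentials keyed by registry host, so a scanner that reads imagePullSecrets should offer each credential only to the registry it is keyed to. The Go code below does that exact-host matching; `credsFor`, `registryHost` and the sample secret are hypothetical names and constructed data.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// dockerConfig mirrors a dockerconfigjson payload; Auth is base64("user:password").
type dockerConfig struct {
	Auths map[string]struct{ Username, Password, Auth string } `json:"auths"`
}

// Constructed sample payload; the credentials are not real.
const sampleSecret = `{"auths":{"https://anecik8sinfrastructure.azurecr.io":{"auth":"dXNlcjpwYXNz"},
"registry.example.com":{"username":"other","password":"other-pass"}}}`

// registryHost returns the explicit registry of an image reference, or "" if none.
func registryHost(image string) string {
	first, _, found := strings.Cut(image, "/")
	if found && (strings.ContainsAny(first, ".:") || first == "localhost") {
		return strings.ToLower(first)
	}
	return ""
}

// credsFor returns credentials only when an auths key names exactly the image's host.
func credsFor(configJSON []byte, image string) (user, pass string, ok bool) {
	var cfg dockerConfig
	host := registryHost(image)
	if host == "" || json.Unmarshal(configJSON, &cfg) != nil {
		return "", "", false
	}
	for key, e := range cfg.Auths {
		k := strings.TrimPrefix(strings.TrimPrefix(strings.ToLower(key), "https://"), "http://")
		if k, _, _ = strings.Cut(k, "/"); k != host {
			continue
		}
		if raw, err := base64.StdEncoding.DecodeString(e.Auth); err == nil && e.Username == "" {
			e.Username, e.Password, _ = strings.Cut(string(raw), ":")
		}
		return e.Username, e.Password, e.Username != ""
	}
	return "", "", false
}

func main() {
	fmt.Println(credsFor([]byte(sampleSecret), "anecik8sinfrastructure.azurecr.io/net/hellotcp:v1.0.0"))
}
```

An image with no explicit registry, or one whose host merely contains a configured host as a prefix, gets no credentials.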
