OpenShift Registry

Follow the steps below to add an OpenShift registry in order to scan it.

Prerequisites

- Dedicated Linux instance with Docker installed

- Deployed Qualys Container Security Sensor in registry mode. Refer to the Sensor Deployment Guide for instructions.   

Create a service account

You'll first need to create a service account and extract the service account token. Then log into the Container Security UI to add the registry.

1) Setup the OpenShift registry for public access. By default, the registry is not accessible outside of the cluster. You can configure it to be accessible publicly. Refer to the OpenShift documentation on Exposing the Registry.   

2) Create a new service account for use with Qualys. Refer to the OpenShift documentation on Using Service Accounts in Applications.  

3) Create and apply cluster role binding to assign permissions needed to access the registry and list the images. Associate the role "registry-viewer" to the service account. Refer to the OpenShift documentation on Creating a Cluster Role using RBAC.  

Here's a sample yaml where the service account is named "qualystestuser":  

kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: qualystestuserbinding
selfLink: >-
 /apis/rbac.authorization.k8s.io/v1/clusterrolebindings/balatestbindingclusterwide
uid: 71967d33-d7d4-470d-a7f1-dc43794d5af6
resourceVersion: '1263987'
creationTimestamp: '2021-05-20T19:51:09Z'
subjects:
- kind: ServiceAccount
  name: qualystestuser
  namespace: default
roleRef:
 apiGroup: rbac.authorization.k8s.io
 kind: ClusterRole
 name: registry-viewer  

Extract the service account

Perform the following commands to extract the service account token. You'll need this token to add the registry.  

oc describe sa qualystestuser

oc describe secrets ##token##  

List images in OpenShift registry

Perform the following command to assign permissions to access the registry and list the images:

oc adm policy add-cluster-role-to-user registry-viewer system:serviceaccount:<project>:qualystestuser

Perform the following commands to verify that the user has permission to list repositories:

oc login -u user

curl -v -u unused:$(oc whoami -t) https://<registry_server>:<port>/v2/_catalog?n=100  

Add the OpenShift registry

1) In the Container Security UI, go to Assets > Registries and click New Registry.  

2) Select Docker V2-Private from the Registry Type menu.

3) Provide the OpenShift URL in the URL field.

4) Provide the service account credentials under Authentication.  

5) Click Next to define a registry scan schedule or on demand scan.

Tip - You can also use the Container Security API to add a registry. See the Container Security API User Guide for details.