Use scanning from a different registry #28
The operator should detect images from either quay.io or an on-premise Quay installation. We designed it so that no user config is needed. Can you share your Pod manifest here so we can see what's going on?
I took the image you use in the high.pod.yaml and pushed that image into my private registry. Please find baddocker (pulls image from quay.io) and baddocker2 (pulls from my private registry). baddocker2 manifest:
Also here is the SCO log at the point that I deploy an image from our private repo. Notice the "No manifest security capabilities".
@aetomala can you make sure that the pod in which the CSO is running has access to your Quay instance. Specifically, the CSO will use Quay's
@kleesc The pod was deployed in OpenShift 4.3 using the OperatorHub Catalog. When I hit install, there is no option to update anything about the container that is about to be deployed, other than which namespaces I want to monitor. When I look at the yaml for the deployed operator, I don't see how the configuration you are suggesting can be injected. I am not sure if this is the desired behavior from RedHat, but would you take a look at the yaml for the pod and suggest what changes I need to make?
The pod yaml:
@kleesc If I read the code correctly (1.0.1 release) /.well-known/app-capabilities is already the default value for
Lastly, I noticed that in your master for this project, the security-labeller now makes use of another attribute, scanner host, which makes more sense. https://github.com/jjmengze/container-security-operator/blob/master/cmd/security-labeller/main.go
@aetomala The pod in which the CSO is running needs access to that endpoint mentioned above. One way to check would be to SSH into the CSO's pod, and try curling that endpoint from that pod instead. My guess is that since it's working on quay.io images and not your private Quay instance, it has to be something with the CSO being able to reach your private registry.
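The check described above, as an added example that is not part of this thread or of the operator's code: it fetches a registry's `/.well-known/app-capabilities` document and reports whether it advertises manifest security scanning. The document shape (`capabilities` → `manifest-security` → `rest-api-template`) and the host `quay.example.internal` are assumptions here, and the sample documents are constructed.

```python
"""Check whether a registry advertises Quay's manifest security capability.

Assumed well-known document shape (not confirmed by the thread):
  {"capabilities": {"manifest-security": {"rest-api-template": "..."}}}
"""
import json
from typing import Optional
from urllib.request import urlopen

CAPABILITY = "manifest-security"

# Constructed sample documents: one from a Quay-like registry, one from a
# registry that does not advertise manifest security.
SAMPLE_QUAY = json.dumps({
    "appName": "Quay",
    "capabilities": {CAPABILITY: {"rest-api-template":
        "https://quay.example.internal/api/v1/repository/"
        "{namespace}/{reponame}/manifest/{digest}/security"}},
})
SAMPLE_OTHER = json.dumps({"appName": "other", "capabilities": {}})


def fetch_capabilities(host: str, scheme: str = "https") -> str:
    """Fetch the well-known document from a live registry (network call).
    Run this from inside the CSO pod to test reachability from there."""
    url = f"{scheme}://{host}/.well-known/app-capabilities"
    with urlopen(url, timeout=10) as resp:
        return resp.read().decode()


def manifest_security_template(body: str) -> Optional[str]:
    """Return the manifest security REST template, or None when the document
    is not JSON or lacks the capability (the 'No manifest security
    capabilities' condition seen in the operator log)."""
    try:
        doc = json.loads(body)
    except json.JSONDecodeError:
        return None
    cap = doc.get("capabilities", {}).get(CAPABILITY, {})
    tmpl = cap.get("rest-api-template") if isinstance(cap, dict) else None
    return tmpl if isinstance(tmpl, str) else None


def security_url(template: str, namespace: str, reponame: str, digest: str) -> str:
    """Expand the template into the per-manifest security report URL."""
    return template.format(namespace=namespace, reponame=reponame, digest=digest)


if __name__ == "__main__":
    for name, body in (("quay", SAMPLE_QUAY), ("other", SAMPLE_OTHER)):
        print(name, "->", manifest_security_template(body) or "no manifest security")
```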
Sorry for hijacking. But I'm having the same issue. I would like to get results from both quay.io and my local Quay registry if possible ...
@kleesc I ssh'ed into the CSO pod and I was able to ping and do wget to host
These are the logs when I deploy the images in the sequence I described above:
After researching the source code: quay.io is hardcoded in the source code, so it's not possible to change quay.io to point to another private registry. I look forward to an enhancement of the function to support an on-premise Quay registry.
I have installed CSO through the OperatorHub on an OpenShift 4.3 instance. I also have a private Quay 3.2 instance configured to use Clair for scanning. I noticed that this operator only provides scan vulnerabilities on images from the quay.io registry and not from my private Quay repository. Is there something I need to do to the operator config or my registry such that the SCO reports scan issues from my Quay repo as well?