This is the multi-page printable view of this section. Click here to print.
Private registry support
1 - Private registry support for the CLI
The KubeClarity CLI can read a configuration file that stores credentials for private registries. (For details, on using an external configuration file, see Set configuration file location for the CLI).
Example registry section of the configuration file:
registry:
auths:
- authority: <registry 1>
username: <username for registry 1>
password: <password for registry 1>
- authority: <registry 2>
token: <token for registry 2>
Example registry configuration without authority: (in this case these credentials will be used for all registries):
registry:
auths:
- username: <username>
password: <password>
2 - Private registry support for Kubernetes
KubeClarity uses k8schain for authenticating to the registries. If the necessary service credentials are not discoverable by the k8schain, you can define them as secrets as described below.
In addition, if service credentials are not located in the kubeclarity
namespace, set CREDS_SECRET_NAMESPACE
to kubeclarity
Deployment.
When using Helm charts, CREDS_SECRET_NAMESPACE
is set to the release namespace installed kubeclarity.
Amazon ECR
-
Create an AWS IAM user with
AmazonEC2ContainerRegistryFullAccess
permissions. -
Use the user credentials (
AWS_ACCESS_KEY_ID
,AWS_SECRET_ACCESS_KEY
,AWS_DEFAULT_REGION
) to create the following secret:cat <<EOF | kubectl apply -f - apiVersion: v1 kind: Secret metadata: name: ecr-sa namespace: kubeclarity type: Opaque data: AWS_ACCESS_KEY_ID: $(echo -n 'XXXX'| base64 -w0) AWS_SECRET_ACCESS_KEY: $(echo -n 'XXXX'| base64 -w0) AWS_DEFAULT_REGION: $(echo -n 'XXXX'| base64 -w0) EOF
Note:
- The name of the secret must be
ecr-sa
- The secret data keys must be set to
AWS_ACCESS_KEY_ID
,AWS_SECRET_ACCESS_KEY
, andAWS_DEFAULT_REGION
- The name of the secret must be
Google GCR
-
Create a Google service account with
Artifact Registry Reader
permissions. -
Use the service account json file to create the following secret:
kubectl --namespace kubeclarity create secret generic --from-file=sa.json gcr-sa
Note:
- Secret name must be
gcr-sa
sa.json
must be the name of the service account json file when generating the secret- KubeClarity is using application default credentials. These only work when running KubeClarity from GCP.
- Secret name must be