Private registry support for Kubernetes
KubeClarity uses k8schain to authenticate to container registries. If the credentials k8schain needs are not discoverable automatically, you can provide them as Kubernetes Secrets as described below.

By default the secrets are read from the kubeclarity namespace. If you create them in a different namespace, set the CREDS_SECRET_NAMESPACE environment variable on the kubeclarity Deployment to that namespace. When installing with the Helm chart, CREDS_SECRET_NAMESPACE is set automatically to the release namespace KubeClarity is installed in.
Amazon ECR

- Create an AWS IAM user with the AmazonEC2ContainerRegistryFullAccess policy. Pulling images for scanning only needs read access, so under least privilege the AmazonEC2ContainerRegistryReadOnly managed policy is sufficient and preferable.
- Use the user's credentials (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_DEFAULT_REGION) to create the following secret, replacing XXXX with the real values:

```shell
cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Secret
metadata:
  name: ecr-sa
  namespace: kubeclarity
type: Opaque
data:
  AWS_ACCESS_KEY_ID: $(echo -n 'XXXX' | base64 -w0)
  AWS_SECRET_ACCESS_KEY: $(echo -n 'XXXX' | base64 -w0)
  AWS_DEFAULT_REGION: $(echo -n 'XXXX' | base64 -w0)
EOF
```
Note:
- The name of the secret must be ecr-sa
- The secret data keys must be set to AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, and AWS_DEFAULT_REGION
- base64 -w0 is a GNU coreutils flag and is rejected by the macOS/BSD base64; there, drop the flag (BSD base64 does not wrap by default), or use stringData: instead of data: and pass the plain values so the API server encodes them for you
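The ECR procedure above, as an added example that is not part of KubeClarity's code or documentation: a POSIX shell helper that builds the ecr-sa manifest from values passed in (so real keys are not pasted inline), uses a base64 invocation that works on both GNU and BSD systems, and checks the result for the exact secret name and data keys the notes require before it is piped to kubectl apply. The function names and the placeholder credential values are my own constructed examples, not real keys.

```shell
#!/usr/bin/env sh
# Added example, not KubeClarity's own code: generate and sanity-check the
# ecr-sa Secret manifest before applying it.

# Base64 without line wrapping, portable across GNU and BSD/macOS
# (GNU `base64 -w0` does not exist on BSD; `tr -d '\n'` works everywhere).
b64() { printf '%s' "$1" | base64 | tr -d '\n'; }

# Emit the Secret manifest for namespace $1 from three credential values.
# Values are parameters so the function is testable; in practice call it as
#   make_ecr_secret kubeclarity "$AWS_ACCESS_KEY_ID" "$AWS_SECRET_ACCESS_KEY" "$AWS_DEFAULT_REGION" | kubectl apply -f -
make_ecr_secret() {
  ns=$1; key_id=$2; secret=$3; region=$4
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: ecr-sa
  namespace: ${ns}
type: Opaque
data:
  AWS_ACCESS_KEY_ID: $(b64 "$key_id")
  AWS_SECRET_ACCESS_KEY: $(b64 "$secret")
  AWS_DEFAULT_REGION: $(b64 "$region")
EOF
}

# Check a manifest (read from stdin) for the exact secret name and the three
# data keys KubeClarity looks up. Returns 0 if all are present, 1 otherwise,
# and names each missing item on stderr.
check_ecr_secret() {
  manifest=$(cat)
  rc=0
  for needle in 'name: ecr-sa' 'AWS_ACCESS_KEY_ID:' 'AWS_SECRET_ACCESS_KEY:' 'AWS_DEFAULT_REGION:'; do
    if ! printf '%s\n' "$manifest" | grep -q "^ *${needle}"; then
      echo "missing: ${needle}" >&2
      rc=1
    fi
  done
  return $rc
}

# Decode one data key ($1) from a manifest on stdin, to confirm the value
# round-trips through the encoding step.
decode_key() {
  grep "^ *$1:" | sed 's/^[^:]*: *//' | base64 -d
}
```

Run the generator output through check_ecr_secret first; a secret created under another name or with differently spelled keys is silently ignored by KubeClarity, so catching that before apply saves a confusing debugging session later.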
Google GCR

- Create a Google service account with the Artifact Registry Reader role.
- Use the service account JSON key file to create the following secret:

```shell
kubectl --namespace kubeclarity create secret generic gcr-sa --from-file=sa.json
```

Note:
- The name of the secret must be gcr-sa
- The key file must be named sa.json when generating the secret, because kubectl uses the file name as the data key (the --from-file=sa.json=/path/to/key.json form also works)
- KubeClarity authenticates to GCR using Google application default credentials; without this secret, those are only available when KubeClarity itself runs on GCP