Private registry support

1 - Private registry support for the CLI

The KubeClarity CLI can read a configuration file that stores credentials for private registries. (For details on using an external configuration file, see Set configuration file location for the CLI.)

Example registry section of the configuration file:

    - authority: <registry 1>
      username: <username for registry 1>
      password: <password for registry 1>
    - authority: <registry 2>
      token: <token for registry 2>

Example registry configuration without authority (in this case, these credentials are used for all registries):

    - username: <username>
      password: <password>

2 - Private registry support for Kubernetes

KubeClarity uses k8schain to authenticate to the registries. If the necessary service credentials are not discoverable by k8schain, you can define them as secrets as described below.

In addition, if the service credentials are not located in the kubeclarity namespace, set CREDS_SECRET_NAMESPACE on the kubeclarity Deployment.

When using Helm charts, CREDS_SECRET_NAMESPACE is set to the release namespace in which kubeclarity is installed.

Amazon ECR

  1. Create an AWS IAM user with AmazonEC2ContainerRegistryFullAccess permissions.

  2. Use the user credentials (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_DEFAULT_REGION) to create the following secret:

    cat <<EOF | kubectl apply -f -
    apiVersion: v1
    kind: Secret
    metadata:
      name: ecr-sa
      namespace: kubeclarity
    type: Opaque
    data:
      AWS_ACCESS_KEY_ID: $(echo -n 'XXXX'| base64 -w0)
      AWS_SECRET_ACCESS_KEY: $(echo -n 'XXXX'| base64 -w0)
      AWS_DEFAULT_REGION: $(echo -n 'XXXX'| base64 -w0)
    EOF


    • The name of the secret must be ecr-sa
    • The secret data keys must be set to AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, and AWS_DEFAULT_REGION
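
An added example, not part of the KubeClarity documentation: a shell function that renders the same ecr-sa manifest from environment variables without applying it. It strips base64 line wraps with `tr` (the `-w0` flag is GNU-specific) and rejects empty values or values containing whitespace. The names `render_ecr_secret` and `b64` are hypothetical.

```sh
#!/bin/sh
# Added example: render the ecr-sa Secret manifest on stdout (nothing is applied).

# b64: encode stdin as one base64 line. Wrapped output would corrupt the
# manifest, and `base64 -w0` is not available everywhere, so drop newlines.
b64() { base64 | tr -d '\n'; }

# render_ecr_secret [namespace]   (hypothetical helper, default: kubeclarity)
# Reads AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_DEFAULT_REGION from
# the environment. Returns 1 if a value is empty or contains whitespace; a
# stray trailing newline produces a secret that decodes to the wrong value.
render_ecr_secret() {
    ns="${1:-kubeclarity}"
    for var in AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_DEFAULT_REGION; do
        eval "val=\${$var-}"
        if [ -z "$val" ]; then
            echo "error: $var is not set" >&2
            return 1
        fi
        # $(...) strips trailing newlines, so any whitespace makes these differ.
        if [ "$val" != "$(printf '%s' "$val" | tr -d '[:space:]')" ]; then
            echo "error: $var contains whitespace" >&2
            return 1
        fi
    done
    # The secret name and data keys below are the ones KubeClarity requires.
    cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: ecr-sa
  namespace: $ns
type: Opaque
data:
  AWS_ACCESS_KEY_ID: $(printf '%s' "$AWS_ACCESS_KEY_ID" | b64)
  AWS_SECRET_ACCESS_KEY: $(printf '%s' "$AWS_SECRET_ACCESS_KEY" | b64)
  AWS_DEFAULT_REGION: $(printf '%s' "$AWS_DEFAULT_REGION" | b64)
EOF
}
```

After reviewing the output, pipe it to `kubectl apply -f -` as in step 2.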

Google GCR

  1. Create a Google service account with Artifact Registry Reader permissions.

  2. Use the service account JSON file to create the following secret:

    kubectl --namespace kubeclarity create secret generic --from-file=sa.json gcr-sa


    • The secret name must be gcr-sa
    • sa.json must be the name of the service account JSON file when generating the secret
    • KubeClarity uses application default credentials. These only work when running KubeClarity from GCP.