Docker discoveries
The Docker discoveries let you list the set of Docker images available from a registry, or pulled into an existing Docker deployment. The discovered Docker images can then be added to Cyberwatch with a grouped action for scanning.
Kubernetes
Prerequisites
Kubernetes discoveries need:
- Kubernetes API endpoint
- Authentication mode: Authentication token or Client certificate
- Credentials that can access the Pods resource via the list verb
- Credentials that can access the namespaces/status and Pods/status resources via the list and get verbs
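The prerequisites above translate directly into RBAC rules. The following is an added example (not Cyberwatch's own code) that checks whether a set of rules bound to the discovery's service account grants every verb the discovery needs, so a too-narrow role is caught before the credential set is entered; the ClusterRole name cyberwatch-discovery and the sample rule sets are constructed for the example.

```python
# Added example, not part of the Cyberwatch documentation: check that the RBAC rules
# bound to the discovery's service account cover the verbs the Kubernetes discovery
# needs, before the credential set is entered in Cyberwatch.
import json
from typing import Dict, List, Set

# Permissions listed in the discovery prerequisites (all core-group resources):
#   pods -> list; pods/status and namespaces/status -> list, get
REQUIRED: Dict[str, Set[str]] = {
    "pods": {"list"},
    "pods/status": {"list", "get"},
    "namespaces/status": {"list", "get"},
}

# Constructed least-privilege ClusterRole; the metadata name is an assumption.
DISCOVERY_CLUSTERROLE = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "ClusterRole",
    "metadata": {"name": "cyberwatch-discovery"},
    "rules": [
        {"apiGroups": [""], "resources": ["pods"], "verbs": ["list"]},
        {"apiGroups": [""], "resources": ["pods/status", "namespaces/status"],
         "verbs": ["list", "get"]},
    ],
}

# Constructed rule set that is too narrow: it forgets the status subresources.
TOO_NARROW_RULES = [
    {"apiGroups": [""], "resources": ["pods"], "verbs": ["list", "get"]},
]


def granted_verbs(rules: List[dict], resource: str) -> Set[str]:
    """Union of verbs the rules grant on one core-group resource, honouring '*' wildcards."""
    verbs: Set[str] = set()
    for rule in rules:
        groups = rule.get("apiGroups", [])
        if "" not in groups and "*" not in groups:
            continue  # pods and namespaces live in the core ("") API group
        resources = rule.get("resources", [])
        if resource in resources or "*" in resources:
            verbs |= set(rule.get("verbs", []))
    return verbs


def missing_permissions(rules: List[dict]) -> Dict[str, List[str]]:
    """Map each required resource to the verbs the rules fail to grant (empty dict = OK)."""
    missing: Dict[str, List[str]] = {}
    for resource, needed in REQUIRED.items():
        have = granted_verbs(rules, resource)
        if "*" in have:
            continue
        lacking = sorted(needed - have)
        if lacking:
            missing[resource] = lacking
    return missing


def to_manifest(role: dict) -> str:
    """Serialise the role as JSON, which kubectl accepts wherever it accepts YAML."""
    return json.dumps(role, indent=2)


if __name__ == "__main__":
    print(to_manifest(DISCOVERY_CLUSTERROLE))
    print("least-privilege role missing:", missing_permissions(DISCOVERY_CLUSTERROLE["rules"]))
    print("too-narrow role missing:", missing_permissions(TOO_NARROW_RULES))
```

Running the check against the role you intend to bind reports the exact verbs that are lacking, which is easier to act on than a discovery that silently returns no images.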
If you have a Kubernetes cluster, you can scan it with Cyberwatch to list all the images deployed on it.
Kubernetes discoveries require a credential set that you can create from the Stored credentials menu. The essential pieces of information you need are (1) the entry point to the Kubernetes API, for example https://cluster-ip:6443, (2) the authentication mode, which will be by Authentication Token (typically a JWT) or by Client Certificate, and (3) the credentials required by the chosen authentication mode.
The entry point to the Kubernetes API and the Authentication Token can be easily extracted from the YAML configuration of a service account by looking for the keys server: and token:.
You can generate a Client Certificate by following the official documentation.
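As an added example (not Cyberwatch's own code), the following pulls the entry point and the token out of a service-account kubeconfig by scanning for the server: and token: keys, then sanity-checks both before they go into the stored credential set. The kubeconfig, the CA data and the token are constructed for the example; the cluster address is the one used above.

```python
# Added example, not part of the Cyberwatch documentation: read the API entry point
# and the bearer token out of a service-account kubeconfig by scanning for the
# "server:" and "token:" keys, and sanity-check them before entering them as stored credentials.
import base64
import re
from typing import Dict, List, Optional


def _fake_jwt() -> str:
    """Build an unsigned, constructed token with the three-part shape of a real JWT."""
    def enc(s: str) -> str:
        return base64.urlsafe_b64encode(s.encode()).decode().rstrip("=")
    header = enc('{"alg":"RS256","kid":"demo"}')
    claims = enc('{"iss":"kubernetes/serviceaccount","sub":"system:serviceaccount:default:cyberwatch"}')
    return f"{header}.{claims}.{enc('constructed-signature')}"


# Constructed kubeconfig: the server is the documentation's example address,
# the CA data and the token are fakes built for this example.
SAMPLE_KUBECONFIG = f"""apiVersion: v1
kind: Config
clusters:
- name: demo
  cluster:
    server: https://cluster-ip:6443
    certificate-authority-data: CONSTRUCTED-CA-DATA
users:
- name: cyberwatch
  user:
    token: {_fake_jwt()}
contexts:
- name: cyberwatch@demo
  context:
    cluster: demo
    user: cyberwatch
"""

KEY_RE = re.compile(r"^\s*(server|token):\s*(\S+)\s*$", re.MULTILINE)
JWT_PART_RE = re.compile(r"[A-Za-z0-9_-]+")


def extract_endpoint_and_token(kubeconfig: str) -> Dict[str, Optional[str]]:
    """Return the first 'server' and 'token' values found (None when a key is absent)."""
    found: Dict[str, Optional[str]] = {"server": None, "token": None}
    for key, value in KEY_RE.findall(kubeconfig):
        if found[key] is None:
            found[key] = value
    return found


def looks_like_jwt(token: str) -> bool:
    """A JWT is three base64url segments separated by dots."""
    parts = token.split(".")
    return len(parts) == 3 and all(JWT_PART_RE.fullmatch(p) for p in parts)


def credential_problems(server: Optional[str], token: Optional[str]) -> List[str]:
    """List what would make the credential set unusable for the discovery."""
    problems: List[str] = []
    if server is None:
        problems.append("no server: key found")
    elif not server.startswith("https://"):
        problems.append("API entry point is not an https URL")
    if token is None:
        problems.append("no token: key found")
    elif not looks_like_jwt(token):
        problems.append("token does not have the three-part JWT shape")
    return problems


if __name__ == "__main__":
    creds = extract_endpoint_and_token(SAMPLE_KUBECONFIG)
    print("entry point:", creds["server"])
    print("problems:", credential_problems(creds["server"], creds["token"]) or "none")
```

The first occurrence of each key wins, so on a kubeconfig holding several clusters or users, check that the values found belong to the cluster and service account you intend to use.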
Once the credential set is ready, you can create the Kubernetes discovery by going to Discoveries, then clicking Add and Kubernetes in the Docker images category.
There are several ways to adjust the scope of a Kubernetes discovery:
- List images defined in pod configuration (images are then referenced by tag)
- List images currently running on the cluster (images are then referenced by digest)
- List namespaces (images will not be referenced)
These perimeters are also available for AKS and EKS discoveries.
It is also possible to restrict the discovery to one namespace. This is also available for the Red Hat OpenShift discovery.
Red Hat OpenShift
Prerequisites
Red Hat OpenShift discoveries need:
- Kubernetes API endpoint
- Authentication mode: Authentication token or Client certificate
- Credentials that can access the Pods resource via the list verb
- Credentials that can access the namespaces/status and Pods/status resources via the list and get verbs
If you have a Red Hat OpenShift cluster, you can scan it with Cyberwatch to list all the images deployed on it.
Once the Kubernetes credential set is created from the menu, you can create the Red Hat OpenShift discovery by going to Discoveries, then clicking Add and Red Hat OpenShift in the Docker images category.
AWS EKS
Prerequisites
AWS EKS discoveries need:
- An IAM role with the following permissions:
If you have an Amazon Elastic Kubernetes Service cluster, you can scan it with Cyberwatch to list all the images deployed on it.
Once the credential set is created from the menu, you can create the Amazon EKS discovery by going to Discoveries, then clicking Add and Amazon EKS in the Docker images category.
Azure Kubernetes Server (AKS)
If you have an Azure Kubernetes Server (AKS) cluster, you can scan it with Cyberwatch to list all the images deployed on it.
Prerequisites
AKS discoveries need:
- A set of Microsoft Azure credentials with read access to the Managed Clusters routes and to the clusters to be scanned
- The Azure Kubernetes Service RBAC Reader and Azure Kubernetes Service Cluster User Role rights
Once the credential set is created from the menu, you can create the AKS discovery by going to Discoveries, then clicking Add and Azure Kubernetes Server (AKS) in the Docker images category. You can find the information relative to the discovery creation here.
Docker registries
Prerequisites
Docker discoveries need:
- A service account with permission to list all the registry artifacts
If you have a private Docker registry and a service account able to enumerate its image catalog, you may create an asset discovery in Cyberwatch to list all the objects it contains. However, only Docker images can be supervised by Cyberwatch.
To use the Docker images discovery, you need to add your Docker registry using the Stored credentials menu. You will then be able to add a Docker registry discovery from the Discoveries menu by clicking Add, then Docker registry in the Docker images category.
If the registry is properly configured, the discovery will list all the found registry artifacts.
Harbor registries
Prerequisites
Harbor registries discoveries need (one of the following):
- A Harbor system administrator account to list the artifacts on all the projects
- A robot account with permission to list the artifacts on all the projects
- A guest account to list the artifacts only on public projects
To use the Harbor registry discovery, you need to add your Harbor registry as a Docker Registry from the Stored credentials menu. You will then be able to add a Harbor registry discovery from the Discoveries menu by clicking Add, then Harbor registry in the Docker images category. If the registry is properly configured, the discovery will list all the found Docker images.
On a Harbor registry, the Docker registry discovery lists all tagged artifacts, not only images, whereas the Harbor registry discovery lists all images whether they are tagged or not.
Amazon ECR registries
Prerequisites
Amazon ECR discoveries need:
- An AWS access key with permission to list all the registry artifacts
If you have an Amazon ECR registry and an AWS access key able to enumerate its image catalog, you may create an asset discovery in Cyberwatch to list all the objects it contains. However, only Docker images can be supervised by Cyberwatch.
To use the Amazon ECR discovery, you need to add a Docker registry using the Stored credentials menu. You will then be able to add an Amazon ECR discovery from the Discoveries menu by clicking Add, then Amazon ECR in the Docker images category.
If the registry is properly configured, the discovery will list all the found registry artifacts.
Docker Swarm
Prerequisites
Docker Swarm discoveries need:
- Images with an associated tag
Docker Swarm discoveries let you list the images available locally on a Docker execution engine. They apply to Docker Swarm deployments but are not limited to them: any Docker daemon will be compatible.
Only tagged Docker images will be listed, which excludes intermediate images and images pulled by an explicit ID.
A Docker engine credential set is required for this type of discovery. To create one, please refer to the documentation on Docker images.
Once the credential set is ready, you can create the Docker Swarm discovery by going to Discoveries, then clicking Add and Docker Swarm in the Docker images category.
GitLab Container Registry
Prerequisites
Docker image discoveries from a GitLab Container Registry need:
- A GitLab access token with read_api permission
GitLab integrates a Docker registry called GitLab Container Registry for storing Docker images associated with GitLab projects. It can be scanned like a regular Docker registry, but that requires super-administrator credentials. The GitLab Container Registry discovery instead uses GitLab's REST API to discover accessible Docker images, and works even with a regular user.
This discovery requires a GitLab access token that you can create from the user settings of your account on GitLab. The access token must have read_api permissions. Once created, you need to add it to Cyberwatch as Stored credentials.
Finally, you can create the discovery from the Discoveries menu by choosing the type GitLab Container Registry and then selecting your credential set.
Discovery from Linux
Prerequisites
Docker image discoveries on Linux-based assets need:
- Running images
- Root permissions with sudo if the user is not root or access to the Docker socket is not allowed
This discovery retrieves all Docker images present on all Linux machines within the Forwarded scope.
By default, the Forwarded scope encompasses all Linux assets, but it is possible to narrow it down by selecting one or more groups in the Forwarded scope field of the form.
Add the discovered Docker images
From the discovery assets list, you can view and filter the discovered Docker images that are not yet associated with an asset. To add them to Cyberwatch, pick the images you wish to scan and click Bulk actions > Scan as Docker images.
To scan an image, you will need a Docker engine. If you have not configured one yet, please refer to Add a Docker image.
Newly discovered Docker images can be automatically added to Cyberwatch as they are discovered. To enable this feature, go to the discovery edit form and specify a Docker engine.
The registry is automatically selected based on the name of the discovered image. For instance, the image example.com/library/hello would automatically use the registry example.com, provided it has been added as a stored credential. New registries are automatically added as stored credentials, and you can manually edit them if they require authentication. You may in certain contexts select a preferred registry, but it will only be selected when the registry in the name of the discovered image matches the entry point of the registry.