Docker discoveries
The Docker discoveries let you list the Docker images available from a registry, or pulled into an existing Docker deployment. The discovered Docker images can then be added to Cyberwatch for scanning with a bulk action.
Kubernetes
Prerequisites
Kubernetes discoveries need:
- the Kubernetes API endpoint
- an authentication mode: Authentication Token or Client Certificate
- credentials that can access the pods resource via the list verb
- credentials that can access the namespaces/status and pods/status resources via the list and get verbs
If you have a Kubernetes cluster, you can scan it with Cyberwatch to list all the images deployed on it.
Kubernetes discoveries require a credential set, which you can create from the Stored credentials menu. Three pieces of information are needed: (1) the entry point of the Kubernetes API, for example https://cluster-ip:6443, (2) the authentication mode, either Authentication Token (typically a JWT) or Client Certificate, and (3) the credentials required by the chosen authentication mode.
The entry point of the Kubernetes API and the Authentication Token can be read directly from the YAML configuration (kubeconfig) of a service account, by looking for the server: and token: keys.
You can generate a Client Certificate by following the official documentation.
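The following script is an added example and is not part of the Cyberwatch documentation or product. It creates a service account with a ClusterRole granting exactly the verbs listed in the prerequisites (list on pods, get and list on namespaces/status and pods/status), and shows how the server: and token: values are pulled out of a kubeconfig. The namespace and account names are illustrative, the embedded kubeconfig is constructed (not a real cluster or token), and the apply_rbac step assumes kubectl 1.24 or later with admin access to the cluster.

```shell
#!/bin/sh
# Added example (not Cyberwatch code): least-privilege credentials for a
# Kubernetes discovery. Names below are illustrative assumptions.
NAMESPACE="cyberwatch"
ACCOUNT="cyberwatch-discovery"

# RBAC limited to the verbs the discovery needs. It is cluster-scoped so
# that every namespace can be listed; use a Role + RoleBinding in one
# namespace instead when the discovery is restricted to that namespace.
discovery_rbac_manifest() {
  cat <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ${ACCOUNT}
  namespace: ${NAMESPACE}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ${ACCOUNT}
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["list"]
- apiGroups: [""]
  resources: ["namespaces/status", "pods/status"]
  verbs: ["get", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: ${ACCOUNT}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ${ACCOUNT}
subjects:
- kind: ServiceAccount
  name: ${ACCOUNT}
  namespace: ${NAMESPACE}
EOF
}

# Read the API endpoint (server:) and bearer token (token:) from a
# kubeconfig passed on stdin. The first occurrence of each key is used,
# which is what a single-context service-account kubeconfig contains.
kubeconfig_server() { awk '$1 == "server:" { print $2; exit }'; }
kubeconfig_token()  { awk '$1 == "token:"  { print $2; exit }'; }

# Constructed kubeconfig in the layout kubectl produces (not real data).
SAMPLE_KUBECONFIG='apiVersion: v1
kind: Config
clusters:
- name: demo
  cluster:
    server: https://10.0.0.1:6443
    certificate-authority-data: LS0tQ09OU1RSVUNURUQtLS0=
users:
- name: cyberwatch-discovery
  user:
    token: eyJhbGciOiJSUzI1NiJ9.constructed.token
contexts:
- name: demo
  context:
    cluster: demo
    user: cyberwatch-discovery
current-context: demo'

# Apply the RBAC against the current cluster and mint a token for the
# account. The API server may cap --duration; the default is one hour,
# which is too short for a recurring discovery.
apply_rbac() {
  kubectl get namespace "${NAMESPACE}" >/dev/null 2>&1 \
    || kubectl create namespace "${NAMESPACE}"
  discovery_rbac_manifest | kubectl apply -f -
  echo "server: $(kubectl config view --minify | kubeconfig_server)"
  echo "token: $(kubectl create token "${ACCOUNT}" -n "${NAMESPACE}" --duration=8760h)"
}

if [ "${1:-}" = "apply" ]; then
  apply_rbac
else
  # Offline demonstration on the constructed kubeconfig.
  echo "server: $(printf '%s\n' "$SAMPLE_KUBECONFIG" | kubeconfig_server)"
  echo "token:  $(printf '%s\n' "$SAMPLE_KUBECONFIG" | kubeconfig_token)"
fi
```

Run the script with the argument apply to create the objects and print the two values to paste into the stored credential; without arguments it only parses the constructed kubeconfig. Clusters older than 1.24 do not have kubectl create token and instead expose a long-lived token through a Secret bound to the service account; the token: key is read from that Secret in the same way.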
Once the credential set is ready, you can create the Kubernetes discovery by going to Discoveries, then clicking Add and Kubernetes in the Docker images category.
There are several ways to adjust the scope of a Kubernetes discovery:
- List images defined in pod configuration (images are then referenced by tag)
- List images currently running on the cluster (images are then referenced by digest)
- List namespaces (images will not be referenced)
These scopes are also available for AKS and EKS discoveries.
It is also possible to restrict the discovery to one namespace. This is also available for the Red Hat OpenShift discovery.
Add the discovered Docker images
From the discovery's asset list, you can view and filter the discovered Docker images that are not yet associated with an asset. To add them to Cyberwatch, select the images you want to scan and click Bulk actions > Scan as Docker images.
To scan an image, you need a Docker engine. If you have not configured one yet, see Add a Docker image.
Newly discovered Docker images can also be added to Cyberwatch automatically as they are discovered. To enable this, open the discovery edit form and specify a Docker engine.
The registry is selected automatically from the name of the discovered image. For instance, the image example.com/library/hello uses the registry example.com, provided it has been added as a stored credential. New registries are added automatically as stored credentials, and you can edit them manually if they require authentication. In some contexts you may select a preferred registry, but it is only used when the registry part of the discovered image's name matches the entry point of that stored registry.