You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Originally posted by maltemorgenstern May 4, 2024
Hey there, I have a question about private registries.
We are running a private registry for all of our docker images (there are gatekeeper policies in place to enforce that only internal images can be deployed into the cluster). Therefore every deployment/namespace contains an ImagePullSecret with credentials to our registry.
Using the default trivy-operator configuration this works like a charm - and reports for all resources are being created (because the operator is using the ImagePullSecret from each workload to pull the image, see the docs).
The problem is that the default configuration comes with highly privileged permissions. Because operator.accessGlobalSecretsAndServiceAccount defaults to true, the deployed ClusterRole grants the operator access to all secrets in all namespaces - which is being criticised by our security team.
Based on this discussion instead of using the ImagePullSecret in each namespace one can configure the operator to use a different secret from other namespaces. In our case we would just reference the secret from the operator namespace which contains credentials that are valid for all images in the cluster:
operator:
# Do not allow access to everything (to increase security)accessGlobalSecretsAndServiceAccount: false# Instead configure operator to read ImagePullSecret from its own namespaceprivateRegistryScanSecretsNames: {"trivy-operator":"internal-pullsecret"}
But this does not work - and all scan jobs fail with unauthorized errors.
Looking at the code the reason seems to be that privateRegistryScanSecretsNames requires accessGlobalSecretsAndServiceAccount to be enabled?
And - in general - I can understand this requirement - because if you reference a workload namespace as the secret source that cluster-wide access is required to read the data.
But if the namespace is the operator namespace this is not needed - because the default role already contains the required permissions to read kubernetes secrets:
Is there currently a way to provide access to private registries without granting the operator access to all secrets in the cluster?
If not: what do you think about the idea to add another option for providing the credentials - which would be referencing a local ImagePullSecret and therefor not needing global access?
Kind Regard Malte
The text was updated successfully, but these errors were encountered:
Discussed in #2053
Originally posted by maltemorgenstern May 4, 2024
Hey there, I have a question about private registries.
We are running a private registry for all of our docker images (there are gatekeeper policies in place to enforce that only internal images can be deployed into the cluster). Therefore every deployment/namespace contains an
ImagePullSecret
with credentials to our registry.Using the default
trivy-operator
configuration this works like a charm - and reports for all resources are being created (because the operator is using theImagePullSecret
from each workload to pull the image, see the docs).The problem is that the default configuration comes with highly privileged permissions. Because
operator.accessGlobalSecretsAndServiceAccount
defaults totrue
, the deployedClusterRole
grants the operator access to all secrets in all namespaces - which is being criticised by our security team.Based on this discussion instead of using the
ImagePullSecret
in each namespace one can configure the operator to use a different secret from other namespaces. In our case we would just reference the secret from the operator namespace which contains credentials that are valid for all images in the cluster:But this does not work - and all scan jobs fail with
unauthorized
errors.Looking at the code the reason seems to be that
privateRegistryScanSecretsNames
requiresaccessGlobalSecretsAndServiceAccount
to be enabled?trivy-operator/pkg/vulnerabilityreport/controller/workload.go
Lines 255 to 269 in 4b1c6c3
And - in general - I can understand this requirement - because if you reference a workload namespace as the secret source that cluster-wide access is required to read the data.
But if the namespace is the operator namespace this is not needed - because the default role already contains the required permissions to read kubernetes secrets:
trivy-operator/deploy/helm/templates/rbac/role.yaml
Lines 18 to 25 in 4b1c6c3
Question
Kind Regard Malte
The text was updated successfully, but these errors were encountered: