Twistlock uses the Docker v2 Registry catalog API call to inventory images within a registry. The OpenShift Internal Registry currently does not support the Docker v2 Registry catalog API call. Therefore you have to configure Twistlock to scan an image down to the registry/project/repository level. This does not scale well especially within large OpenShift implementations.
The good news is that Red Hat will be adding the catalog API call in OpenShift v3.11. Until then, you can use this Twistlock script to inventory all the images within the OpenShift Internal Registry and populate them into Twistlock’s Registry Scanner entries.
Using the script to scan images on OpenShift
This script queries OpenShift for all the images within each Project's Image Stream. It then calls the Twistlock API to create a Defend > Vulnerabilities > Registry entry for each repository. Twistlock will then scan all the images within the OpenShift Internal Registry.
Technical deep dive
The following technologies and versions are required:
- Twistlock v2.4
- OpenShift v3.3+
- An authenticated session to the OpenShift cluster with OpenShift CLI (oc) access
- PowerShell v6 (it now runs on macOS and Linux!)
When you deploy Twistlock within an OpenShift cluster, Twistlock creates a service account. This service account is used to authenticate to the OpenShift Internal Registry. Use the password associated with this service account in the configuration of the Twistlock Registry Scanner. Here is the procedure to configure the Twistlock service account:
- Give the Twistlock service account the right to read the OpenShift registry: oc adm policy add-cluster-role-to-user system:image-puller system:serviceaccount:twistlock:twistlock-service
- Find the service account's registry secret: oc describe sa twistlock-service -n twistlock
- Read the secret: oc describe secret twistlock-service-dockercfg-<string>. In the secret, note the username (serviceaccount) and the password (a very long string that ends just before "email"). Copy the password string into the $TL_service_account_password variable.
Then, run the script within PowerShell. You will be prompted for your Twistlock credentials. Once the script completes you will see the OpenShift repositories within Defend > Vulnerabilities > Registry.
The scan results will appear in Monitor > Vulnerabilities > Registry.
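The following PowerShell is an added illustration of how the three pieces of the procedure fit together (pulling the service account password out of the dockercfg secret, enumerating image streams, and turning them into registry scanner entries). It is not Twistlock's populator script. The dockercfg and image stream JSON are constructed samples so the code runs offline; the Console URL, the /api/v1/settings/registry endpoint and the field names of a registry specification are assumptions that should be checked against your Console's API documentation.

```powershell
# Added example, not the Twistlock script. The oc commands shown in comments are
# the live equivalents of the constructed sample data used below.

# --- 1. Extract the registry password from the service account's dockercfg secret ---
# Live: $secret = oc get sa twistlock-service -n twistlock -o jsonpath='{.imagePullSecrets[0].name}'
#       $b64    = oc get secret $secret -n twistlock -o jsonpath='{.data.\.dockercfg}'
#       $json   = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64))
function Get-DockercfgPassword {
    param(
        [Parameter(Mandatory)] [string] $DockercfgJson,                    # decoded .dockercfg content
        [string] $RegistryHost = 'docker-registry.default.svc:5000'        # assumed internal registry host
    )
    $cfg   = $DockercfgJson | ConvertFrom-Json
    $entry = $cfg.PSObject.Properties | Where-Object { $_.Name -like "$RegistryHost*" } | Select-Object -First 1
    if (-not $entry) { throw "No dockercfg entry for $RegistryHost" }
    # The password is the service account token (the long string that precedes "email")
    return $entry.Value.password
}

# --- 2. Enumerate image streams in every project -> registry/project/repository paths ---
# Live: $isJson = oc get imagestreams --all-namespaces -o json
function Get-OpenShiftRepositories {
    param([Parameter(Mandatory)] [string] $ImageStreamListJson)
    $list = $ImageStreamListJson | ConvertFrom-Json
    foreach ($is in $list.items) {
        # status.dockerImageRepository is "<registry>/<namespace>/<name>"; streams that were
        # never pushed to have an empty status and are skipped
        if ($is.status.dockerImageRepository) { $is.status.dockerImageRepository }
    }
}

# --- 3. Build one Twistlock registry scanner specification per repository ---
function New-RegistrySpecification {
    param(
        [Parameter(Mandatory)] [string] $Repository,   # e.g. docker-registry.default.svc:5000/shop/cart
        [Parameter(Mandatory)] [string] $CredentialId  # credential stored in the Console (assumed field)
    )
    $registry, $path = $Repository -split '/', 2
    # Field names are assumptions; verify against the Console API reference for your version
    return [ordered]@{
        registry     = "https://$registry"
        repository   = $path
        tag          = ''               # empty tag = scan every tag in the repository
        credentialID = $CredentialId
        os           = 'linux'
    }
}

# --- Constructed sample data (stands in for the oc output above) ---
$sampleDockercfg = '{"docker-registry.default.svc:5000":{"username":"serviceaccount","password":"CONSTRUCTED-TOKEN-VALUE","email":"serviceaccount@example.org"}}'
$sampleImageStreams = @'
{"items":[
  {"metadata":{"namespace":"shop","name":"cart"},"status":{"dockerImageRepository":"docker-registry.default.svc:5000/shop/cart"}},
  {"metadata":{"namespace":"shop","name":"web"},"status":{"dockerImageRepository":"docker-registry.default.svc:5000/shop/web"}},
  {"metadata":{"namespace":"scratch","name":"unpushed"},"status":{}}
]}
'@

$TL_service_account_password = Get-DockercfgPassword -DockercfgJson $sampleDockercfg
$specs = Get-OpenShiftRepositories -ImageStreamListJson $sampleImageStreams |
    ForEach-Object { New-RegistrySpecification -Repository $_ -CredentialId 'openshift-internal' }

# Two specifications are produced (shop/cart and shop/web); the unpushed stream is skipped
$specs | ConvertTo-Json -Depth 3

# Pushing to the Console (assumed endpoint; the script prompts for Console credentials):
# $cred = Get-Credential -Message 'Twistlock Console'
# Invoke-RestMethod -Method Put -Uri 'https://console.example.org:8083/api/v1/settings/registry' `
#     -Credential $cred -Authentication Basic -ContentType 'application/json' `
#     -Body (@{ specifications = @($specs) } | ConvertTo-Json -Depth 4)
```

The password extracted in step 1 is what goes into the Console's registry credential for the internal registry, so it should be handled like any other cluster token: keep it out of shell history and scripts checked into source control, and rotate it by recreating the service account secret if it is ever exposed.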
With the OpenShift Internal Registry to Twistlock Registry Scanner Populator script you get the full benefits of Twistlock image vulnerability and compliance scanning. To learn more about how you can quickly and easily deploy Twistlock on OpenShift, check out our Twistlock deployment script.