Twistlock uses the Docker v2 Registry catalog API call (`/v2/_catalog`) to inventory the images within a registry. The OpenShift Internal Registry currently does not support the catalog call, so you have to configure each Twistlock Registry Scanner entry down to the registry/project/repository level. This does not scale well, especially in large OpenShift implementations.
The good news is that Red Hat will be adding the catalog API call in OpenShift v3.11. Until then, you can use this Twistlock script to inventory all the images within the OpenShift Internal Registry and populate them into Twistlock's Registry Scanner entries.
Using the script to scan images on OpenShift
This script queries OpenShift for the Image Streams in every Project, then calls the Twistlock API to create a Defend > Vulnerabilities > Registry entry for each repository. Twistlock then scans all the images within the OpenShift Internal Registry.
Technical deep dive
The following technologies and versions are required:
- Twistlock v2.4
- OpenShift v3.3+
- Access to the OpenShift cluster through the OpenShift CLI (oc), already authenticated with oc login
- PowerShell v6 (it now runs on macOS and Linux as well as Windows)
When you deploy Twistlock within an OpenShift cluster, Twistlock creates a service account (twistlock-service in the twistlock project). This service account is used to authenticate to the OpenShift Internal Registry, and its registry password is what you enter in the Twistlock Registry Scanner credentials. Here is the procedure to configure the Twistlock service account:
- Give the Twistlock service account the right to pull from the OpenShift registry (cluster-wide pull access only; it grants no push rights): oc adm policy add-cluster-role-to-user system:image-puller system:serviceaccount:twistlock:twistlock-service
- Find the dockercfg secret attached to the service account: oc describe sa twistlock-service -n twistlock. Note the secret named twistlock-service-dockercfg-<string>.
- Read that secret: oc describe secret twistlock-service-dockercfg-<string> -n twistlock. In the output, note the username (serviceaccount) and the password (a very long string that ends just before "email"). Copy the password string into the $TL_service_account_password variable. This password is the service account's token, so treat it as a secret: do not commit the script with the variable populated.
Then run the script within PowerShell. You will be prompted for your Twistlock credentials. Once the script completes, the OpenShift repositories appear under Defend > Vulnerabilities > Registry.
The scan results will appear in Monitor > Vulnerabilities > Registry.
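The following Python is an added example that mirrors what the procedure above does, not the Twistlock PowerShell script itself: it decodes the service account's dockercfg secret instead of copying the password by hand, walks `oc get imagestreams --all-namespaces -o json` output to list the repositories that actually exist in the internal registry, and builds one registry-scanner specification per repository. The two JSON samples are constructed and trimmed, the registry host docker-registry.default.svc:5000 and the credential ID are assumptions, and the specification field names and the /api/v1/settings/registry endpoint are assumed from the Twistlock 2.x API rather than taken from this page; check them against your console's API documentation before running `push_specifications` for real.

```python
import base64
import json
import ssl
import urllib.request

# Constructed sample: trimmed output of
#   oc get secret twistlock-service-dockercfg-<string> -n twistlock -o json
# The ".dockercfg" value is base64-encoded JSON keyed by registry host.
# The password is a placeholder, not a real service account token.
SAMPLE_DOCKERCFG_SECRET = {
    "data": {
        ".dockercfg": base64.b64encode(json.dumps({
            "docker-registry.default.svc:5000": {
                "username": "serviceaccount",
                "password": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.placeholder-token",
                "email": "serviceaccount@example.org",
            }
        }).encode()).decode()
    }
}

# Constructed sample: trimmed output of
#   oc get imagestreams --all-namespaces -o json
SAMPLE_IMAGESTREAMS = {
    "items": [
        {"metadata": {"namespace": "shop", "name": "frontend"},
         "status": {"dockerImageRepository": "docker-registry.default.svc:5000/shop/frontend"}},
        {"metadata": {"namespace": "shop", "name": "api"},
         "status": {"dockerImageRepository": "docker-registry.default.svc:5000/shop/api"}},
        # An image stream with nothing pushed yet has no internal repository to scan.
        {"metadata": {"namespace": "tools", "name": "upstream-nginx"},
         "status": {}},
    ]
}


def registry_credentials(secret):
    """Decode the dockercfg secret and return (registry, username, password).

    Replaces hand-copying the password out of `oc describe secret` output.
    """
    cfg = json.loads(base64.b64decode(secret["data"][".dockercfg"]))
    registry, auth = next(iter(cfg.items()))
    return registry, auth["username"], auth["password"]


def internal_repositories(imagestreams):
    """Return sorted 'project/name' repositories present in the internal registry.

    Image streams whose status has no dockerImageRepository are skipped so that
    no registry entry is created for a repository Twistlock could not scan.
    """
    repos = set()
    for item in imagestreams["items"]:
        if not item.get("status", {}).get("dockerImageRepository"):
            continue
        meta = item["metadata"]
        repos.add(f"{meta['namespace']}/{meta['name']}")
    return sorted(repos)


def registry_specifications(registry, repos, credential_id):
    """Build one Twistlock registry-scanner specification per repository.

    Field names (version, registry, repository, os, credentialID) are an
    assumption based on the Twistlock 2.x settings/registry API.
    """
    return [
        {"version": "2", "registry": registry, "repository": repo,
         "os": "linux", "credentialID": credential_id}
        for repo in repos
    ]


def push_specifications(console_url, user, password, specs, ca_bundle=None):
    """PUT the specification list to the console (network call; not run offline).

    The endpoint and body shape are assumed from the Twistlock 2.x API; the
    console user needs permission to edit registry settings.
    """
    body = json.dumps({"specifications": specs}).encode()
    req = urllib.request.Request(f"{console_url}/api/v1/settings/registry",
                                 data=body, method="PUT",
                                 headers={"Content-Type": "application/json"})
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    ctx = ssl.create_default_context(cafile=ca_bundle)  # keep TLS verification on
    with urllib.request.urlopen(req, context=ctx) as resp:
        return resp.status


if __name__ == "__main__":
    registry, user, _password = registry_credentials(SAMPLE_DOCKERCFG_SECRET)
    repos = internal_repositories(SAMPLE_IMAGESTREAMS)
    # "openshift-sa" stands in for the credential ID you gave the registry
    # username/password pair in the Twistlock console.
    for spec in registry_specifications(registry, repos, "openshift-sa"):
        print(json.dumps(spec))
```

With real data you would replace the two samples with the parsed output of the `oc` commands shown in the comments and call `push_specifications` with your console URL and the credentials the PowerShell script prompts for; the skip in `internal_repositories` is what keeps empty image streams from turning into registry entries that never produce a scan result.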
With the OpenShift Internal Registry to Twistlock Registry Scanner Populator script you get the full benefits of Twistlock image vulnerability and compliance scanning. To learn more about how you can quickly and easily deploy Twistlock on OpenShift, check out our Twistlock deployment script.