Twistlock uses the Docker v2 Registry catalog API call to inventory images within a registry. The OpenShift Internal Registry currently does not support the Docker v2 Registry catalog API call. Therefore you have to configure Twistlock to scan an image down to the registry/project/repository level. This does not scale well especially within large OpenShift implementations.

The good news is that Red Hat will be adding the catalog API call in OpenShift v3.11. Until then, you can use this Twistlock script to inventory all the images within the OpenShift Internal Registry and populate them into Twistlock’s Registry Scanner entries.

Using the script to scan images on OpenShift

This script queries OpenShift for all the images within each Project’s Image Stream. Then calls the Twistlock API to create a Defender > Vulnerabilities > Registry entry for each repository. Twistlock will then scan all the images within the OpenShift Internal Registry.

Technical deep dive

The following technologies and versions are required:

  • Twistlock v2.4
  • OpenShift v3.3+
  • Authenticated to OpenShift cluster and OSE CLI (oc) access
  • Powershell v6 it now runs on MacOS and Linux!

When you deploy Twistlock within an OpenShift cluster, Twistlock creates a service account. This service account is used to authenticate to the OpenShift Internal Registry. Use the password associated with this service account in the configuration of the Twistlock Registry Scanner. Here is the procedure to configure the Twistlock service account:

  1. Give the Twistlock Service account the right to read the OpenShift registry: oc adm policy add-cluster-role-to-user system:image-puller system:serviceaccount:twistlock:twistlock-service
  2. oc describe sa twistlock-service -n twistlock
  3. oc describe secret twistlock-service-dockercfg-<string> in the secret, note the username (serviceaccount) and the password (a very long string, ends before “email”) copy the password string into the $TL_service_account_password variable.

Then, run the script within Powershell. You will be prompted for your Twistlock Credentials. Once the script completes you will see the OpenShift repositories within Defend > Vulnerabilities > Registry

The scan results will appear in Monitor > Vulnerabilities > Registry

Conclusion

With the OpenShift Internal Registry to Twistlock Registry Scanner Populator script you get the full benefits of Twistlock image vulnerability and compliance scanning. To learn more about how you can quickly and easily deploy Twistlock on OpenShift, check out our Twistlock deployment script.

← Back to All Posts Next Post →