
Comments (8)

dwertent avatar dwertent commented on June 2, 2024 1

@bmelbourne Thank you for reporting this. We will look into this :)

from kubevuln.

matthyx avatar matthyx commented on June 2, 2024

@bmelbourne I think the operator should send the right settings to kubevuln when you specify SkipTLSVerify in a registry scan config...

matthyx avatar matthyx commented on June 2, 2024

if it is a "normal" workload scan, then maybe we need to add a knob somewhere @dwertent ?

bmelbourne avatar bmelbourne commented on June 2, 2024

@matthyx
Thanks, I'll take a look at enabling the SkipTLSVerify setting in the Helm chart

bmelbourne avatar bmelbourne commented on June 2, 2024

@matthyx
I've found the code which sets the SkipTLSVerify property but I'm unable to find how to update this from the latest v1.18.3 Helm chart values. Can you advise?

https://github.com/kubescape/operator/blob/main/mainhandler/vulnscan.go#L112

matthyx avatar matthyx commented on June 2, 2024

Hi @bmelbourne, this parameter is set by the operator microservice when it asks kubevuln to run a scan on an image. @dwertent do you have an idea?

amirmalka avatar amirmalka commented on June 2, 2024

Hi @bmelbourne ,

It is not possible to configure skip TLS with our latest Helm chart; however, it is supported but requires some manual steps.

In case you already have a secret configured for your registry credentials, you should simply add the boolean skipTLSVerify field.

i.e.

kind: Secret
apiVersion: v1
metadata:
  name: kubescape-registry-scan-example-secret
  namespace: kubescape
type: Opaque
stringData:
  registriesAuth: |
    [
      {
        "registry": "your-registry",
        "username": "<username/clientID>",
        "password": "<password/secret>",
        "auth_method": "credentials",
        "skipTLSVerify": true
      }
    ]

In case you are not using a secret, you can read more about it in our docs: https://kubescape.io/docs/operator/vulnerabilities/#granting-credentials-directly

It is also possible to create the secret by specifying the credentials in .Values.imageScanning.privateRegistries.credentials
See: https://github.com/kubescape/helm-charts/blob/main/charts/kubescape-operator/templates/configs/private-registries-creds-secret.yaml
Just note that this will require editing the secret and adding the skipTLSVerify manually.

Please advise if the above steps work for you and we will update our docs + helm chart accordingly.

Thanks,
Amir

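
As an added illustration (not code from this thread or from the kubescape project), here is a small stdlib-only Python audit script for a registry-credentials Secret of the shape shown above. It decodes the registriesAuth list from either .stringData (as written in a manifest) or .data (base64, as the API server returns it), checks each entry for the fields the example uses, and lists the registries that have TLS verification disabled so a reviewer can confirm each one is intended. The registry names are constructed placeholders, and the string-vs-boolean check for skipTLSVerify is the example's own sanity check based on the thread's description of the field as a boolean, not documented kubevuln behaviour. The report never includes credentials.

```python
import base64
import json

# Constructed sample registriesAuth list. Field names mirror the stringData
# example in the thread; registry hostnames are placeholders.
REGISTRIES_AUTH = [
    {
        "registry": "registry.example.internal",
        "username": "<username/clientID>",
        "password": "<password/secret>",
        "auth_method": "credentials",
        "skipTLSVerify": True,        # TLS verification disabled: should be reviewed
    },
    {
        "registry": "registry.example.com",
        "username": "<username/clientID>",
        "password": "<password/secret>",
        "auth_method": "credentials",  # no skipTLSVerify: verification stays on
    },
    {
        "registry": "registry.example.net",
        "username": "<username/clientID>",
        "password": "<password/secret>",
        "auth_method": "credentials",
        "skipTLSVerify": "true",      # quoted string, a likely hand-editing mistake
    },
]

# Constructed sample Secret as `kubectl get secret -o json` would return it:
# the JSON list is stored base64-encoded under .data.
SAMPLE_SECRET = {
    "apiVersion": "v1",
    "kind": "Secret",
    "metadata": {"name": "kubescape-registry-scan-example-secret", "namespace": "kubescape"},
    "type": "Opaque",
    "data": {
        "registriesAuth": base64.b64encode(json.dumps(REGISTRIES_AUTH).encode()).decode(),
    },
}

# Fields every entry in the thread's example carries besides the credentials.
REQUIRED_FIELDS = ("registry", "auth_method")


def load_registries_auth(secret: dict) -> list:
    """Decode and parse the registriesAuth list from a Secret object.

    Accepts either .stringData (plain text manifest) or .data (base64 as stored).
    """
    if "registriesAuth" in secret.get("stringData", {}):
        raw = secret["stringData"]["registriesAuth"]
    elif "registriesAuth" in secret.get("data", {}):
        raw = base64.b64decode(secret["data"]["registriesAuth"]).decode()
    else:
        raise ValueError("secret has no registriesAuth key")
    entries = json.loads(raw)
    if not isinstance(entries, list):
        raise ValueError("registriesAuth must be a JSON list")
    return entries


def validate_entry(entry: dict) -> list:
    """Return the problems found in one registry entry (empty list if clean)."""
    problems = [f"missing field {field!r}" for field in REQUIRED_FIELDS if field not in entry]
    # The thread describes skipTLSVerify as a boolean field; flag a quoted
    # "true"/"false" string so it is not silently taken for the boolean.
    if "skipTLSVerify" in entry and not isinstance(entry["skipTLSVerify"], bool):
        problems.append("skipTLSVerify must be a JSON boolean (true/false), not a string")
    return problems


def insecure_registries(secret: dict) -> list:
    """Names of registries whose entry explicitly disables TLS verification."""
    return [e["registry"] for e in load_registries_auth(secret) if e.get("skipTLSVerify") is True]


def audit(secret: dict) -> dict:
    """Summarise a registry-credentials Secret for review, without exposing credentials."""
    entries = load_registries_auth(secret)
    problems = {e.get("registry", "?"): validate_entry(e) for e in entries}
    return {
        "entries": len(entries),
        "problems": {name: p for name, p in problems.items() if p},
        "skipTLSVerify": insecure_registries(secret),
    }


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_SECRET), indent=2))
```

Run it against a real Secret by replacing SAMPLE_SECRET with the output of `kubectl get secret <name> -n kubescape -o json` (loaded with json.load); any registry listed under "skipTLSVerify" in the report is one where image-scan pulls will not validate the registry's certificate, so it deserves an explicit justification.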

amirmalka avatar amirmalka commented on June 2, 2024

@bmelbourne

We have released a new helm chart (1.18.5) which contains a fix for your issue.
https://github.com/kubescape/helm-charts/releases/tag/kubescape-operator-1.18.5

It is now possible to configure skipping certificate verification for private registry in the values.yaml:
https://github.com/kubescape/helm-charts/blob/kubescape-operator-1.18.5/charts/kubescape-operator/values.yaml#L161

We have also updated our docs to reflect this change:
https://kubescape.io/docs/operator/vulnerabilities/#insecure-registries-access
