Closed bmelbourne closed 8 months ago
@bmelbourne I think operator should send the right settings to kubevuln when you specify SkipTLSVerify in a registry scan config... if it is a "normal" workload scan, then maybe we need to add a knob somewhere @dwertent ?
@matthyx Thanks, I'll take a look at enabling the SkipTLSVerify setting in the Helm chart.
@matthyx I've found the code which sets the SkipTLSVerify property, but I'm unable to find how to update this from the latest v1.18.3 Helm chart values. Can you advise?

https://github.com/kubescape/operator/blob/main/mainhandler/vulnscan.go#L112
hi @bmelbourne this parameter is set by the operator microservice when it asks kubevuln to run a scan on an image, @dwertent do you have an idea?
@bmelbourne Thank you for reporting this. We will look into this :)
Hi @bmelbourne,

It is not possible to configure skipping TLS verification with our latest Helm chart; however, it is supported but requires some manual steps.

In case you already have a secret configured for your registry credentials, you should simply add the boolean skipTLSVerify field, i.e.:

```yaml
kind: Secret
apiVersion: v1
metadata:
  name: kubescape-registry-scan-example-secret
  namespace: kubescape
type: Opaque
stringData:
  registriesAuth: |
    [
      {
        "registry": "your-registry",
        "username": "<username/clientID>",
        "password": "<password/secret>",
        "auth_method": "credentials",
        "skipTLSVerify": true
      }
    ]
```

In case you are not using a secret, you can read more about it in our docs: https://kubescape.io/docs/operator/vulnerabilities/#granting-credentials-directly

It is also possible to create the secret by specifying the credentials in .Values.imageScanning.privateRegistries.credentials. See: https://github.com/kubescape/helm-charts/blob/main/charts/kubescape-operator/templates/configs/private-registries-creds-secret.yaml

Just note that this will require editing the secret and adding the skipTLSVerify field manually.

Please advise if the above steps work for you and we will update our docs + helm chart accordingly.

Thanks, Amir
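Because skipTLSVerify disables certificate checking for that registry, it is worth being able to see at a glance which registries a cluster's registry-scan Secret has it set for. The following audit script is an added example, not kubescape code. It assumes only the Secret layout shown in the comment above (a JSON array under registriesAuth, each entry optionally carrying a boolean skipTLSVerify); the registry names and credential values in the sample are constructed placeholders, and the SAMPLE_SECRET dict mimics what `kubectl get secret -o json` returns (base64 under `data`).

```python
"""Audit a kubescape registry-scan Secret for registries with TLS verification disabled.

Added example, not part of kubescape. Assumes the Secret layout from the thread:
stringData.registriesAuth (or data.registriesAuth, base64-encoded, as returned by
`kubectl get secret -o json`) holds a JSON array of registry entries.
"""
import base64
import json

# Constructed sample (placeholder registries and credentials), shaped like the
# output of `kubectl get secret <name> -n kubescape -o json`.
_REGISTRIES_AUTH = json.dumps([
    {"registry": "harbor.internal.example", "username": "<username/clientID>",
     "password": "<password/secret>", "auth_method": "credentials",
     "skipTLSVerify": True},
    {"registry": "registry.example.com", "username": "<username>",
     "password": "<password>", "auth_method": "credentials"},
])
SAMPLE_SECRET = {
    "apiVersion": "v1",
    "kind": "Secret",
    "metadata": {"name": "kubescape-registry-scan-example-secret",
                 "namespace": "kubescape"},
    "type": "Opaque",
    "data": {"registriesAuth": base64.b64encode(_REGISTRIES_AUTH.encode()).decode()},
}


def load_registries_auth(secret: dict) -> list:
    """Decode the registriesAuth entries from a Secret object.

    Accepts either an applied manifest (plain text under stringData) or the
    stored form (base64 under data).
    """
    string_data = secret.get("stringData") or {}
    if "registriesAuth" in string_data:
        raw = string_data["registriesAuth"]
    else:
        raw = base64.b64decode(secret["data"]["registriesAuth"]).decode()
    entries = json.loads(raw)
    if not isinstance(entries, list):
        raise ValueError("registriesAuth must be a JSON array")
    return entries


def insecure_registries(secret: dict) -> list:
    """Registry names whose entry sets skipTLSVerify to the JSON boolean true."""
    return [e["registry"] for e in load_registries_auth(secret)
            if e.get("skipTLSVerify") is True]


def validate_entries(entries: list) -> list:
    """Return human-readable problems with the entries.

    Checks that each entry names a registry and that skipTLSVerify, when present,
    is a JSON boolean (a string such as "true" is a common mistake; what the
    operator does with a non-boolean is not covered by the thread, so the check
    is conservative).
    """
    problems = []
    for i, entry in enumerate(entries):
        if "registry" not in entry:
            problems.append(f"entry {i}: missing registry")
        if "skipTLSVerify" in entry and not isinstance(entry["skipTLSVerify"], bool):
            problems.append(f"entry {i}: skipTLSVerify must be a JSON boolean, "
                            f"got {entry['skipTLSVerify']!r}")
    return problems


if __name__ == "__main__":
    entries = load_registries_auth(SAMPLE_SECRET)
    for problem in validate_entries(entries):
        print("WARN", problem)
    for name in insecure_registries(SAMPLE_SECRET):
        print("TLS verification disabled for registry:", name)
```

To run it against a live cluster, replace SAMPLE_SECRET with the parsed output of `kubectl get secret <name> -n kubescape -o json`; the functions accept that object directly.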
@bmelbourne We have released a new helm chart (1.18.5) which contains a fix for your issue: https://github.com/kubescape/helm-charts/releases/tag/kubescape-operator-1.18.5

It is now possible to configure skipping certificate verification for private registry in the values.yaml: https://github.com/kubescape/helm-charts/blob/kubescape-operator-1.18.5/charts/kubescape-operator/values.yaml#L161

We have also updated our docs to reflect this change: https://kubescape.io/docs/operator/vulnerabilities/#insecure-registries-access
Description

When kubevuln attempts to scan an image stored in our private registry, specifically Harbor, it reports the following error...

Environment

OS: Ubuntu 22.04.3 LTS
Version: kubevuln v0.3.1

Steps To Reproduce

v1.18.1 (kubescape v3.0.3)

Expected behavior

Unable to find a Helm configuration setting to either add a specific TLS Root CA certificate (as a Kubernetes TLS secret), or allow insecure HTTPS connections to the Harbor private registry, something similar to `--tls.verify=false`.

Actual Behavior

Error reported shown above.

Additional context

None