Open adriananeci opened 3 years ago
@adamancini Because outdated runs as a kubectl plugin, it uses your local registry credentials. Private images will be scanned if you are also logged in to the same registries from your workstation.
We could pull image pull secrets from the podSpec when we scan and use those credentials also/instead. I haven't thought through the feasibility or security implications of this, except to know that we need to think through the security implications before doing it.
Does `docker login` work for private images now? Or are you looking for a more automated solution that uses the cluster credentials?
I'm able to successfully log in to the private registry using `docker login` locally, but still no luck with validating images. I'm still getting `Unable to get image data`.
Validate local docker login

```
❯ docker login anecik8sinfrastructure.azurecr.io
Authenticating with existing credentials...
Login Succeeded
```
Manually pull the image

```
❯ docker pull anecik8sinfrastructure.azurecr.io/net/hellotcp:v1.0.0
v1.0.0: Pulling from net/hellotcp
4f4fb700ef54: Pull complete
c6d5d55350d6: Pull complete
5ff22a2c5594: Pull complete
Digest: sha256:2231321833a45f430161d2baec56fc35a4e6f107aa5de8f4aa4363fc57963a5d
Status: Downloaded newer image for anecik8sinfrastructure.azurecr.io/net/hellotcp:v1.0.0
anecik8sinfrastructure.azurecr.io/net/hellotcp:v1.0.0
```
Run `outdated` plugin

```
❯ kubectl outdated
Image                                            Current   Latest   Behind
................................
anecik8sinfrastructure.azurecr.io/net/hellotcp   v1.0.0    Unable to get image data
................................
```
On the other hand, I think it would be a more elegant way to get `imagePullSecrets` from the podSpec than running docker login. What security implications do you think can block such a feature?
Is there any option to validate images that are coming from private registries?
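
An added example, not part of the thread or of the outdated plugin's code: one way the `imagePullSecrets` idea discussed above could be scoped so that a credential from a `kubernetes.io/dockerconfigjson` Secret is matched only to the registry host the image itself names, and the lookup fails closed otherwise. `credsForImage`, `hostOf` and the sample secret are hypothetical, and image references are assumed to carry an explicit registry host.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/url"
	"strings"
)

// hostOf reduces an auths key or an image reference to its registry host.
// Assumption: image references carry an explicit registry host.
func hostOf(s string) string {
	if u, err := url.Parse(s); err == nil && u.Host != "" {
		return strings.ToLower(u.Host)
	}
	return strings.ToLower(strings.SplitN(s, "/", 2)[0])
}

// credsForImage reads the payload of a kubernetes.io/dockerconfigjson Secret and
// returns credentials only when an auths entry names exactly the image's
// registry host, so a pull secret is never offered to any other registry.
func credsForImage(secretData []byte, image string) (user, pass string, err error) {
	var cfg struct {
		Auths map[string]struct{ Auth string } `json:"auths"` // Auth = base64("user:pass")
	}
	if err = json.Unmarshal(secretData, &cfg); err != nil {
		return "", "", fmt.Errorf("parse .dockerconfigjson: %w", err)
	}
	want := hostOf(image)
	for key, e := range cfg.Auths {
		if hostOf(key) != want {
			continue
		}
		raw, derr := base64.StdEncoding.DecodeString(e.Auth)
		if u, p, ok := strings.Cut(string(raw), ":"); derr == nil && ok {
			return u, p, nil
		}
		return "", "", fmt.Errorf("malformed auth entry for %s", want)
	}
	return "", "", fmt.Errorf("no pull secret entry for %s", want)
}

func main() {
	// Constructed secret: auth is base64("puller:not-a-real-password").
	secret := []byte(`{"auths":{"https://registry.example.com":{"auth":"cHVsbGVyOm5vdC1hLXJlYWwtcGFzc3dvcmQ="}}}`)
	user, _, err := credsForImage(secret, "registry.example.com/net/hellotcp:v1.0.0")
	fmt.Println(user, err)
}
```

Reading Secrets this way also requires the caller to hold `get` permission on Secrets in the pod's namespace, which is itself part of the security trade-off raised in the thread.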