snyk / kubernetes-monitor

Use Snyk to find and fix vulnerabilities in your Kubernetes workloads
https://docs.snyk.io/products/snyk-container/image-scanning-library/kubernetes-workload-and-image-scanning/kubernetes-integration-overview

[πŸ™] Add (document) support for Google Artifact Registry #1314

Open jdomeracki opened 1 year ago

jdomeracki commented 1 year ago

Describe the user need

Hi Team, as GCR recently got deprecated it might be high time to start officially supporting Google Artifact Registry.

Describe expected behaviour

The following section of the documentation should include a snippet showcasing a sample configuration of the dockercfg.json including credHelpers set for GAR: https://github.com/snyk/kubernetes-monitor/tree/staging/snyk-monitor#installing

Example:

❯ cat dockercfg.json | jq
{
  "credHelpers": {
    "us-central1-docker.pkg.dev": "gcloud",
    "europe-west1-docker.pkg.dev": "gcloud"
  }
}

Of course some unit and/or integration test cases would be welcome as well.

Additional context

We've actually tested this in our environment and the proposed addition works as intended.

NOTE: The underlying GCP Service Account mapped via Workload Identity needs to have a proper IAM binding, i.e. the Artifact Registry Reader role bound to the Registry in scope.

Reference: https://cloud.google.com/artifact-registry/docs/access-control#roles
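The credHelpers snippet above only works if every Artifact Registry host that a workload actually pulls from has its own entry (one per region, e.g. us-central1-docker.pkg.dev and europe-west1-docker.pkg.dev). The following script, added here as an example and not part of snyk-monitor's own code, reproduces the Docker config lookup order (credHelpers by registry host, then a static auths entry, then the global credsStore) and reports which Artifact Registry hosts referenced by a list of image references have no helper configured. The sample dockercfg.json and image references are constructed for illustration; the function and variable names are this example's own.

```python
import json
import re
from typing import Dict, List, Optional

# Constructed sample dockercfg.json mirroring the one in the issue: two GAR
# regions are routed to the gcloud helper (docker-credential-gcloud).
SAMPLE_DOCKERCFG = json.dumps({
    "credHelpers": {
        "us-central1-docker.pkg.dev": "gcloud",
        "europe-west1-docker.pkg.dev": "gcloud",
    }
})

# Constructed image references as a workload audit might list them; the
# asia-east1 host deliberately has no helper entry so the gap check fires.
SAMPLE_IMAGES = [
    "us-central1-docker.pkg.dev/my-proj/apps/api:1.4.2",
    "europe-west1-docker.pkg.dev/my-proj/apps/worker@sha256:" + "0" * 64,
    "asia-east1-docker.pkg.dev/my-proj/apps/cron:2.0",
    "nginx:1.25",
]

# Regional Artifact Registry Docker hosts are "<location>-docker.pkg.dev".
GAR_HOST_RE = re.compile(r"^[a-z0-9-]+-docker\.pkg\.dev$")


def load_dockercfg(text: str) -> Dict:
    """Parse a dockercfg.json document; missing sections default to empty."""
    cfg = json.loads(text)
    cfg.setdefault("credHelpers", {})
    cfg.setdefault("auths", {})
    return cfg


def registry_host(image_ref: str) -> str:
    """Return the registry host (with port, if any) for an image reference.

    Docker treats the first path component as a host only if it contains a
    '.' or ':' or is 'localhost'; otherwise the image lives on docker.io.
    """
    first, sep, _ = image_ref.partition("/")
    if not sep or ("." not in first and ":" not in first and first != "localhost"):
        return "docker.io"
    return first


def helper_for(cfg: Dict, image_ref: str) -> Optional[str]:
    """Resolve the credential source Docker clients consult for this image.

    Order: per-host credHelpers entry, then a static auths entry (reported as
    the string "auths"), then the global credsStore, else None.
    """
    host = registry_host(image_ref)
    if host in cfg["credHelpers"]:
        return cfg["credHelpers"][host]
    if host in cfg["auths"]:
        return "auths"
    return cfg.get("credsStore")


def uncovered_gar_hosts(cfg: Dict, image_refs: List[str]) -> List[str]:
    """List Artifact Registry hosts used by the images but lacking credentials."""
    missing = []
    for ref in image_refs:
        host = registry_host(ref)
        if GAR_HOST_RE.match(host) and helper_for(cfg, ref) is None and host not in missing:
            missing.append(host)
    return missing


if __name__ == "__main__":
    config = load_dockercfg(SAMPLE_DOCKERCFG)
    for ref in SAMPLE_IMAGES:
        print(f"{ref:70s} -> {helper_for(config, ref)}")
    gaps = uncovered_gar_hosts(config, SAMPLE_IMAGES)
    print("GAR hosts with no credential helper:", gaps or "none")
```

Run against a real dockercfg.json and the images reported by the cluster, the gap list is exactly the set of "<location>-docker.pkg.dev" keys that still need to be added under credHelpers; a helper entry alone is still not sufficient, since the Workload Identity service account must also hold the Artifact Registry Reader role as the note above states.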

kat1906 commented 1 year ago

Hi @jdomeracki , thank you very much for raising this issue. I have added this item to our triage backlog and brought it to the team's attention.

Of course, we're more than willing to accept PRs if this is something you might be interested in assisting with, but rest assured we're going to look into this! 😄

ivanstanev commented 1 year ago

Hey @jdomeracki did you need to add any additional steps e.g. add a label or annotation to the ServiceAccount of the snyk-monitor, so that it is provisioned with the correct workload identity?