feat: Provide credentials in imagePullSecret without global access
Description
When running a cluster that contains images from a private registry, one needs to configure authentication. This is done by using Kubernetes ImagePullSecrets. By default, the trivy-operator is able to read the secrets attached to a target workload and use them to access the container registry.
While this is necessary when working with different registries inside the cluster, this comes with one security downside: the operator needs access to all secrets inside the cluster.
If all images are being pulled from a single private registry then one ImagePullSecret can be used for all of them. The easiest one to use is inside the operator namespace (because the operator has access to secrets in its own namespace).
This change does not impact any deployments running with default settings (global access enabled). But in case one disables that access, this allows it to instead read a single ImagePullSecret and use it for all images.
Related issues
- Close #2158
Checklist
- [x] I've read the guidelines for contributing to this repository.
- [ ] I've added tests that prove my fix is effective or that my feature works.
- [ ] I've updated the documentation with the relevant information (if needed).
- [ ] I've added usage information (if the PR introduces new options)
- [ ] I've included a "before" and "after" example to the description (if the PR is a user interface change).
Hey, this MR is not finished (and tests will fail for sure), but I wanted to get your opinion on my approach first - afterwards, I will try to add and fix the necessary tests.
```yaml
operator:
  # stop the operator from reading secrets and service accounts cluster-wide
  accessGlobalSecretsAndServiceAccount: false
  # namespace -> pull secret the operator may read and use for every image
  privateRegistryScanSecretsNames: {"trivy-operator":"internal-pullsecret"}
```
With this change the above configuration would allow the trivy-operator to pull all images inside the cluster that use the same private registry - while not having to grant it access to every secret in the entire cluster.
WDYT?
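As an added illustration of the single-registry caveat behind the configuration above (example code written here, not code from the trivy-operator project or from the PR author): a Go snippet that decodes the `.dockerconfigjson` payload of a `kubernetes.io/dockerconfigjson` pull secret, resolves the registry host of each image reference, and reports which images the operator would have no credentials for once it is restricted to that one secret instead of each workload's own imagePullSecrets. The secret payload and image list are constructed samples; `ParsePullSecret`, `RegistryOf` and `Uncovered` are names chosen for this example. The payload layout (an `auths` map keyed by registry, with a base64 `user:password` in `auth`) is the standard docker config format, not something this PR defines.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// dockerConfig mirrors the JSON stored under the ".dockerconfigjson" key of a
// kubernetes.io/dockerconfigjson Secret.
type dockerConfig struct {
	Auths map[string]struct {
		Auth string `json:"auth"` // base64("user:password")
	} `json:"auths"`
}

// Credential is a decoded registry login.
type Credential struct {
	Username string
	Password string
}

// ParsePullSecret decodes the ".dockerconfigjson" payload into a map from
// registry host to credential.
func ParsePullSecret(dockerConfigJSON []byte) (map[string]Credential, error) {
	var cfg dockerConfig
	if err := json.Unmarshal(dockerConfigJSON, &cfg); err != nil {
		return nil, err
	}
	creds := make(map[string]Credential, len(cfg.Auths))
	for host, entry := range cfg.Auths {
		raw, err := base64.StdEncoding.DecodeString(entry.Auth)
		if err != nil {
			return nil, fmt.Errorf("registry %q: bad auth field: %w", host, err)
		}
		user, pass, found := strings.Cut(string(raw), ":")
		if !found {
			return nil, fmt.Errorf("registry %q: auth is not user:password", host)
		}
		creds[normalizeHost(host)] = Credential{Username: user, Password: pass}
	}
	return creds, nil
}

// normalizeHost strips a scheme and any trailing path so that
// "https://registry.example.com/v2/" and "registry.example.com" match.
func normalizeHost(h string) string {
	h = strings.TrimPrefix(h, "https://")
	h = strings.TrimPrefix(h, "http://")
	return strings.SplitN(h, "/", 2)[0]
}

// RegistryOf returns the registry host of an image reference, applying the
// Docker Hub default when the first path component is not a host.
func RegistryOf(image string) string {
	parts := strings.SplitN(image, "/", 2)
	if len(parts) == 1 {
		return "index.docker.io"
	}
	if strings.ContainsAny(parts[0], ".:") || parts[0] == "localhost" {
		return parts[0]
	}
	return "index.docker.io"
}

// Uncovered returns the images whose registry has no entry in creds, i.e. the
// images the operator could not authenticate for when it is limited to this
// single pull secret rather than the workloads' own imagePullSecrets.
func Uncovered(images []string, creds map[string]Credential) []string {
	var missing []string
	for _, img := range images {
		if _, ok := creds[RegistryOf(img)]; !ok {
			missing = append(missing, img)
		}
	}
	return missing
}

// SamplePullSecret is a constructed ".dockerconfigjson" payload, not a real
// credential; "auth" is base64("scanner:s3cret").
var SamplePullSecret = []byte(`{"auths":{"https://registry.internal.example.com/v2/":{"auth":"c2Nhbm5lcjpzM2NyZXQ="}}}`)

func main() {
	creds, err := ParsePullSecret(SamplePullSecret)
	if err != nil {
		panic(err)
	}
	images := []string{
		"registry.internal.example.com/team/api:1.4.2",
		"registry.internal.example.com:443/team/worker:2.0", // host:port differs, so the exact-host lookup misses it
		"nginx:1.25",
		"ghcr.io/example/tool:latest",
	}
	for _, img := range Uncovered(images, creds) {
		fmt.Println("no credentials for", img, "(registry "+RegistryOf(img)+")")
	}
}
```

Running it lists the Docker Hub, ghcr.io and host:port images as uncovered: with global access disabled, those workloads would need their images to live in the registry the single secret authenticates to, which is exactly the precondition the PR description states.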
@maltemorgenstern looks ok in general
Hey @chen-keinan, I finally found the time to finalize this PR - it's ready for review now.
FYI: I don't have much experience in Go - so any hints about styling or optimizations are welcome!
Hey @chen-keinan, just wanted to check in - what do you think about these changes? Thanks!
This PR is stale because it has been labeled with inactivity.
Hey, we would still like this to be merged. @chen-keinan do you mind giving it a review?
@afdesk could you take a look when you have a chance?
@maltemorgenstern thanks a lot for your contribution, and sorry for the really long delay on your PR.
Can we follow up on this job? Thanks
Hey @afdesk and @simar7, thanks for looking into this MR. I will try to rebase/update the branch in the next few days (just need to find some time) 👍
@maltemorgenstern great to hear it! thanks a lot for your contribution!
We (@simar7) have a concern about backward compatibility; please feel free to correct me.
Now globalAccessEnabled is disabled by default, right?
maybe should we keep it true by default?
@maltemorgenstern could you also rebase the PR with the main branch? thanks
@simar7 @maltemorgenstern I've updated this useful PR a bit. Could you take another look? Thanks