outdated
Option to validate against private registries
Is there any option to validate images that are coming from private registries?
@adamancini Because outdated runs as a kubectl plugin, it uses your local registry credentials. Private images will be scanned, if you are also logged in to the same registries from your workstation.
We could pull image pull secrets from the podSpec when we scan and use those credentials also/instead. I haven't thought through the feasibility or security implications of this, except to know that we need to think through the security implications before doing it.
Does docker login work for private images now? Or are you looking for a more automated solution that uses the cluster credentials?
I'm able to successfully log in to the private registry using docker login locally, but still no luck with validating images. I'm still getting "Unable to get image data".
- Validate local docker login
❯ docker login anecik8sinfrastructure.azurecr.io
Authenticating with existing credentials...
Login Succeeded
- Manually pull the image
❯ docker pull anecik8sinfrastructure.azurecr.io/net/hellotcp:v1.0.0
v1.0.0: Pulling from net/hellotcp
4f4fb700ef54: Pull complete
c6d5d55350d6: Pull complete
5ff22a2c5594: Pull complete
Digest: sha256:2231321833a45f430161d2baec56fc35a4e6f107aa5de8f4aa4363fc57963a5d
Status: Downloaded newer image for anecik8sinfrastructure.azurecr.io/net/hellotcp:v1.0.0
anecik8sinfrastructure.azurecr.io/net/hellotcp:v1.0.0
- Run outdated plugin
❯ kubectl outdated
Image Current Latest Behind
................................
anecik8sinfrastructure.azurecr.io/net/hellotcp v1.0.0 Unable to get image data
................................
On the other hand, I think it would be a more elegant way to get imagePullSecrets from the podSpec than running docker login. What security implications do you think can block such a feature?
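An added example, not part of the thread or of the plugin's code: a tool that relies on local registry credentials has to resolve them the way the docker CLI does, where a login can be stored inline under `auths` in `~/.docker/config.json` or delegated to a credential helper (`credHelpers`, `credsStore`). The sketch below reports which of those holds the credential for an image's registry without ever printing the secret; the sample configs and the `example-user` account are constructed.

```python
import base64

DEFAULT_REGISTRY = "index.docker.io"

def registry_host(image: str) -> str:
    """Registry host of an image reference; Docker Hub when none is given."""
    first, sep, _ = image.partition("/")
    # The first path component is a registry only if it looks like a host.
    if sep and ("." in first or ":" in first or first == "localhost"):
        return first
    return DEFAULT_REGISTRY

def _auths_host(key: str) -> str:
    # auths keys are bare hosts or URLs such as https://index.docker.io/v1/
    return key.split("://", 1)[-1].split("/", 1)[0]

def credential_source(config: dict, image: str) -> dict:
    """Say where docker keeps the credential for this image's registry."""
    host = registry_host(image)
    auths = {_auths_host(k): v for k, v in config.get("auths", {}).items()}
    result = {"registry": host, "logged_in": host in auths}
    # Same precedence as the docker CLI: per-registry helper, global store, file.
    helper = config.get("credHelpers", {}).get(host) or config.get("credsStore")
    if helper:
        # The secret lives outside config.json (docker-credential-<helper>).
        return {**result, "source": "helper", "helper": helper}
    entry = auths.get(host, {})
    if entry.get("auth"):
        user = base64.b64decode(entry["auth"]).decode().split(":", 1)[0]
        return {**result, "source": "inline", "username": user}
    return {**result, "source": "none"}

# Constructed sample data; the image name is the one used in the thread.
IMAGE = "anecik8sinfrastructure.azurecr.io/net/hellotcp:v1.0.0"
HELPER_CONFIG = {
    "credsStore": "desktop",
    "auths": {"anecik8sinfrastructure.azurecr.io": {}},
}
INLINE_CONFIG = {
    "auths": {"anecik8sinfrastructure.azurecr.io": {
        "auth": base64.b64encode(b"example-user:example-pass").decode()}},
}

if __name__ == "__main__":
    for cfg in (HELPER_CONFIG, INLINE_CONFIG, {}):
        print(credential_source(cfg, IMAGE))
```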