Managed Registries

Amazon Elastic Container Registry (ECR)

You must create an IAM OIDC identity provider for your cluster:

eksctl utils associate-iam-oidc-provider \
  --cluster <cluster_name> \
  --approve

Override the existing trivy-operator service account and attach the IAM policy to grant it permission to pull images from the ECR:

eksctl create iamserviceaccount \
  --name trivy-operator \
  --namespace trivy-system \
  --cluster <cluster_name> \
  --attach-policy-arn arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly \
  --approve \
  --override-existing-serviceaccounts

Azure Container Registry (ACR)

Before you can start, you need to install aad-pod-identity inside your cluster. See the installation instructions: https://azure.github.io/aad-pod-identity/docs/getting-started/installation/

Create a managed identity and assign the permission to the ACR.

export IDENTITY_NAME=trivy-operator-identity
export AZURE_RESOURCE_GROUP=<my_resource_group>
export AZURE_LOCATION=westeurope
export ACR_NAME=<my_azure_container_registry>

az identity create --name ${IDENTITY_NAME} --resource-group ${AZURE_RESOURCE_GROUP} --location ${AZURE_LOCATION}

export IDENTITY_ID=$(az identity show --name ${IDENTITY_NAME} --resource-group ${AZURE_RESOURCE_GROUP} --query id -o tsv)
export IDENTITY_CLIENT_ID=$(az identity show --name ${IDENTITY_NAME} --resource-group ${AZURE_RESOURCE_GROUP} --query clientId -o tsv)
export ACR_ID=$(az acr show --name ${ACR_NAME} --query id -o tsv)

az role assignment create --assignee ${IDENTITY_CLIENT_ID} --role 'AcrPull' --scope ${ACR_ID}

Create an AzureIdentity and an AzureIdentityBinding resource inside your Kubernetes cluster:

apiVersion: aadpodidentity.k8s.io/v1
kind: AzureIdentity
metadata:
  name: trivy-identity
  namespace: trivy-system
spec:
  # clientID is the client ID of the managed identity (IDENTITY_CLIENT_ID above),
  # resourceID is its ARM resource ID (IDENTITY_ID above).
  clientID: ${IDENTITY_CLIENT_ID}
  resourceID: ${IDENTITY_ID}
  type: 0
---
apiVersion: aadpodidentity.k8s.io/v1
kind: AzureIdentityBinding
metadata:
  name: trivy-id-binding
  namespace: trivy-system
spec:
  # references the AzureIdentity object above, not the Azure managed identity name
  azureIdentity: trivy-identity
  selector: trivy-operator-label

Add scanJob.podTemplateLabels to the Trivy Operator config map; the aadpodidbinding value must match the AzureIdentityBinding selector.

kubectl -n trivy-system edit cm trivy-operator
# Insert scanJob.podTemplateLabels: aadpodidbinding=trivy-operator-label in data block

# validate
kubectl -n trivy-system get cm trivy-operator -o jsonpath='{.data.scanJob\.podTemplateLabels}'
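The three objects above only work together when the AzureIdentity IDs are in the right fields, the binding names the AzureIdentity object, and the config map label equals the binding selector. The following check is an added example, not code from the Trivy Operator project; the manifests in it are constructed sample input shaped like `kubectl get ... -o json` output, and the IDs are placeholders.

```python
"""Consistency checks for the aad-pod-identity wiring around trivy-operator.

AzureIdentity -> AzureIdentityBinding -> scanJob.podTemplateLabels must agree.
Sample objects below are constructed; the GUID and resource ID are placeholders.
"""
import re

GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
MSI_RE = re.compile(r"^/subscriptions/[^/]+/resourceGroups/[^/]+/providers/"
                    r"Microsoft\.ManagedIdentity/userAssignedIdentities/[^/]+$", re.I)

IDENTITY = {"metadata": {"name": "trivy-identity", "namespace": "trivy-system"},
            "spec": {"clientID": "11111111-2222-3333-4444-555555555555",
                     "resourceID": "/subscriptions/00000000-0000-0000-0000-000000000000/"
                                   "resourceGroups/my-rg/providers/Microsoft.ManagedIdentity/"
                                   "userAssignedIdentities/trivy-operator-identity",
                     "type": 0}}
BINDING = {"metadata": {"name": "trivy-id-binding", "namespace": "trivy-system"},
           "spec": {"azureIdentity": "trivy-identity", "selector": "trivy-operator-label"}}
CONFIGMAP = {"data": {"scanJob.podTemplateLabels": "aadpodidbinding=trivy-operator-label"}}


def check_wiring(identity, binding, configmap):
    """Return a list of findings; an empty list means scan-job pods will get the identity."""
    findings = []
    spec = identity.get("spec", {})
    if not GUID_RE.match(str(spec.get("clientID", ""))):
        findings.append("AzureIdentity.spec.clientID is not a client GUID (clientID/resourceID swapped?)")
    if not MSI_RE.match(str(spec.get("resourceID", ""))):
        findings.append("AzureIdentity.spec.resourceID is not a user-assigned identity resource ID")
    if spec.get("type") != 0:
        findings.append("AzureIdentity.spec.type must be 0 for a user-assigned managed identity")

    bspec = binding.get("spec", {})
    if bspec.get("azureIdentity") != identity["metadata"].get("name"):
        findings.append("AzureIdentityBinding.spec.azureIdentity must name the AzureIdentity object, "
                        "not the Azure managed identity")
    if binding["metadata"].get("namespace") != identity["metadata"].get("namespace"):
        findings.append("AzureIdentity and AzureIdentityBinding must be in the same namespace")

    # trivy-operator stores pod template labels as a comma-separated key=value list.
    raw = configmap.get("data", {}).get("scanJob.podTemplateLabels", "")
    labels = dict(kv.split("=", 1) for kv in raw.split(",") if "=" in kv)
    if labels.get("aadpodidbinding") != bspec.get("selector"):
        findings.append("scanJob.podTemplateLabels aadpodidbinding must equal the binding selector")
    return findings


if __name__ == "__main__":
    for finding in check_wiring(IDENTITY, BINDING, CONFIGMAP) or ["wiring OK"]:
        print(finding)
```

Feed it the live objects (for example via `kubectl get azureidentity,azureidentitybinding,cm -n trivy-system -o json`) to catch the swapped-ID and wrong-name mistakes before scan jobs start failing to pull.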

Google Container Registry (GCR)

Create an IAM service account for your application or use an existing IAM service account instead. You can use any IAM service account in any project in your organization. For Config Connector, apply the IAMServiceAccount object for your selected service account.

apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMServiceAccount
metadata:
  name: trivy-operator-gsa
spec:
  displayName: trivy-operator-google-service-account

Ensure that your IAM service account has the roles you need. You can grant additional roles using the following command:

gcloud projects add-iam-policy-binding <PROJECT_ID> \
    --member "serviceAccount:trivy-operator-gsa@<GSA_PROJECT>.iam.gserviceaccount.com" \
    --role <ROLE_NAME>

Allow the Kubernetes service account to impersonate the IAM service account by adding an IAM policy binding between the two service accounts. This binding allows the Kubernetes service account to act as the IAM service account.

gcloud iam service-accounts add-iam-policy-binding trivy-operator-gsa@<GSA_PROJECT>.iam.gserviceaccount.com \
    --role roles/iam.workloadIdentityUser \
    --member "serviceAccount:<PROJECT_ID>.svc.id.goog[trivy-system/trivy-operator]"

Annotate the Kubernetes service account with the email address of the IAM service account.

apiVersion: v1
kind: ServiceAccount
metadata:
  annotations:
    iam.gke.io/gcp-service-account: trivy-operator-gsa@<GSA_PROJECT>.iam.gserviceaccount.com
  name: trivy-operator
  namespace: trivy-system

Update your Pod spec to schedule the workloads on nodes that use Workload Identity and to use the annotated Kubernetes service account.

spec:
  serviceAccountName: trivy-operator
  nodeSelector:
    iam.gke.io/gke-metadata-server-enabled: "true"

Replace the following:

  • PROJECT_ID: your Google Cloud project ID.
  • GSA_PROJECT: the project ID of the Google Cloud project of your IAM service account.
  • ROLE_NAME: the IAM role to assign to your service account, like roles/spanner.viewer.

Reference: Use Workload Identity