Managed Registries
Amazon Elastic Container Registry (ECR)
You must create an IAM OIDC identity provider for your cluster:
eksctl utils associate-iam-oidc-provider \
--cluster <cluster_name> \
--approve
Override the existing trivy-operator service account and attach the IAM policy that grants it permission to pull images from ECR:
eksctl create iamserviceaccount \
--name trivy-operator \
--namespace trivy-system \
--cluster <cluster_name> \
--attach-policy-arn arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly \
--approve \
--override-existing-serviceaccounts
Azure Container Registry (ACR) - Workload Identity support
Make sure the following is set up before using the operator: the user steps to set up an AKS cluster and delegate it access to a specific private ACR. The official steps for setting up Workload Identity on AKS are in the Azure documentation.
- Managed clusters or self-managed clusters installed, see docs
- Mutating admission webhook installed, see docs
- Update the trivy-operator service account to include the workload identity annotations and labels (replace clientID and tenantID with your own values). Example:
apiVersion: v1
kind: ServiceAccount
metadata:
  name: trivy-operator
  namespace: trivy-system
  labels:
    app.kubernetes.io/name: trivy-operator
    app.kubernetes.io/instance: trivy-operator
    app.kubernetes.io/version: "0.16.3"
    app.kubernetes.io/managed-by: kubectl
    azure.workload.identity/use: "true"
  annotations:
    azure.workload.identity/client-id: "client-id"
    azure.workload.identity/tenant-id: "tenant-id"
- Add the following label to podTemplateLabels in the Helm values, so that the scan-job pods are also bound to the workload identity:
  scanJob.podTemplateLabels=azure.workload.identity/use=true
Google Container Registry (GCR)
Create an IAM service account for your application or use an existing IAM service account instead. You can use any IAM service account in any project in your organization. For Config Connector, apply the IAMServiceAccount object for your selected service account.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMServiceAccount
metadata:
  name: trivy-operator-gsa
spec:
  displayName: trivy-operator-google-service-account
Ensure that your IAM service account has the roles you need. You can grant additional roles using the following command:
gcloud projects add-iam-policy-binding <PROJECT_ID> \
--member "serviceAccount:trivy-operator-gsa@<GSA_PROJECT>.iam.gserviceaccount.com" \
--role <ROLE_NAME>
Allow the Kubernetes service account to impersonate the IAM service account by adding an IAM policy binding between the two service accounts. This binding allows the Kubernetes service account to act as the IAM service account.
gcloud iam service-accounts add-iam-policy-binding trivy-operator-gsa@<GSA_PROJECT>.iam.gserviceaccount.com \
--role roles/iam.workloadIdentityUser \
--member "serviceAccount:<PROJECT_ID>.svc.id.goog[trivy-system/trivy-operator]"
Annotate the Kubernetes service account with the email address of the IAM service account.
apiVersion: v1
kind: ServiceAccount
metadata:
  annotations:
    iam.gke.io/gcp-service-account: trivy-operator-gsa@<GSA_PROJECT>.iam.gserviceaccount.com
  name: trivy-operator
  namespace: trivy-system
Update your Pod spec to schedule the workloads on nodes that use Workload Identity and to use the annotated Kubernetes service account.
spec:
  serviceAccountName: trivy-operator
  nodeSelector:
    iam.gke.io/gke-metadata-server-enabled: "true"
Replace the following:
- PROJECT_ID: your Google Cloud project ID.
- GSA_PROJECT: the project ID of the Google Cloud project of your IAM service account.
- ROLE_NAME: the IAM role to assign to your service account, like roles/spanner.viewer.
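The three setups above all hinge on a small set of labels and annotations on the trivy-operator service account (and, for GKE, on the pod spec); the mistakes that silently leave scan jobs without registry access are a placeholder left in place, a label missing from the scan-job pods, or a pod spec that names a different service account. The following preflight checker is an added example written for this page, not code from trivy-operator or from any cloud provider's tooling. It assumes the manifests have already been loaded into Python dictionaries (for instance from kubectl -o json), and the format rules it applies (eks.amazonaws.com/role-arn, which eksctl writes on the service account, must be an IAM role ARN; the Azure client and tenant IDs must be GUIDs; the GKE annotation must be a service-account email) are this example's own sanity checks. The sample manifests at the bottom are constructed for illustration.

```python
import re

# Format rules used by this example (assumptions, not rules enforced by trivy-operator).
AWS_ROLE_ARN = re.compile(r"^arn:aws:iam::\d{12}:role/[\w+=,.@/-]+$")
AZURE_GUID = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
GCP_GSA_EMAIL = re.compile(
    r"^[a-z][a-z0-9-]{5,29}@[a-z][a-z0-9-]{4,28}[a-z0-9]\.iam\.gserviceaccount\.com$"
)


def _meta(sa):
    """Return (labels, annotations) of a ServiceAccount manifest, tolerating missing maps."""
    meta = sa.get("metadata", {})
    return meta.get("labels") or {}, meta.get("annotations") or {}


def check_eks(sa):
    """EKS: eksctl create iamserviceaccount records the role in eks.amazonaws.com/role-arn.
    Without it the scan jobs fall back to the node's credentials, which usually cannot pull from ECR."""
    _, ann = _meta(sa)
    arn = ann.get("eks.amazonaws.com/role-arn", "")
    if not arn:
        return ["missing annotation eks.amazonaws.com/role-arn (run eksctl create iamserviceaccount)"]
    if not AWS_ROLE_ARN.match(arn):
        return [f"eks.amazonaws.com/role-arn is not an IAM role ARN: {arn!r}"]
    return []


def check_aks(sa, scan_job_pod_labels):
    """AKS Workload Identity: label on the service account, GUIDs in the annotations,
    and the same label on the scan-job pod template (scanJob.podTemplateLabels)."""
    labels, ann = _meta(sa)
    findings = []
    if labels.get("azure.workload.identity/use") != "true":
        findings.append('service account label azure.workload.identity/use must be "true"')
    for key in ("azure.workload.identity/client-id", "azure.workload.identity/tenant-id"):
        val = ann.get(key, "")
        if not AZURE_GUID.match(val):
            findings.append(f"{key} is not a GUID (placeholder left in?): {val!r}")
    if scan_job_pod_labels.get("azure.workload.identity/use") != "true":
        findings.append("scan-job pods lack label azure.workload.identity/use=true (set scanJob.podTemplateLabels)")
    return findings


def check_gke(sa, pod_spec):
    """GKE Workload Identity: GSA email annotation, pod bound to that Kubernetes service
    account, and scheduling restricted to nodes running the GKE metadata server."""
    _, ann = _meta(sa)
    findings = []
    gsa = ann.get("iam.gke.io/gcp-service-account", "")
    if not GCP_GSA_EMAIL.match(gsa):
        findings.append(f"iam.gke.io/gcp-service-account is not a service-account email: {gsa!r}")
    sa_name = sa.get("metadata", {}).get("name")
    pod_sa = pod_spec.get("serviceAccountName")
    if pod_sa != sa_name:
        findings.append(f"pod serviceAccountName {pod_sa!r} does not match service account {sa_name!r}")
    if pod_spec.get("nodeSelector", {}).get("iam.gke.io/gke-metadata-server-enabled") != "true":
        findings.append('nodeSelector iam.gke.io/gke-metadata-server-enabled must be "true"')
    return findings


# Constructed sample manifests (not real identities): one correct and one flawed per cloud.
EKS_SA_OK = {"metadata": {"name": "trivy-operator", "namespace": "trivy-system",
             "annotations": {"eks.amazonaws.com/role-arn": "arn:aws:iam::123456789012:role/eksctl-trivy-operator"}}}
EKS_SA_BAD = {"metadata": {"name": "trivy-operator", "namespace": "trivy-system"}}

AKS_SA_OK = {"metadata": {"name": "trivy-operator", "namespace": "trivy-system",
             "labels": {"azure.workload.identity/use": "true"},
             "annotations": {"azure.workload.identity/client-id": "11111111-2222-3333-4444-555555555555",
                             "azure.workload.identity/tenant-id": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"}}}
AKS_SA_PLACEHOLDER = {"metadata": {"name": "trivy-operator", "namespace": "trivy-system",
                      "labels": {"azure.workload.identity/use": "true"},
                      "annotations": {"azure.workload.identity/client-id": "client-id",
                                      "azure.workload.identity/tenant-id": "tenant-id"}}}
AKS_POD_LABELS_OK = {"azure.workload.identity/use": "true"}

GKE_SA_OK = {"metadata": {"name": "trivy-operator", "namespace": "trivy-system",
             "annotations": {"iam.gke.io/gcp-service-account": "trivy-operator-gsa@example-project-1234.iam.gserviceaccount.com"}}}
GKE_POD_OK = {"serviceAccountName": "trivy-operator",
              "nodeSelector": {"iam.gke.io/gke-metadata-server-enabled": "true"}}
GKE_POD_WRONG_SA = {"serviceAccountName": "trivy-operator-service",
                    "nodeSelector": {"iam.gke.io/gke-metadata-server-enabled": "true"}}


def preflight():
    """Run every check on the samples and return findings keyed by scenario."""
    return {
        "eks-ok": check_eks(EKS_SA_OK),
        "eks-missing-role": check_eks(EKS_SA_BAD),
        "aks-ok": check_aks(AKS_SA_OK, AKS_POD_LABELS_OK),
        "aks-placeholders": check_aks(AKS_SA_PLACEHOLDER, {}),
        "gke-ok": check_gke(GKE_SA_OK, GKE_POD_OK),
        "gke-wrong-sa": check_gke(GKE_SA_OK, GKE_POD_WRONG_SA),
    }


if __name__ == "__main__":
    for scenario, findings in preflight().items():
        print(scenario, "->", findings or "OK")
```

Running the script prints one line per scenario; the flawed variants reproduce the failure modes worth checking before the first scan job runs: no role annotation on EKS, the literal "client-id"/"tenant-id" placeholders plus a missing scan-job label on AKS, and a pod spec bound to a service account other than the one carrying the GKE annotation.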