Skip to content

Managed Registries

Amazon Elastic Container Registry (ECR)

You must create an IAM OIDC identity provider for your cluster:

eksctl utils associate-iam-oidc-provider \
  --cluster <cluster_name> \
  --approve

Override the existing trivy-operator service account and attach the IAM policy to grant it permission to pull images from the ECR:

eksctl create iamserviceaccount \
  --name trivy-operator \
  --namespace trivy-system \
  --cluster <cluster_name> \
  --attach-policy-arn arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly \
  --approve \
  --override-existing-serviceaccounts

Azure Container Registry (ACR) - Workload Identity support

Please make sure the following is set up before using operator User steps to setup an AKS cluster and delegate access to specific private ACR The official steps for setting up Workload Identity on AKS can be found here.

  • Managed clusters or self-managed clusters installed, see docs
  • Mutating admission webhook installed, see docs

  • update trivy-operator service accout to include workload identity annotation and lables (update clientID and tenantID), Example:

apiVersion: v1
kind: ServiceAccount
metadata:
  name: trivy-operator
  namespace: trivy-system
  labels:
    app.kubernetes.io/name: trivy-operator
    app.kubernetes.io/instance: trivy-operator
    app.kubernetes.io/version: "0.16.3"
    app.kubernetes.io/managed-by: kubectl
    azure.workload.identity/use: "true"
  annotations:
    azure.workload.identity/client-id: "client-id"
    azure.workload.identity/tenant-id: "tenant-id"
  • Add the following label to podTemplateLabels in helm settings : scanJob.podTemplateLabels=azure.workload.identity/use=true

Google Container Registry (GCR)

Create an IAM service account for your application or use an existing IAM service account instead. You can use any IAM service account in any project in your organization. For Config Connector, apply the IAMServiceAccount object for your selected service account.

apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMServiceAccount
metadata:
  name: trivy-operator-gsa
spec:
  displayName: trivy-operator-google-service-account

Ensure that your IAM service account has the roles you need. You can grant additional roles using the following command:

gcloud projects add-iam-policy-binding <PROJECT_ID> \
    --member "serviceAccount: trivy-operator-gsa@<GSA_PROJECT>.iam.gserviceaccount.com" \
    --role <ROLE_NAME>

Allow the Kubernetes service account to impersonate the IAM service account by adding an IAM policy binding between the two service accounts. This binding allows the Kubernetes service account to act as the IAM service account.

gcloud iam service-accounts add-iam-policy-binding  trivy-operator-gsa@<GSA_PROJECT>.iam.gserviceaccount.com \
    --role roles/iam.workloadIdentityUser \
    --member "serviceAccount:<PROJECT_ID>.svc.id.goog[trivy-system/trivy-operator]"

Annotate the Kubernetes service account with the email address of the IAM service account.

apiVersion: v1
kind: ServiceAccount
metadata:
  annotations:
    iam.gke.io/gcp-service-account: trivy-operator-gsa@<PROJECT_ID>.iam.gserviceaccount.com
  name: trivy-operator
  namespace: trivy-system

Update your Pod spec to schedule the workloads on nodes that use Workload Identity and to use the annotated Kubernetes service account.

spec:
  serviceAccountName: trivy-operator-service
  nodeSelector:
    iam.gke.io/gke-metadata-server-enabled: "true"

Replace the following :

  • PROJECT_ID: your Google Cloud project ID.
  • GSA_PROJECT: the project ID of the Google Cloud project of your IAM service account.
  • ROLE_NAME: the IAM role to assign to your service account, like roles/spanner.viewer.

Use Workload Identity Referance