Sysdig Secure's registry scanning recently reached GA, so I tried it out right away. This post walks through the procedure for running a registry scan against Amazon Elastic Container Registry (ECR) in a single-account environment.
Reference documentation
Prerequisites
The registry-scanner that performs the registry scan runs as a container on Kubernetes, so a Kubernetes environment is required.
Creating the IAM User for the registry scan
If Elastic Kubernetes Service (EKS) and the registry are in the same account and registry-scanner is installed on AWS EKS, creating an IAM User is not necessary. EKS already attaches the AmazonEC2ContainerRegistryReadOnly policy to the default nodes-eks-node-group-* role, so no special credentials need to be configured.
Otherwise, create the IAM User and assign it the following permissions.
ecr:GetAuthorizationToken
ecr:BatchCheckLayerAvailability
ecr:GetDownloadUrlForLayer
ecr:GetRepositoryPolicy
ecr:DescribeRepositories
ecr:ListImages
ecr:DescribeImages
ecr:BatchGetImage
ecr:GetLifecyclePolicy
ecr:GetLifecyclePolicyPreview
ecr:ListTagsForResource
ecr:DescribeImageScanFindings
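As an added example (not from the original post), the following script emits a least-privilege IAM policy document that contains exactly the read-only ECR actions listed above, so the scanner's IAM User gets nothing more than it needs. ecr:GetAuthorizationToken does not support resource-level permissions and therefore needs Resource "*"; the remaining actions are scoped to the repositories of one region and account. The region, account ID and output file name used at the bottom are constructed placeholders, and the two check functions are this example's own sanity checks, not part of the registry-scanner setup.

```shell
#!/bin/sh
# Added example, not from the original post: generate a least-privilege IAM
# policy for the registry-scanner IAM User from the required ECR actions.
# Assumptions: region and account ID are supplied by the caller (the values
# used at the bottom are constructed placeholders).
set -eu

# Print the policy JSON to stdout. $1 = AWS region, $2 = AWS account ID.
ecr_scan_policy() {
  region="$1"
  account="$2"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "EcrAuthToken",
      "Effect": "Allow",
      "Action": "ecr:GetAuthorizationToken",
      "Resource": "*"
    },
    {
      "Sid": "EcrReadOnlyRepositories",
      "Effect": "Allow",
      "Action": [
        "ecr:BatchCheckLayerAvailability",
        "ecr:GetDownloadUrlForLayer",
        "ecr:GetRepositoryPolicy",
        "ecr:DescribeRepositories",
        "ecr:ListImages",
        "ecr:DescribeImages",
        "ecr:BatchGetImage",
        "ecr:GetLifecyclePolicy",
        "ecr:GetLifecyclePolicyPreview",
        "ecr:ListTagsForResource",
        "ecr:DescribeImageScanFindings"
      ],
      "Resource": "arn:aws:ecr:${region}:${account}:repository/*"
    }
  ]
}
EOF
}

# Count the distinct ecr: actions in a policy document read from stdin; used to
# check the document against the list of required permissions (12 actions).
count_ecr_actions() {
  grep -o '"ecr:[A-Za-z]*"' | sort -u | wc -l | tr -d ' '
}

# Succeed (exit 0) if the document read from stdin grants any ECR write action.
# A scanner only needs to read, so a policy that matches here is too broad.
has_write_actions() {
  grep -Eq '"ecr:(Put|Delete|Create|Upload|Complete|Initiate|Set|Tag|Untag|Start|BatchDelete)[A-Za-z]*"'
}

# Usage with constructed placeholder values:
ecr_scan_policy ap-northeast-1 123456789012 > registry-scanner-policy.json
# Attach it to the scanner's IAM User, e.g.:
#   aws iam put-user-policy --user-name registry-scanner \
#     --policy-name EcrRegistryScanReadOnly \
#     --policy-document file://registry-scanner-policy.json
```

Splitting the policy into two statements is what lets the repository-level actions be narrowed to one region and account; if you want to limit the scan to specific repositories, replace `repository/*` with the repository names.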
Installing registry-scanner with Helm
Install registry-scanner into the Kubernetes environment with the following commands.
The value of SYSDIG_SECURE_URL depends on the Sysdig SaaS region you use. See the documentation below.
https://docs.sysdig.com/en/docs/administration/saas-regions-and-ip-ranges/
helm repo add sysdig https://charts.sysdig.com
helm repo update
helm upgrade --install registry-scanner sysdig/registry-scanner --version=1 \
--set config.secureBaseURL=<SYSDIG_SECURE_URL> \
--set config.secureAPIToken=<SYSDIG_SECURE_API_TOKEN> \
--set config.registryType=ecr \
--set config.registryURL=<AWS_REGISTRY_URL> \
--set config.aws.region=<AWS_REGION> \
--set config.aws.accessKeyId=<AWS_ACCESS_KEY_ID> \
--set config.aws.secretAccessKey=<AWS_SECRET_ACCESS_KEY>
For AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY, specify the Access Key and Secret Access Key of the IAM User created earlier for registry scanning (not needed when Elastic Kubernetes Service (EKS) and the registry are in the same account and registry-scanner is installed on AWS EKS).
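As an added example (not from the original post), the script below writes the same settings to a Helm values file built from environment variables, so that the Sysdig API token and the AWS secret key are not passed on the command line with --set, where they would end up in shell history and process listings. The keys mirror the --set flags above (config.secureBaseURL, config.aws.accessKeyId, and so on); the environment variable names, the output path and the placeholder values at the bottom are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post: build a Helm values file for the
# sysdig/registry-scanner chart from environment variables instead of --set.
# Assumptions: the variable names and output path are this example's own.
set -eu

# Write the values file to $1 with owner-only permissions.
# Required: SYSDIG_SECURE_URL SYSDIG_SECURE_API_TOKEN AWS_REGISTRY_URL AWS_REGION
# Optional: AWS_ACCESS_KEY_ID + AWS_SECRET_ACCESS_KEY (leave both empty when the
# scanner runs on EKS in the same account as the registry; the node role is used).
write_registry_scanner_values() {
  out="$1"
  for v in SYSDIG_SECURE_URL SYSDIG_SECURE_API_TOKEN AWS_REGISTRY_URL AWS_REGION; do
    eval "val=\${$v:-}"
    [ -n "$val" ] || { echo "missing required variable: $v" >&2; return 1; }
  done
  if [ -n "${AWS_ACCESS_KEY_ID:-}" ] && [ -z "${AWS_SECRET_ACCESS_KEY:-}" ]; then
    echo "AWS_SECRET_ACCESS_KEY must be set together with AWS_ACCESS_KEY_ID" >&2
    return 1
  fi
  (
    umask 077   # the file holds secrets: create it as mode 600
    {
      echo "config:"
      echo "  secureBaseURL: \"$SYSDIG_SECURE_URL\""
      echo "  secureAPIToken: \"$SYSDIG_SECURE_API_TOKEN\""
      echo "  registryType: ecr"
      echo "  registryURL: \"$AWS_REGISTRY_URL\""
      echo "  aws:"
      echo "    region: \"$AWS_REGION\""
      if [ -n "${AWS_ACCESS_KEY_ID:-}" ]; then
        echo "    accessKeyId: \"$AWS_ACCESS_KEY_ID\""
        echo "    secretAccessKey: \"$AWS_SECRET_ACCESS_KEY\""
      fi
    } > "$out"
  )
}

# Usage with constructed placeholder values (real values come from your secret store).
# The AWS keys are left empty here: the EKS same-account case, where the node role is used.
SYSDIG_SECURE_URL="https://app.us4.sysdig.com"
SYSDIG_SECURE_API_TOKEN="placeholder-api-token"
AWS_REGISTRY_URL="123456789012.dkr.ecr.ap-northeast-1.amazonaws.com"
AWS_REGION="ap-northeast-1"
AWS_ACCESS_KEY_ID=""
AWS_SECRET_ACCESS_KEY=""
VALUES_FILE="${TMPDIR:-/tmp}/registry-scanner-values.yaml"
write_registry_scanner_values "$VALUES_FILE"
# Then install with the file instead of --set:
#   helm upgrade --install registry-scanner sysdig/registry-scanner --version=1 -f "$VALUES_FILE"
```

Delete the values file once the release is installed; Helm keeps the rendered values in the release secret in the cluster, so the file is not needed afterwards.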
Release "registry-scanner" does not exist. Installing it now.
NAME: registry-scanner
LAST DEPLOYED: Thu Apr 27 08:39:58 2023
NAMESPACE: default
STATUS: deployed
REVISION: 1
TEST SUITE: None
NOTES:
# ============================================================================================
# Info: Chart version 1.0.4 has been installed with Registry Scanner 0.2.31.
#
# The chart version follows SemVer (https://semver.org/), you can pin
# the chart version with --version=1, --version=1.0, --version=1.0.0, etc.
# Using --version=1 will ensure that you get the latest 1.x.x version, but
# you don't get any breaking changes when updating.
#
# For more information, or you are still using the legacy scanning engine,
# please check the documentation:
# > https://docs.sysdig.com/en/docs/installation/container-registry-scanner/
# ============================================================================================
#
# Cronjob 'registry-scanner' with schedule: "0 6 * * 6" has been created to perform a periodical scan.
# For troubleshooting, check the status of the jobs and logs of the 'registry-scanner' pods that are created on every execution.
#
Confirm with the following command that it has been registered as a CronJob.
kubectl get cronjob
By default it is registered to run the scan every Saturday at 06:00.
NAME SCHEDULE SUSPEND ACTIVE LAST SCHEDULE AGE
registry-scanner 0 6 * * 6 False 0 <none> 88s
Running a registry scan manually
To run the registry scan manually, execute the following command.
kubectl create job --from=cronjob/registry-scanner registry-scanner-manual-test
Check the registry-scanner Pod that was started.
kubectl get pod
NAME READY STATUS RESTARTS AGE
registry-scanner-manual-test-s2xhz 0/1 Completed 0 41s
registry-scanner-worker-dd42x-1-mk8gj 0/1 Completed 0 33s
Check the Pod's logs.
kubectl logs registry-scanner-manual-test-s2xhz
{"level":"info","component":"main","time":"2023-04-27T08:43:57Z","message":"Starting registry-scanner version v0.2.31-2023-04-19T17:09:54Z"}
{"level":"info","component":"config","time":"2023-04-27T08:43:57Z","message":"reading config from: /config.yaml"}
{"level":"info","component":"main","time":"2023-04-27T08:43:57Z","message":"################## configuration ######################"}
{"level":"info","component":"main","time":"2023-04-27T08:43:57Z","message":"Sysdig secure config, Secure URL: https://app.us4.sysdig.com"}
{"level":"info","component":"main","time":"2023-04-27T08:43:57Z","message":"scanner config, with workers: 5"}
{"level":"info","component":"init-newvmscanner-k8s-job","time":"2023-04-27T08:43:57Z","message":"Creating new vulnerability-management scanner (K8s job)"}
{"level":"info","component":"init-newvmscanner-k8s-job","time":"2023-04-27T08:43:57Z","message":"Scanner Options: map[jobs:map[resources:map[limits:map[memory:2Gi] requests:map[cpu:500m memory:500Mi]] serviceaccountname:registry-scanner temporaryvolumesizelimit:2Gi ttlsecondsafterfinished:600] k8sincluster:true labels:map[] namespace:default runner:new-vm-scanner-k8s-job securitycontext:map[] workers:5] "}
{"level":"info","component":"factory","time":"2023-04-27T08:43:57Z","message":"credentials provider type: 'ecr'"}
{"level":"info","component":"factory","time":"2023-04-27T08:43:57Z","message":"using AWS ECR default credentials"}
{"level":"info","component":"factory","time":"2023-04-27T08:43:57Z","message":"registry client type: 'ecr'"}
{"level":"info","component":"factory","time":"2023-04-27T08:43:57Z","message":"using AWS ECR single-account client"}
{"level":"info","component":"factory","time":"2023-04-27T08:43:57Z","message":"general filter, include: []"}
{"level":"info","component":"factory","time":"2023-04-27T08:43:57Z","message":"general filter, exclude: []"}
{"level":"info","component":"factory","time":"2023-04-27T08:43:57Z","message":"general filter, max age days: 90 "}
{"level":"info","component":"factory","time":"2023-04-27T08:43:57Z","message":"general filter, max tags per repository: 5"}
{"level":"info","component":"factory","time":"2023-04-27T08:43:57Z","message":"general filter, max repositories per registry: 500"}
{"level":"info","component":"report-builder","time":"2023-04-27T08:43:57Z","message":"############## metadata fetching phase #################"}
{"level":"info","component":"google-client","time":"2023-04-27T08:43:57Z","message":"Limiting to 500 repositories (filter.maxRepositoriesPerRegistry setting)"}
{"level":"info","component":"google-client","time":"2023-04-27T08:43:57Z","message":"found repositories: 2"}
{"level":"info","component":"google-client","time":"2023-04-27T08:43:57Z","message":"2/2, getting tags concurrently from repository yo-repo"}
{"level":"info","component":"google-client","time":"2023-04-27T08:43:57Z","message":"1/2, getting tags concurrently from repository cdk-hnb659fds-container-assets-487433680518-ap-northeast-1"}
{"level":"info","component":"repo-retriever-info-filler","time":"2023-04-27T08:43:57Z","message":"found 1 images"}
{"level":"info","component":"image-retriever-repos","time":"2023-04-27T08:43:57Z","message":"after filters were applied, 1 images are going to be scanned"}
{"level":"info","component":"report-builder","time":"2023-04-27T08:43:57Z","message":"################ scanning phase ######################"}
{"level":"info","component":"report-builder","time":"2023-04-27T08:43:57Z","message":"Creating registry report. Num. of workers: 5"}
{"level":"info","component":"report-builder","time":"2023-04-27T08:43:57Z","message":"Pending images: 1"}
{"level":"info","component":"report-builder","time":"2023-04-27T08:44:04Z","message":"<AWS_ACCOUNT_ID>.dkr.ecr.ap-northeast-1.amazonaws.com/yo-repo:latest, (job registry-scanner-worker-dd42x-1) scan completed with status: success"}
{"level":"info","component":"report-builder","time":"2023-04-27T08:44:04Z","message":"Registry image scan has finished. Total: 1 = Success: 1 + Failed: 0 + Skipped: 0"}
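Reading the log by eye is fine for a one-off test, but when the manual job is run from a pipeline you want a pass/fail result. As an added example (not from the original post), the script below turns the registry-scanner job log into such a check: it keys on the final "Registry image scan has finished. Total: ... = Success: ... + Failed: ... + Skipped: ..." summary line and on the per-image "scan completed with status:" lines shown above. The sample log embedded in it is constructed (same shape as the real output, with a second image whose scan failed), and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: check a registry-scanner job log
# for completion and failed image scans.
# Assumption: the JSON-lines log format shown in the post (one object per line,
# with the final summary line and per-image status lines).
set -eu

# Print "success failed skipped" taken from the last summary line of a log read
# on stdin. Prints nothing if there is no summary (e.g. the job died early).
scan_summary() {
  sed -n 's/.*Total: [0-9]* = Success: \([0-9]*\) + Failed: \([0-9]*\) + Skipped: \([0-9]*\).*/\1 \2 \3/p' | tail -n 1
}

# Exit 0 only when a summary is present and no image scan failed.
# Images skipped by the filters (max age, max tags) are reported, not fatal.
scan_ok() {
  summary="$(scan_summary)"
  [ -n "$summary" ] || return 1
  set -- $summary
  [ "$2" -eq 0 ]
}

# List the images whose scan status was anything other than "success".
failed_images() {
  sed -n 's/.*"message":"\([^,]*\), (job [^)]*) scan completed with status: \([a-z]*\)".*/\2 \1/p' \
    | grep -v '^success ' | cut -d' ' -f2- || true
}

# Constructed sample log: one successful image, one failed image, then the summary.
SAMPLE_LOG='{"level":"info","component":"report-builder","time":"2023-04-27T08:44:04Z","message":"123456789012.dkr.ecr.ap-northeast-1.amazonaws.com/yo-repo:latest, (job registry-scanner-worker-dd42x-1) scan completed with status: success"}
{"level":"info","component":"report-builder","time":"2023-04-27T08:44:09Z","message":"123456789012.dkr.ecr.ap-northeast-1.amazonaws.com/other-repo:v2, (job registry-scanner-worker-dd42x-2) scan completed with status: failed"}
{"level":"info","component":"report-builder","time":"2023-04-27T08:44:09Z","message":"Registry image scan has finished. Total: 2 = Success: 1 + Failed: 1 + Skipped: 0"}'

# Against a live cluster the input would come from the job itself, e.g.:
#   kubectl logs job/registry-scanner-manual-test | scan_ok || exit 1
# Here the check runs over the constructed sample instead.
printf '%s\n' "$SAMPLE_LOG" | scan_summary      # 1 1 0
printf '%s\n' "$SAMPLE_LOG" | failed_images     # the other-repo:v2 image
```

Treating a missing summary line as a failure matters as much as counting failed images: a job that was killed for exceeding its memory limit, or that could not reach the registry, produces no summary at all, and a check that only greps for "Failed: 0" would silently pass it.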
Checking the scan results in the Sysdig UI
Log in to the Sysdig UI and go to Vulnerabilities > Registry.
Confirm that the scan results for the images in the registry are displayed.
Cleanup
To uninstall registry-scanner, run the following commands.
kubectl delete job registry-scanner-manual-test
sudo helm uninstall registry-scanner
Summary
Using registry-scanner, I confirmed that a registry scan of Amazon ECR in a single-account environment can be run with very little setup.