Google Registry

Google Container Registry

Prerequisites

  • A Service Account within one of the projects is created.

  • The required roles of Project Viewer is assigned to that service account.

Install Registry Scanner

Run the Registry Scanner as follows:

$ helm repo add sysdig https://charts.sysdig.com
$ helm repo update
$ helm upgrade --install registry-scanner sysdig/registry-scanner --version=1 \
--set config.secureBaseURL=<SYSDIG_SECURE_URL> \
--set config.secureAPIToken=<SYSDIG_SECURE_API_TOKEN> \
--set config.registryType=gcr \
--set config.registryURL=<GCR_REGISTRY_URL> \
--set-file config.registryPassword=<GCR_SERVICE_ACCOUNT_KEY>
  • <GCR_SERVICE_ACCOUNT_KEY>: The path to an unencoded Service Account JSON access key.

    For example, sa-3b0c7dec5ea0.json

  • <GCR_REGISTRY_URL>: The Google Container Registry URL.

    For example, gcr.io or us.gcr.io

Google Artifact Registry

Prerequisites

  • A Service Account within one of the projects is created.

  • The required role Artifact Registry Reader is assigned to that service account.

Install Registry Scanner

You can set up the Registry Scanner either at the project level or the organization level.

$ helm repo add sysdig https://charts.sysdig.com
$ helm repo update
$ helm upgrade --install registry-scanner sysdig/registry-scanner --version=1 \
--set config.secureBaseURL=<SYSDIG_SECURE_URL> \
--set config.secureAPIToken=<SYSDIG_SECURE_API_TOKEN> \
--set config.registryType=gar \
--set config.registryURL=<GAR_REGISTRY_URL> \
--set config.registryPassword=<GAR_REGISTRY_PASSWORD>
  • <GAR_REGISTRY_PASSWORD>: Base64 encoded Service Account JSON access key.

    To encode JSON key file to base64, use the following command: --set config.registryPassword="$(cat <GAR_SA_FILE_NAME>.json | base64)"

  • <GAR_REGISTRY_URL>: Google Artifact Registry URL.

    For example, us-docker.pkg.dev

Create a Custom Role

If you prefer not to assign the Project Viewer role to the Service Account, you can create a custom role with restricted permissions. The Custom Role should include only the necessary permission, such as resourcemanager.projects.get. This permission allows the Service Account to list repositories on the Docker v2 _catalog endpoint.

Create a Custom Role at Project Level

gcloud iam roles create sysdig.repositorylist --project==<YOUR_PROJECT_ID> \
    --title="Sysdig - Artifact Registry - List Repositories" \
    --description="Sysdig - Artifact Registry - List Repositories on dockerv2 _catalog API endpoint" \
    --permissions="resourcemanager.projects.get" --stage=GA
gcloud projects add-iam-policy-binding <YOUR_PROJECT_ID> \
  --member='serviceAccount:my-iam-account@<YOUR_PROJECT_ID>.iam.gserviceaccount.com' \
  --role='projects/<YOUR_PROJECT_ID>/roles/sysdig.repositorylist'

Create a Custom Role at Organization Level


gcloud iam roles create sysdig.repositorylist --organization=<YOUR_ORGANIZATION_ID> \
    --title="Sysdig - Artifact Registry - List Repositories" \
    --description="Sysdig - Artifact Registry - List Repositories on dockerv2 _catalog API endpoint" \
    --permissions="resourcemanager.projects.get" --stage=GA
gcloud projects add-iam-policy-binding <YOUR_ORGANIZATION_ID> \
  --member='serviceAccount:my-iam-account@<YOUR_PROJECT_ID>.iam.gserviceaccount.com' \
  --role='organizations/<YOUR_ORGANIZATION_ID>/roles/sysdig.repositorylist'