Adding integrations with external image registries
December 4, 2024
ID 275116
Integrated registries support only local image repositories that directly contain the images. In version 1.2, Kaspersky Container Security does not support working with remote or virtual repositories.
To add an integration with an external registry:
- In the Administration → Integrations → Image registries section, click the Add registry button.
  The integration settings window opens.
- On the Registry details tab, specify the settings for connecting to the registry:
  - Enter the name of the registry.
  - If required, enter a description of the registry.
  - Select the registry type from the drop-down list. Kaspersky Container Security supports the following types of registries:
    - Harbor (integration using the Harbor V2 API).
    - GitLab Registry (integration using the GitLab Container Registry API).
    - JFrog Artifactory (integration using the JFrog API).
    - Sonatype Nexus Repository OSS (integration using the Nexus API).
    - Yandex Registry (integration using the Yandex Container Registry API).
    - Docker Hub (integration using the Docker Hub API).
    - Docker Registry (integration using the Docker V2 API).
    The Docker Registry type (Docker V2 API) can also be used to connect to a Sonatype Nexus Repository OSS, Harbor, JFrog Artifactory (using a port or a subdomain), or Yandex Registry instance. Connecting to GitLab Registry, Docker Hub, or JFrog Artifactory (via Repository Path) through the Docker V2 API is not supported.
  - If you are setting up a JFrog Artifactory integration, select one of the following Docker access methods in the Repository Path method drop-down list:
    - Repository path.
    - Subdomain.
    - Port.
  - If you are configuring an integration with JFrog Artifactory, Harbor, GitLab Registry, Sonatype Nexus Repository OSS, or Docker Registry, enter the full web address (URL) that leads directly to the container registry. We recommend using an HTTPS connection (HTTP connections are also supported).
    If you use HTTP, or HTTPS with a self-signed or invalid certificate, you should enable the insecure-registry option for the Docker engine on the nodes where the server and the scanner are installed.
  - If you are configuring an integration with JFrog Artifactory, Harbor, GitLab Registry, or Sonatype Nexus Repository OSS, enter the full web address (URL) of the registry API.
  - Select an authentication method and specify the data it requires:
    - For GitLab Registry, select authentication with an account or with an access token.
    - For Yandex Registry, select authentication with an API key (Yandex OAuth token) or with a user name and token. When using a Yandex OAuth token, specify oauth as the user name; when using a Yandex IAM token, specify iam.
    - For Sonatype Nexus Repository OSS and Docker Hub, authentication is performed only with an account.
    - For Harbor, authentication is permitted only with a user account or a robot account.
    - For Docker Registry, authentication is performed only with a user name and password, as supported by the Docker V2 API.
- Go to the Image scan details tab and specify the scan timeout for images from this registry (in minutes).
  If scanning an image takes longer than the specified time, the scan stops and the image is returned to the scanning queue. The solution requeues the image up to 3 times, so the time required to scan an image from the registry may be tripled.
- Configure the image pull and scan settings for the registry. By default, Manual is selected in Pull and scan images: images are not pulled from the registry automatically, but the user can manually add images to the list of images for scanning. Newly added images are queued for scanning automatically.
  If you want images to be pulled from the registry and queued for scanning automatically, select Automatic in Pull and scan images and configure the image pull and scan settings. The following options are available:
  - Scan timeout – a block of settings that determines how often images are pulled from the registry for scanning. The time is interpreted according to the clock of the node on which the Kaspersky Container Security Server is deployed.
  - Rescan images – if you check this box, images that were previously pulled from the registry are rescanned each time new images are scanned.
  - Name/tag criteria – use an image name criterion and/or an image tag pattern to specify which images to pull and scan. If you check this box, Kaspersky Container Security pulls for scanning only the images that match the specified patterns.
    You can use criteria in the following patterns:
    - by image name and tag – <name><:tag>
    - by image name only – <name>
    - by image tag only – <:tag>
    For example:
    - for the alpine pattern, all images named "alpine" are pulled, regardless of the tag;
    - for the 4 pattern, all images with tag 4 are pulled, regardless of the image name;
    - for the alpine:4 pattern, all images named "alpine" with tag 4 are pulled.
    When composing criteria, you can use the * character, which stands for any number of characters.
    To add a criterion, enter it in the field and click the Add button. You can add one or more criteria.
  - Additional conditions for image pulling:
    - If no additional conditions are required, select No additional conditions.
    - Images created within – select this option to pull only images created within a specific period (a specified number of days, months, or years). Specify the length of the period and its unit in the fields on the right. By default, the period is 60 days.
    - Latest – select this option to pull only images with the latest tags (by image creation date). In the field on the right, specify the number of latest tags to consider.
    - Never pull images with the name/tag pattern – use image name/tag patterns to specify which images are excluded from pulling and scanning.
    - Always pull images with the name/tag pattern – use image name/tag patterns to specify which images are always pulled and scanned, regardless of the other conditions set above.
- Click Test connection to check whether a connection with the registry can be established.
- Click the Save button at the top of the window to save the registry integration settings.
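The following Python is an added worked example, not Kaspersky code and not the product's implementation. It models the automatic pull-and-scan selection rules described above (name/tag criteria in the `<name>`, `<:tag>` and `<name><:tag>` forms, with `*` standing for any number of characters; the "Images created within" and "Latest" conditions; and the never-pull and always-pull pattern lists) and applies them to a constructed image list. The `Image`, `PullSettings`, `select_images`, `matches`, `days`, `NOW` and `SAMPLE` names are this example's own. It assumes that the last colon in a criterion separates the name from the tag, that "Latest" keeps the N newest tags per image name, and that the always-pull list also overrides the never-pull list; the text does not state any of these three points.

```python
"""Added example (not Kaspersky code): pull-and-scan selection rules applied
to a constructed image list."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Image:
    name: str          # repository name, e.g. "internal/app"
    tag: str           # tag, e.g. "4"
    created: datetime  # image creation time (tz-aware)


def _glob(pattern: str) -> "re.Pattern[str]":
    """Compile a criterion part in which only '*' is special (any number of characters)."""
    return re.compile("^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$")


def matches(criterion: str, image: Image) -> bool:
    """Apply one name/tag criterion: '<name>', ':<tag>' or '<name>:<tag>'.
    Assumption: the last ':' separates the name from the tag."""
    if criterion.startswith(":"):
        return _glob(criterion[1:]).match(image.tag) is not None
    if ":" in criterion:
        name_pat, tag_pat = criterion.rsplit(":", 1)
        return (_glob(name_pat).match(image.name) is not None
                and _glob(tag_pat).match(image.tag) is not None)
    return _glob(criterion).match(image.name) is not None


@dataclass(frozen=True)
class PullSettings:
    criteria: Tuple[str, ...] = ()              # Name/tag criteria; empty means no filter
    created_within: Optional[timedelta] = None  # "Images created within"
    latest: Optional[int] = None                # "Latest": N newest tags (assumed per image name)
    never: Tuple[str, ...] = ()                 # "Never pull images with the name/tag pattern"
    always: Tuple[str, ...] = ()                # "Always pull images with the name/tag pattern"


def select_images(images: Iterable[Image], s: PullSettings, now: datetime) -> List[str]:
    """Return the sorted 'name:tag' list of images that would be pulled and scanned."""
    images = list(images)
    # 1. Name/tag criteria: keep images matching at least one criterion (or all, if none set).
    picked = [i for i in images if not s.criteria or any(matches(c, i) for c in s.criteria)]
    # 2. Additional condition: at most one of "created within" / "latest" is active.
    if s.created_within is not None:
        picked = [i for i in picked if now - i.created <= s.created_within]
    elif s.latest is not None:
        by_name: Dict[str, List[Image]] = {}
        for i in picked:
            by_name.setdefault(i.name, []).append(i)
        picked = [i for group in by_name.values()
                  for i in sorted(group, key=lambda x: x.created, reverse=True)[: s.latest]]
    # 3. Never-pull patterns exclude images.
    picked = [i for i in picked if not any(matches(c, i) for c in s.never)]
    # 4. Always-pull patterns win over every condition above (assumption: including never-pull).
    picked += [i for i in images if any(matches(c, i) for c in s.always)]
    return sorted({f"{i.name}:{i.tag}" for i in picked})


def days(n: int) -> timedelta:
    return timedelta(days=n)


# Constructed sample registry content (not real data).
NOW = datetime(2024, 12, 4, tzinfo=timezone.utc)
SAMPLE = [
    Image("alpine", "3.18", NOW - days(200)),
    Image("alpine", "3.19", NOW - days(90)),
    Image("alpine", "3.20", NOW - days(10)),
    Image("nginx", "1.27", NOW - days(30)),
    Image("nginx", "latest", NOW - days(1)),
    Image("internal/app", "4", NOW - days(5)),
    Image("internal/app", "dev-4", NOW - days(2)),
]

if __name__ == "__main__":
    cfg = PullSettings(created_within=days(60), never=(":latest",), always=("internal/app:4",))
    print(select_images(SAMPLE, cfg, NOW))
```

Running the block with the settings in its `__main__` section selects the images created in the last 60 days, drops `nginx:latest` because of the never-pull pattern, and keeps `internal/app:4` because of the always-pull pattern. The tag-only criterion is written as `:4`, following the `<:tag>` form from the pattern list.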