Scanning Images from ECR

The ksoc-sbom plugin runs on the customer’s cluster and is responsible for calculating the SBOM for each image that gets deployed. The plugin downloads images from the registry API and requires authentication for private repositories. For most registry types, imagePullSecrets are used to authenticate against the registry.

The ECR registry relies on short-lived tokens (valid for 12 hours) and service accounts, which is not a standard way of authenticating against a registry API. The ksoc-plugins helm chart currently allows a special secret, maintained by the customer on the cluster, to be provided so that the ksoc-sbom plugin can authenticate to such a registry where imagePullSecrets are not possible.

Please note that the secret needs to be created in the same namespace where ksoc-plugins are deployed.

Configuring ksoc-sbom for ECR

Configure an environment variable to point at the secret that should be used for pulling ECR images as shown below:

ksocSbom:
    image:
      repository: us.gcr.io/ksoc-public/ksoc-sbom
      tag: v0.0.42
    env:
      IMAGE_PULL_SECRETS: ecr-creds

The ecr-creds secret can be created as follows:

ECR_TOKEN=$(aws ecr get-login-password --region "${AWS_REGION}")
DOCKER_SECRET_NAME=ecr-creds

kubectl create secret docker-registry "${DOCKER_SECRET_NAME}" \
  --docker-server="https://${AWS_ACCOUNT}.dkr.ecr.${AWS_REGION}.amazonaws.com" \
  --docker-username=AWS \
  --docker-password="${ECR_TOKEN}" \
  --namespace="${KSOC_PLUGINS_NAMESPACE}"

There are open-source solutions that keep refreshing that secret every 12 hours so it stays valid, for example: https://github.com/nabsul/k8s-ecr-login-renew
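As an added example (not part of the ksoc-plugins chart or the renewer linked above), the script below refreshes the ecr-creds secret in place instead of failing on "already exists": it rebuilds the same docker-registry secret the kubectl command above creates and applies it with a client-side dry run, and it only does so once the existing secret is within an hour of the 12-hour token lifetime. It assumes the aws and kubectl CLIs, GNU date, and the AWS_ACCOUNT, AWS_REGION and KSOC_PLUGINS_NAMESPACE variables from the page; the account id and token used in comments are constructed values.

```shell
#!/bin/sh
# Added example: keep the ecr-creds secret fresh for the ksoc-sbom plugin.
# Assumes aws CLI, kubectl, base64 and GNU date are on PATH (not part of the chart).
set -eu

ECR_TOKEN_TTL_SECS=$((12 * 3600))   # `aws ecr get-login-password` tokens last 12 hours

# Registry URL the secret must be keyed on; it must match the host in the image refs.
ecr_registry_url() {
  printf 'https://%s.dkr.ecr.%s.amazonaws.com' "$1" "$2"
}

# The .dockerconfigjson payload that `kubectl create secret docker-registry` produces
# for an ECR token; handy for comparing against `kubectl get secret ... -o json`.
ecr_dockerconfigjson() {
  registry="$1"; token="$2"
  auth=$(printf 'AWS:%s' "$token" | base64 | tr -d '\n')
  printf '{"auths":{"%s":{"username":"AWS","password":"%s","auth":"%s"}}}' \
    "$registry" "$token" "$auth"
}

# True when a secret created at $1 (epoch seconds) should be renewed at time $2,
# leaving a margin ($3, default 1h) so the plugin never reads an expired token.
secret_needs_refresh() {
  created="$1"; now="$2"; margin="${3:-3600}"
  [ $((now - created)) -ge $((ECR_TOKEN_TTL_SECS - margin)) ]
}

# Fetch a fresh token and create-or-replace the secret in the plugin namespace.
refresh_ecr_secret() {
  name="$1"; namespace="$2"; account="$3"; region="$4"
  token=$(aws ecr get-login-password --region "$region")
  kubectl create secret docker-registry "$name" \
    --docker-server="$(ecr_registry_url "$account" "$region")" \
    --docker-username=AWS \
    --docker-password="$token" \
    --namespace="$namespace" \
    --dry-run=client -o yaml | kubectl apply -f -
}

main() {
  # A missing secret yields created=0, which always counts as stale.
  created=$(date -d "$(kubectl get secret ecr-creds -n "$KSOC_PLUGINS_NAMESPACE" \
    -o jsonpath='{.metadata.creationTimestamp}')" +%s 2>/dev/null || echo 0)
  if secret_needs_refresh "$created" "$(date +%s)"; then
    refresh_ecr_secret ecr-creds "$KSOC_PLUGINS_NAMESPACE" "$AWS_ACCOUNT" "$AWS_REGION"
  fi
}

# Run as `./ecr-refresh.sh refresh` from a cron job or CronJob; sourcing just defines the functions.
if [ "${1:-}" = "refresh" ]; then main; fi
```

Note that `kubectl apply` replaces the token in the existing secret object, so the plugin picks up the new credentials without the secret being deleted and re-created.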