Configuring Container Vulnerability Assessment (CVA)

Before you can begin assessing container images and workloads in your environment for vulnerabilities, some configuration is required within the relevant cloud service provider (CSP). For more information on what container services and registries InsightCloudSec supports, see Support.

Prerequisites

  • InsightCloudSec Admin permissions (Domain or Org Admin)
  • Appropriate permissions in AWS, Azure, and/or GCP:
    • For you to create roles or policies
    • For InsightCloudSec to execute container assessments (outlined in the following sections)
  • Optional - Kubernetes Security Guardrails enabled if you want to have the workloads deployed into a Kubernetes cluster scanned for vulnerabilities using CVA

Windows not supported

CVA does not currently support Windows images.

AWS

The permissions included in this section are required to enable container assessments within AWS environments.

You have two options for enabling CVA for AWS:

  • Navigate to the IAM policy associated with InsightCloudSec and manually add the AWS CVA Permissions to it
  • Attach the AWS CVA Policy to the role associated with InsightCloudSec

For instructions on configuring AWS EKS clusters, see Kubernetes Remote Scanner for EKS.

Default Permissions

If you used the universal AWS onboarding experience, the AWS CVA policy is included by default. This means it is easiest to perform CVA configuration while onboarding an account/organization. If you onboarded AWS accounts prior to the release of the universal onboarding experience (before InsightCloudSec v. 23.4.11) or did not enable CVA within the onboarding experience, you will most likely need to add the permissions or attach the policy manually.

AWS CVA Permissions

The following table contains the minimum required permissions to enable CVA for the policies associated with InsightCloudSec:

json
1
"ecr:GetAuthorizationToken",
2
"ecr:BatchCheckLayerAvailability",
3
"ecr:GetDownloadUrlForLayer",
4
"ecr:BatchGetImage"
AWS CVA Policy

The AWS CVA User Policy can be used to create a custom policy within AWS that contains all the permissions necessary for CVA. Review the AWS IAM documentation for more information.

Role Attachment

This policy should be attached to your existing InsightCloudSec harvesting role (created during AWS Onboarding).

json
1
{
2
  "Statement": [
3
    {
4
      "Action": [
5
        "ecr:GetAuthorizationToken",
6
        "ecr:BatchCheckLayerAvailability",
7
        "ecr:GetDownloadUrlForLayer",
8
        "ecr:BatchGetImage"
9
      ],
10
      "Effect": "Allow",
11
      "Resource": "*",
12
      "Sid": "AllowEcrReadOnlyAccessForVulnerabilityScanning"
13
    }
14
  ],
15
  "Version": "2012-10-17"
16
}

Azure

The permissions included in this section are required to enable container assessments within Azure environments.

To enable CVA for Azure:

  1. Navigate to the role associated with InsightCloudSec and manually add the Azure CVA Permissions to it

For instructions on configuring AKS clusters, see Kubernetes Remote Scanner for AKS.

Default Permissions

If you used the universal Azure onboarding experience, the Azure CVA permissions are included with all default recommended roles. This means you most likely will not need to manually update the permissions for or attach the Azure CVA role to the role associated with InsightCloudSec.

Azure CVA Permissions

The following table contains the minimum required permissions to enable CVA for the role associated with InsightCloudSec:

PermissionDescription
Microsoft.ContainerRegistry/registries/pull/readRequired to read from Azure Container Registries

GCP

The permissions included in this section are required to enable container assessments within GCP environments.

To enable CVA for GCP:

  1. Navigate to the service account associated with InsightCloudSec and manually add the GCP CVA Permissions to it

For instructions on configuring GKE clusters, see Kubernetes Remote Scanner for GKE.

Default Permissions

If you used the universal GCP onboarding experience, some of the GCP CVA permissions are not included with the default onboarding permissions. This means you most likely will need to manually update the permissions for the service account associated with InsightCloudSec.

GCP CVA Permissions

The following table contains the minimum required permissions to enable CVA for the service account associated with InsightCloudSec:

PermissionDescription
storage.buckets.getRequired for retrieving information from storage buckets
artifactregistry.dockerimages.getRequired for retrieving images from the Artifact Registry

Configuring CVA

Before container images can be regularly assessed for vulnerabilities, you must enable the feature. These configuration settings can be found on the Vulnerability Settings page, which is accessed from the Vulnerabilities page.

To turn on container assessments:

Settings are per InsightCloudSec Organization

The Vulnerability Settings are unique to the particular InsightCloudSec Organization you are logged in to. For more information on InsightCloudSec Organizations (not to be confused with Cloud Organizations), see Organizations.

  1. Login to InsightCloudSec and navigate to the Vulnerabilities page.
  2. Click Settings.
  3. Navigate to the Container Assessment tab.
  4. Click the Enable Container Vulnerability Assessment toggle. The list of Registries appears.

Support

The following sections outline the various container services and registries that InsightCloudSec supports for container assessment.

Cloud provider services

InsightCloudSec supports assessing images inside the following services with no additional configuration:

  • Amazon Web Services (AWS), Elastic Container Service (ECS), and Elastic Kubernetes Service (EKS)
  • Azure or Azure Kubernetes Service (AKS)
  • Google Cloud Platform (GCP) or Google Kubernetes Engine (GKE)

Cloud provider container registries

InsightCloudSec also supports assessing images in the following registries with no additional configuration:

  • AWS Elastic Container Registry (ECR)

ECR Image Name Affects Assessment

InsightCloudSec currently can only support assessing images in private ECR repositories when a container refers to them by the default ECR naming convention (<account-number>.dkr.ecr.<region-name>.amazonaws.com)

  • Azure Container Registry (ACR)
  • GCP Artifact Registry or Google Container Registry (GCR)

Third party as-a-service registries

InsightCloudSec can support all third party as-a-service registries, including Private DockerHub, JFrog, Quay, and Harbor. These registries can be assessed with no authentication, username and password authentication, or API key authentication. InsightCloudSec supports the following unauthenticated third party as-a-service registries with no additional configuration:

Don't see your preferred registry?

If you don't see your preferred registry in the following list, you can add a registry within InsightCloudSec.

  • Alibaba Cloud
    • registry.aliyuncs.com
  • Docker
    • docker.io
    • registry.hub.docker.com
    • us-docker.pkg
  • GitHub
    • ghcr.io
  • Google
    • gke.gcr.io
    • gcr.io
    • k8s.gcr.io
    • registry.gcr.io
    • *.gcr.iok8s-artifacts-prod
  • IBM
    • icr.io
  • Linkerd
    • cr.l5d.io
  • Linux Server
    • lscr.io
  • Kubernetes
    • registry.k8s.io
  • Microsoft
    • mcr.microsoft.com
  • Quay
    • quay.io
  • Upbound
    • xpkg.upbound.io

Authenticated registry support

InsightCloudSec also supports assessing container images in both as-a-service and self-hosted authenticated private registries. These registries require either username and password authentication or API token authentication.

Self-hosted registry support

Note that currently, self-hosted registry support requires providing InsightCloudSec network access to your self-hosted registries. Details on adding and configuring network access for self-hosted registries can be found in the managing registries section below.

Managing registries

For registries not listed in the Support section, you'll need to manually add the registry and configure authentication (if any) within InsightCloudSec. Registries can be edited, enabled, disabled, or deleted at anytime from the Action menu.

To add a registry:

  1. Navigate to the Vulnerability Settings > Container Assessment page.

  2. Click + Add Registry.

  3. Provide a name, base URL, and optional description for the registry.

    Base URL supports glob patterns

    The base URL supports glob patterns. For example, *.base-url.com/path/to/resource/*

  4. Select if the registry is Unauthenticated or Authenticated.

  5. If you selected Authenticated:

    1. Select an Authentication Type: Token or Username and Password.
      1. If you selected Token: provide the token.
      2. If you selected Username and Password: provide a username and password.
    2. Click Add Registry.

  6. If you selected Unauthenticated:

    1. Click Add Registry.

As-a-service registries and self-hosted registries with open network access are enabled by default, so containers are assessed as soon as possible. If your self-hosted registry is not internet-accessible, reach out to your CSA to receive a InsightCloudSec egress IP unique to your account that you can use when configuring ingress policies to allow access to your registry.

To edit a registry:

  1. Navigate to the Vulnerability Settings > Container Assessment page.
  2. For a given registry, click the Action menu (...).
  3. Click Edit.
  4. Adjust the registry details as necessary.
  5. Click Update Registry.

Troubleshooting

If you're experiencing issues harvesting and assessing images and container workloads, review the Cloud VM CVA FAQ (particularly this question) or contact support.

Using Cloud VM

Once cloud and Kubernetes onboarding & CVA configuration is complete, images will begin being harvested and assessed for vulnerabilities automatically. Cloud VM is available from the main navigation in InsightCloudSec under Security > Vulnerabilities. Review Reviewing and Managing Vulnerabilities for more information.