Kaspersky Container Security

Adding integrations with external image registries

March 27, 2024

ID 266472

Integrated registries support only local image repositories that directly contain the images. In version 1.1, Kaspersky Container Security does not support working with remote or virtual repositories.

To add an integration with an external registry:

  1. In the Administration → Integrations → Image registries section, click the Add registry button.

    The integration settings window opens.

  2. On the Registry details tab, specify the settings for connection to the registry:
    1. Enter the name of the registry.
    2. If required, enter a description of the registry.
    3. Select the registry type from the drop-down list.
    4. If you are setting up a JFrog Artifactory registry integration, select one of the following Docker access methods in the Repository Path drop-down list:
      • Repository path.
      • Subdomain.
      • Port.
    5. If you set up a JFrog Artifactory, Harbor, or Sonatype Nexus Repository OSS registry integration, enter the full web address of the registry. We recommend that you use an HTTPS connection (HTTP connections are also supported).

      If you use HTTP or HTTPS with a self-signed or invalid certificate, you should check the insecure-registry box for the Docker engine on the nodes where the server and scanner are installed.

    6. If you set up a GitLab Registry integration, provide the full web addresses (URLs) of the registry and registry API.
    7. If you set up a registry integration for Docker Hub or JFrog Artifactory, choose an authentication method: with an account or API key. For Sonatype Nexus Repository OSS registries, you can only use authentication with an account.
    8. Specify the data required for authentication.
  3. Go to the Image scan details tab and specify the maximum time for scanning images from this registry (in minutes).

    If image scanning lasts longer than the specified time, the scanning stops and the image is returned to the scanning queue. The solution will requeue the image up to 3 times. This means that the time required to scan an image from the registry may be tripled.

  4. Configure the image pull and scan settings for the registry. By default, the Manual option is selected in Pull and scan images: images are not automatically pulled from the registry, but the user can manually add images to the list of images for scanning. New images are automatically queued for scanning.

    If you want images to be pulled from the registry and queued for scanning automatically, select Automatic in Pull and scan images and configure the settings for image pulling and scanning. The following options are available:

    • Scan timeout – a block of settings that determine the frequency at which images are pulled from the registry for scanning. The time is specified in accordance with the time of the node on which the Kaspersky Container Security Server is deployed.
    • Rescan images – if you check this box, images that were previously pulled from the registry are rescanned each time new images are scanned.
    • Name/tag criteria – you can use image name and/or tag patterns to specify which images to pull and scan. If you check the box, Kaspersky Container Security will pull only those images that match the specified patterns for scanning.

      You can use criteria in the following patterns:

      • by image name and tag – <name><:tag>
      • by image name only – <name>
      • by image tag only – <:tag>

      For example:

      • for the alpine pattern, all images with the name "alpine" are pulled, regardless of the tag;
      • for the 4 pattern, all images with tag 4 are pulled, regardless of the image name;
      • for the alpine:4 pattern, all images with the name "alpine" and tag 4 are pulled.

      When generating criteria, you can use the * character, which replaces any number of characters.

      To add a criterion, enter it in the field and click the Add button. You can add one or more criteria.

    • Additional conditions for image pulling.
      • If no additional conditions are required, select No additional conditions.
      • Images created within – select this option if you want to only pull images created within a specific period (for a specified number of days, months, or years). Specify the duration of the period and the unit of measurement in the fields on the right. By default, the period is 60 days long.
      • Latest – select this option if you want to only pull images with the latest tags (from the date of image creation). In the field on the right, specify the number of latest tags to consider.
    • Never pull images with the name/tag pattern – you can use image name/tag patterns to specify which images are excluded from pulling and scanning.
    • Always pull images with the name/tag pattern – you can use image name/tag patterns to specify which images are always pulled and scanned, regardless of other conditions set above.
  5. Click the Save button at the top of the window to save the registry integration settings.
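
The pull settings in step 4 interact, so it helps to model which images end up outside scan coverage before saving them. The sketch below is an added example, not Kaspersky code: the function names, the sample images and the evaluation order (Always pull, then Never pull, then criteria, then the creation period) are assumptions. Tag-only patterns are written with a leading colon, following the <:tag> form, and the Latest option is not modelled.

```python
import re
from datetime import datetime, timedelta, timezone

def matches(pattern, name, tag):
    """Match one <name>, <:tag> or <name><:tag> criterion; '*' stands for any characters."""
    pat_name, sep, pat_tag = pattern.rpartition(":")
    if not sep:  # no colon: name-only pattern, any tag
        pat_name, pat_tag = pattern, "*"
    glob = lambda p: ".*".join(map(re.escape, p.split("*")))
    return bool(re.fullmatch(glob(pat_name or "*"), name)
                and re.fullmatch(glob(pat_tag), tag))

def decide(image, criteria, never=(), always=(), max_age_days=None, now=None):
    """Return a pull/skip verdict for one (name, tag, created) image (assumed precedence)."""
    name, tag, created = image
    now = now or datetime.now(timezone.utc)
    hit = lambda pats: any(matches(p, name, tag) for p in pats)
    if hit(always):   # assumption: overrides every other condition
        return "pull (always)"
    if hit(never):
        return "skip (never-pull pattern)"
    if criteria and not hit(criteria):
        return "skip (no criterion matched)"
    if max_age_days is not None and created < now - timedelta(days=max_age_days):
        return "skip (older than period)"
    return "pull"

def plan(images, **settings):
    """Map each 'name:tag' reference to its verdict."""
    return {f"{n}:{t}": decide((n, t, c), **settings) for n, t, c in images}

# Constructed sample data: image names, tags and dates are illustrative only.
NOW = datetime(2024, 3, 27, tzinfo=timezone.utc)
IMAGES = [
    ("alpine", "4", NOW - timedelta(days=10)),
    ("alpine", "3.18", NOW - timedelta(days=400)),
    ("nginx", "4", NOW - timedelta(days=5)),
    ("nginx", "dev-123", NOW - timedelta(days=1)),
    ("payments-api", "release-2", NOW - timedelta(days=90)),
    ("redis", "7", NOW - timedelta(days=2)),
]
SETTINGS = dict(criteria=["alpine", ":4"], never=[":dev-*"],
                always=["payments-*"], max_age_days=60, now=NOW)

if __name__ == "__main__":
    for ref, verdict in plan(IMAGES, **SETTINGS).items():
        print(f"{ref:28} {verdict}")
```

Every reference reported as "skip" is an image the registry integration would not scan automatically, which is the list to review against what is actually deployed.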
