Appendix

Create ACS init bundle in ACS Portal

Create the init bundle using the ACS Portal:

  • Navigate to Platform Configuration → Integrations.
  • Under the Authentication Tokens section, click on Cluster Init Bundle.
  • Click Generate bundle
  • Enter a name for the cluster init bundle and click Generate.
  • Click Download Kubernetes Secret File to download the generated bundle.

If you run oc on your laptop, you are set. If you SSH to another host (such as the bastion host) to run oc, scp the downloaded init bundle file over to that host first. If you use the OpenShift Web Terminal, the downloaded file is on your laptop and not in the terminal's filesystem, so use the API method instead.

Create a serviceaccount to scan the internal OpenShift registry

The integrations for the internal registry were created automatically from the existing pull secrets. To actually scan images in the internal registry, you have to give ACS valid credentials, so this is what you will do:

  • add a serviceaccount
  • assign it the needed privileges
  • configure the Integrations in ACS with the new credentials

The very first step is to disable the auto-generate mechanism; otherwise the credentials you enter would be overwritten automatically by the autogenerated ones:

  • In the OpenShift Web Console, switch to the project stackrox, go to Installed Operators->Advanced Cluster Security for Kubernetes
  • Open your Central instance stackrox-central-services
  • Switch to the YAML view and add the following YAML snippet nested one level below spec: (so customize: is a child of spec:):
  customize:
    envVars:
      - name: ROX_DISABLE_AUTOGENERATED_REGISTRIES
        value: 'true'
  • Click Save

Create ServiceAccount to read images from Registry

  • In the OpenShift Web Console make sure you are still in the stackrox Project
  • User Management -> ServiceAccounts -> Create ServiceAccount
  • Replace the example name in the YAML with acs-registry-reader and click Create
  • In the new ServiceAccount, under Secrets click one of the acs-registry-reader-token-... secrets (on OpenShift 4.11 and later no such token secret is created automatically; in that case create a Secret of type kubernetes.io/service-account-token annotated with kubernetes.io/service-account.name: acs-registry-reader and use that one instead)
  • Under Data copy the Token (this is the bearer token ACS will present to the registry; treat it like a password)
  • Using oc, give the ServiceAccount the right to read images from all projects. This creates a ClusterRoleBinding, so the account can pull from every project, not only from stackrox:
oc adm policy add-cluster-role-to-user 'system:image-puller' system:serviceaccount:stackrox:acs-registry-reader -n stackrox
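The Web Console steps above (disabling autogenerated registries, creating the ServiceAccount, binding the cluster role and extracting the token), scripted with oc as an added example; this is not part of the original lab material. It assumes the names used in this appendix (project stackrox, Central instance stackrox-central-services, ServiceAccount acs-registry-reader) and creates a long-lived token Secret whose name, acs-registry-reader-token, is chosen here, because OpenShift 4.11 and later no longer generate token secrets for a ServiceAccount automatically. Nothing is applied unless the script is run with the argument apply, so the file can also be sourced and its manifests inspected first.

```shell
#!/usr/bin/env bash
# Added example: scripted equivalent of the Web Console steps in the appendix.
# Assumed names (taken from the lab text): project stackrox, Central CR
# stackrox-central-services, ServiceAccount acs-registry-reader.
# The token Secret name acs-registry-reader-token is chosen here.
NS=stackrox
CENTRAL=stackrox-central-services
SA=acs-registry-reader
TOKEN_SECRET=acs-registry-reader-token

# JSON merge patch that sets ROX_DISABLE_AUTOGENERATED_REGISTRIES on Central.
# A merge patch replaces the whole envVars list, so any entries that already
# exist under spec.customize.envVars have to be repeated here.
central_patch_json() {
  printf '%s' '{"spec":{"customize":{"envVars":[{"name":"ROX_DISABLE_AUTOGENERATED_REGISTRIES","value":"true"}]}}}'
}

# ServiceAccount manifest, the same object the console creates.
sa_manifest() {
  cat <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: $SA
  namespace: $NS
EOF
}

# Long-lived token Secret bound to the ServiceAccount. On OpenShift 4.11+
# (Kubernetes 1.24+) this replaces the auto-generated <sa>-token-xxxxx
# secrets that the console steps rely on; the token controller fills in
# .data.token shortly after the Secret is created.
token_secret_manifest() {
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $TOKEN_SECRET
  namespace: $NS
  annotations:
    kubernetes.io/service-account.name: $SA
type: kubernetes.io/service-account-token
EOF
}

# Read the bearer token (stored base64-encoded in .data.token).
registry_token() {
  oc get secret "$TOKEN_SECRET" -n "$NS" -o jsonpath='{.data.token}' | base64 -d
}

# Check that the cluster role binding took effect: system:image-puller grants
# get on imagestreams/layers, which is what a registry pull needs.
verify_pull_rights() {
  oc auth can-i get imagestreams/layers --all-namespaces \
    --as="system:serviceaccount:$NS:$SA"
}

apply_all() {
  oc patch central "$CENTRAL" -n "$NS" --type=merge -p "$(central_patch_json)"
  sa_manifest | oc apply -f -
  oc adm policy add-cluster-role-to-user system:image-puller \
    "system:serviceaccount:$NS:$SA"
  token_secret_manifest | oc apply -f -
  # Wait (up to ~10 s) for the token controller to populate the Secret.
  for _ in 1 2 3 4 5; do
    [ -n "$(oc get secret "$TOKEN_SECRET" -n "$NS" -o jsonpath='{.data.token}')" ] && break
    sleep 2
  done
  verify_pull_rights
  echo "Paste this token into the Password field of the ACS registry integrations:"
  registry_token
  echo
}

# Only touch the cluster when explicitly asked.
if [ "${1:-}" = "apply" ]; then
  apply_all
fi
```

Run it as `bash acs-registry-reader.sh apply` (file name chosen here) from a host where oc is logged in as a cluster administrator; the printed token is the value to enter in the ACS Portal in the next step. The Secret created by the script is the one to delete if the credential ever needs to be rotated.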

Configure Registry Integrations in ACS

Access the ACS Portal and edit the already existing integrations of type Generic Docker Registry: go to Platform Configuration -> Integrations -> Generic Docker Registry. You should see a number of entries that were autogenerated from the existing pull secrets.

You have to change the four entries that point to the internal registry; they are easy to recognize because they show the placeholder Username serviceaccount.

For each of the four local registry integrations click Edit integration using the three dots at the right:

  • Enter acs-registry-reader as Username
  • Paste the token you copied from the secret into the Password field
  • Select Disable TLS certificate validation. The internal registry serves a certificate issued by the cluster's own CA, which Central does not trust by default; skipping validation is acceptable in this lab, but in a production setup add that CA to Central's trusted certificates instead of disabling the check.
  • Press the Test button to validate the connection and press Save once the test succeeds.

ACS is now able to scan images in the internal registry!